10 Ways To Protect SSH On Your Linux Server

Securing the SSH service on a Linux system protects both the machine and the data on it. Administrators and home users alike need to harden internet-facing machines, and an exposed SSH server is a constant target for automated password guessing, so the configuration deserves care.

SSH stands for Secure Shell, and is a protocol designed to secure communication between different hosts using an encrypted link. The term “SSH” is used interchangeably to mean either the SSH protocol itself or the software tools that enable system administrators and users to make safe connections to remote computers using this protocol.

The SSH protocol provides an encrypted, authenticated connection over an untrusted network such as the Internet. On Linux, "SSH" almost always means OpenSSH, the portable version of the implementation maintained by the OpenBSD project. OpenSSH ships the sshd server, the ssh client and the scp and sftp file-transfer tools, and is the usual choice for remote login, backups and remote file transfer.


SSH protects the confidentiality and integrity of data exchanged between two hosts. Its defining feature is authentication with public-key cryptography: the server proves its identity to the client with its host key, and users can prove theirs to the server with a key pair instead of a password. Even so, vulnerabilities in OpenSSH are reported from time to time, so keeping the package updated is part of hardening it.

SSH follows the usual client-server model. The sshd server listens for incoming connections; the client connects to it and presents the session to the remote user; the server authenticates the client and runs the session.

SSH protocol version 2 was standardized by the IETF in 2006 (RFC 4251 and its companion documents) and replaced version 1. The encryption and protections were reworked so thoroughly that version 2 is not backward compatible with version 1, and a server can be configured to refuse version 1 clients and accept only version 2.

Almost all of the changes below are made in the OpenSSH server configuration file, sshd_config, which on most Linux distributions lives at /etc/ssh/sshd_config. Two details matter when editing it: sshd uses the first value it finds for a keyword, not the last, so a hardening line appended at the bottom does nothing if the same keyword already appears above it; and some newer distributions read drop-in files from /etc/ssh/sshd_config.d/ through an Include line at the top, which means a drop-in wins over the main file.

10 Ways To Protect SSH On Your Linux Server

Use a different port than 22

Port 22 is the standard port for SSH. Moving the service to another port adds only a little security through obscurity, since a port scan still finds it, but it cuts most of the automated scanning noise and bad traffic aimed at port 22 and keeps your logs readable. Before you change it, open the new port in your firewall and, on SELinux-enforcing systems, allow sshd to bind it (with semanage port), or you will lock yourself out. Then edit sshd_config and set a port other than 22:

Port 222

Use Protocol SSH 2 only

Protocol version 1 has well-known cryptographic weaknesses and should never be used. Current OpenSSH releases are version 2 only: server-side SSH-1 support was removed in OpenSSH 7.4 (2016), and on such systems the Protocol keyword merely logs a deprecation warning and is ignored. On an older installation, make sure the server is restricted to version 2:

Protocol 2

Disable direct root login

Logging in as root is bad practice on any Linux machine. You should log in as a regular user and use sudo for the actions that need root privileges, and the SSH server should not accept root logins at all. Note that OpenSSH's default for PermitRootLogin is prohibit-password, which still lets root in with a key; to block root completely, set PermitRootLogin to no in sshd_config. Administrators then log in as a regular user over SSH and switch to root with sudo only when it is indispensable.

Create a regular user for SSH access and set its password (later you will give it an SSH key instead):

sudo useradd -m anon

sudo passwd anon

Avoid listening on all interfaces

By default, the SSH server listens on every network interface, on both IPv4 (0.0.0.0) and IPv6 (::). If the machine has several addresses, bind sshd only to the one you manage it over, such as an internal address, by replacing the placeholder below. The directive may be repeated once per address; include the IPv6 address if you use one, because a ListenAddress for IPv4 alone leaves the IPv6 side closed:

ListenAddress XX.XX.XX.XX

Use public keys instead of passwords

SSH keys are a far stronger way to authenticate than passwords. A password can be guessed, cracked or brute-forced over the network; a private key cannot be guessed, and if you protect it with a passphrase, stealing the key file alone is not enough to use it.

When you generate SSH keys, you create a pair: a public key and a private key. The public key is installed in ~/.ssh/authorized_keys on each server you want to reach. The private key, as the name suggests, never leaves your own computer.

Generate a key pair with ssh-keygen (Ed25519 is the current recommendation) and install the public key on the server, either with ssh-copy-id or by appending it to authorized_keys yourself.

After confirming from a second session that key-based login works, disable password-based login. Because PAM can still prompt for a password through keyboard-interactive authentication, disable that as well (KbdInteractiveAuthentication in current releases, ChallengeResponseAuthentication in older ones) alongside:

PasswordAuthentication no

Enable two-factor authentication

A second factor means that a stolen password or key alone is not enough to log in. With OpenSSH this is usually done through a PAM module that issues time-based one-time codes, combined with AuthenticationMethods in sshd_config so that both a public key and the one-time code are required. Two-factor authentication does not stop brute-force attempts from arriving, but it makes them fail even when the first factor has been compromised.

Disable Empty Passwords

Never allow remote login to an account whose password is empty: an attacker who learns the user name needs no brute force at all. OpenSSH already defaults to refusing empty passwords, but set it explicitly so that a stray change elsewhere cannot reopen the hole.

To disable empty password login set

PermitEmptyPasswords no

Limit connections using TCP Wrappers

TCP Wrappers is a simple host-based access control list: /etc/hosts.allow and /etc/hosts.deny permit or refuse connections based on attributes of the request, such as the client IP address or hostname. Two caveats apply. First, OpenSSH dropped its built-in libwrap support in version 6.7 (2014), so on a current system sshd ignores these files unless your distribution has patched the support back in; the equivalent inside sshd_config is a Match Address block or AllowUsers with a host pattern. Second, TCP Wrappers complements a properly configured firewall and does not replace it. In either case, if you connect from a dynamic IP address, a fixed allowlist will eventually lock you out.

If your sshd does honour TCP Wrappers, edit /etc/hosts.allow and add the line below, replacing XX.XX.XX.XX with the address you connect from, and add "sshd : ALL" to /etc/hosts.deny so that every other source is refused (without the deny rule, the allow line changes nothing):

sshd : XX.XX.XX.XX

Limit SSH connections using a Firewall

If you use an iptables-based firewall such as CSF (ConfigServer Security & Firewall), you can limit how many times a source may fail to log in over SSH before it is blocked. Without CSF, fail2ban or a rate-limiting firewall rule does the same job.

Edit /etc/csf/csf.conf and set:

LF_SSHD = "5"

Restart the firewall to apply changes:

csf -r
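The failed-login threshold above is what CSF and fail2ban implement for you. The script below, added here as an example and not part of the original article or of CSF, shows the same detection logic in plain sh and awk over a constructed auth.log excerpt (the addresses come from the RFC 5737 documentation ranges and the log lines are made up). It counts "Failed password ... from <ip>" events per source, reports the sources at or above a threshold, and prints, rather than runs, a block rule for each one, skipping an allowlist so an administrator's own address is never blocked.

```shell
#!/bin/sh
# Constructed auth.log excerpt for the example (not from a real host).
SAMPLE_AUTH_LOG='Jan 12 10:00:01 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:00:03 web1 sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jan 12 10:00:04 web1 sshd[4105]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 12 10:00:06 web1 sshd[4107]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jan 12 10:00:08 web1 sshd[4109]: Failed password for invalid user test from 203.0.113.7 port 51261 ssh2
Jan 12 10:00:09 web1 sshd[4111]: Failed password for anon from 198.51.100.22 port 40022 ssh2
Jan 12 10:00:15 web1 sshd[4113]: Accepted publickey for anon from 198.51.100.22 port 40023 ssh2: ED25519 SHA256:u8m3Kq7x
Jan 12 10:00:20 web1 sshd[4115]: Invalid user guest from 203.0.113.9 port 39000
Jan 12 10:00:21 web1 sshd[4115]: Connection closed by invalid user guest 203.0.113.9 port 39000 [preauth]'

# brute_force_sources <log-text> <threshold>
# Prints "<count> <ip>" for every source with at least <threshold> failed
# password attempts, highest count first. Only sshd "Failed password ... from"
# lines are counted; accepted logins and pre-auth disconnects are ignored.
brute_force_sources() {
  printf '%s\n' "$1" | awk -v limit="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= limit) printf "%d %s\n", fails[ip], ip }' |
    sort -rn
}

# block_commands <log-text> <threshold> <allowlist>
# Emits one firewall command per offending source, skipping addresses in the
# space-separated <allowlist> so you cannot lock yourself out with your own typos.
# Commands are printed, not executed: review them, then pipe to sh.
# Adjust --dport if you moved SSH off port 22.
block_commands() {
  brute_force_sources "$1" "$2" | while read -r count ip; do
    case " $3 " in
      *" $ip "*) printf '# skipping %s (%s failure(s), allowlisted)\n' "$ip" "$count" ;;
      *)         printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip" ;;
    esac
  done
}

# Offenders at the article's threshold of five, then the rules that would block
# them, with the administrator's (constructed) address kept off the list.
brute_force_sources "$SAMPLE_AUTH_LOG" 5
block_commands "$SAMPLE_AUTH_LOG" 5 "198.51.100.22"
```

On a real host, feed it the output of `grep sshd /var/log/auth.log` (or `journalctl -u ssh -o cat`) instead of the sample string. A tool like fail2ban does exactly this continuously and also expires the blocks after a while, which a one-shot script does not.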

Restrict SSH logins to specific IP addresses

By default, sshd accepts logins from any client address. ListenAddress does not help here: it only chooses which local addresses sshd binds to, as covered above. To restrict which clients may log in, use AllowUsers with a host pattern, a Match Address block, or a firewall rule. Once AllowUsers is present, any user name that matches none of its patterns is refused, so list every account that needs access.

For example, to let the anon account log in only from IP address 192.168.1.2, add the line:

AllowUsers anon@192.168.1.2

After changing sshd_config, check the syntax with sshd -t, and only then restart the server. Keep your current session open until a fresh login has succeeded, so that a mistake does not lock you out. The service is named ssh on Debian and Ubuntu and sshd on Red Hat-based systems:

sudo service ssh restart
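Because sshd takes the first value it sees for each keyword and treats everything after a Match line as conditional, appending hardening lines at the bottom of sshd_config can silently leave the weak settings in force. The audit below is an added example for this article, not a tool from the OpenSSH project: it resolves the effective global value of the keywords set in the sections above with the same first-occurrence rule, and runs on a constructed sshd_config that reproduces exactly that mistake. Include directives are not followed, so on a real host compare its verdict with `sshd -T`, which prints the configuration sshd will actually use.

```shell
#!/bin/sh
# Constructed sshd_config (not from a real host). The distribution shipped
# permissive values near the top, and the "hardening" lines were appended at
# the bottom, after a Match block, where they have no effect on the global section.
SAMPLE_SSHD_CONFIG='Port 222
ListenAddress 192.168.1.10
# values shipped by the package
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no

Match User backup
    PasswordAuthentication yes

# hardening appended later: never reached for the global section
PermitRootLogin no
PasswordAuthentication no'

# sshd_effective <config-text> <keyword> <default>
# Resolves a keyword the way sshd does: the FIRST occurrence wins, keywords are
# case-insensitive, and anything after the first Match line is conditional and
# therefore not the global value. Include directives are not followed here.
sshd_effective() {
  printf '%s\n' "$1" | awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    { sub(/#.*/, "") }                  # strip comments, then skip blank lines
    NF == 0 { next }
    tolower($1) == "match" { exit }     # conditional section begins: stop
    tolower($1) == kw { val = $2; exit } # first occurrence decides
    END { print (val == "" ? def : val) }'
}

# audit_sshd_config <config-text>
# Prints one line per check and returns the number of failed checks.
# Each entry is keyword:wanted:compiled-in default used when the keyword is absent.
audit_sshd_config() {
  cfg="$1"; fails=0
  for check in \
      'PermitRootLogin:no:prohibit-password' \
      'PasswordAuthentication:no:yes' \
      'KbdInteractiveAuthentication:no:yes' \
      'PermitEmptyPasswords:no:no' \
      'PubkeyAuthentication:yes:yes'; do
    kw=${check%%:*}; rest=${check#*:}; want=${rest%%:*}; def=${rest#*:}
    got=$(sshd_effective "$cfg" "$kw" "$def")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
      printf 'OK    %-30s %s\n' "$kw" "$got"
    else
      printf 'FAIL  %-30s effective=%s want=%s\n' "$kw" "$got" "$want"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG" || printf '%s check(s) failed\n' "$?"
```

On the sample, PermitRootLogin and PasswordAuthentication fail because their first values are the permissive ones, and KbdInteractiveAuthentication fails because it was never set and defaults to yes. The fix is to put the hardening lines above the first Match block and ahead of any earlier occurrence (or in a drop-in under /etc/ssh/sshd_config.d/ on distributions that include that directory first), then confirm with `sshd -T | grep -i -e permitrootlogin -e passwordauthentication` before restarting.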

Finally, if you don’t need SSH running on your computer at all, make sure it is disabled:

sudo systemctl stop sshd

sudo systemctl disable sshd

SSH is one of the most widely used network services on Linux and BSD servers. It is a powerful tool for connecting to and managing machines, and an open door if it is not protected properly. With the changes above in place, password guessing no longer works, root cannot log in directly, failing sources are blocked, and only the addresses you choose can reach the service, which removes the easy paths an attacker relies on.
