Securing the SSH service on a Linux system protects both the machine and the data on it. Administrators and home users alike need to harden internet-facing hosts, and SSH is usually the first service an attacker probes, so getting its configuration right matters.
SSH stands for Secure Shell, and is a protocol designed to secure communication between different hosts using an encrypted link. The term “SSH” is used interchangeably to mean either the SSH protocol itself or the software tools that enable system administrators and users to make safe connections to remote computers using this protocol.
The SSH protocol provides a secure connection over an untrusted network such as the Internet. On Linux the SSH software is the portable version of the OpenSSH project, the most widely used implementation of the protocol. OpenSSH is the recommended tool for remote login, backups, remote file transfer via SCP or SFTP, and more.
SSH provides confidentiality and integrity for data exchanged between two systems. Its main advantage over older remote-access tools is server authentication using public-key cryptography, which lets the client detect an impostor server. OpenSSH has a strong security record, but vulnerabilities are still reported from time to time, so keeping it patched is part of hardening.
SSH follows a traditional client-server model: the SSH server (sshd) accepts connections from SSH clients. The client opens the connection and presents the session to the user; the server authenticates the client and runs the session.
SSH protocol version 2 replaced version 1. It was standardized in 2006 (RFC 4251 and the related RFCs), and its encryption and integrity protection were redesigned so thoroughly that it is not backward compatible with version 1. Your server should accept connections only from version 2 clients; OpenSSH has disabled SSH-1 by default since release 7.0 and removed the code entirely in 7.6.
All the changes we are going to address are made in the SSH configuration files. Most of the security tips concentrate on the main server configuration file, sshd_config, which on most Linux distributions is found at /etc/ssh/sshd_config (ssh_config in the same directory is the client configuration and is not the file to edit).
Port 22 is the standard port for SSH. Moving the service to a different port adds only security through obscurity, but it does cut down the noise from automated scanners and brute-force bots that target port 22, which makes real attacks easier to spot in the logs. Edit your sshd_config file and set a port other than 22 with the Port directive:
The earlier protocol, SSH-1, has many known security weaknesses, so only SSH-2 should be used. Current OpenSSH releases (7.6 and later) support only SSH-2 and ignore the Protocol directive; on an older release, make sure the Protocol directive in sshd_config is set to 2:
Logging in as root is bad practice. Log in as a regular user and use sudo for actions that require root privileges. For the same reason, do not let root log in over SSH at all (the PermitRootLogin directive controls this); only regular users should be able to connect. An administrator then logs in over SSH as a normal user and escalates with sudo or su only when root is really needed, which also leaves an audit trail of who did what.
Add the primary user for the SSH connection and set a new password:
By default the SSH server listens on every network interface. Restrict it to one predefined interface, typically the management or internal interface, with the ListenAddress directive:
SSH keys are a stronger way to authenticate to an SSH server. Passwords can be guessed, cracked, or brute-forced; a private key of adequate size cannot be guessed online, and an attacker with a list of common passwords gains nothing. The trade-off is that the private key must be protected from theft, so store it with a passphrase.
When you generate SSH keys you create a key pair: a public key and a private key. The public key is installed on the servers you want to connect to (in the account's ~/.ssh/authorized_keys file). The private key, as the name suggests, stays on your own computer and should never leave it.
You should use public keys to log in to the SSH server. Generate a key pair on the client with ssh-keygen, copy the public key to the server (ssh-copy-id does this for you), and confirm that a key-based login works.
After confirming that key-based login works from a second session, disable password login with the PasswordAuthentication directive (keep the first session open until you have verified the new configuration, so a mistake does not lock you out):
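The step most often gone wrong when switching to key-based login is the permission check sshd performs when StrictModes is on (its default): ~/.ssh must not be group- or world-writable and authorized_keys must be private, or the key is silently refused. The following shell script is an added example, not code from the original article or from the OpenSSH project; it installs a public key line with the required modes and without creating duplicates. The public key string in it is a constructed sample, not a real key, and the paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): install a public key into
# ~/.ssh/authorized_keys with the modes sshd's StrictModes (default on)
# requires, and never append the same key twice.
set -eu

# Constructed sample key line for demonstration; it is NOT real key material.
# On a real system use the contents of id_ed25519.pub from "ssh-keygen -t ed25519".
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000000000 admin@laptop'

# valid_pubkey_line LINE: accept only "<type> <base64> [comment]" with a key
# type OpenSSH supports, so stray text cannot end up in authorized_keys.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# install_authorized_key HOME_DIR PUBKEY_LINE
# Returns 0 when the key is present afterwards, 1 when the line is malformed.
install_authorized_key() {
    home=$1 key=$2
    valid_pubkey_line "$key" || { echo "rejected malformed key line" >&2; return 1; }
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"                      # StrictModes: directory not writable by others
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"      # StrictModes: file readable by the owner only
    # Compare on key type and material only, so a different comment on the
    # same key does not produce a duplicate entry.
    material=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if ! awk '{print $1 " " $2}' "$home/.ssh/authorized_keys" | grep -qxF "$material"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# count_authorized_keys HOME_DIR: number of key lines installed (for checks).
count_authorized_keys() {
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys" || true
}

# Usage (run as the target user on the server): sh install-key.sh --apply
if [ "${1:-}" = "--apply" ]; then
    install_authorized_key "$HOME" "$SAMPLE_PUBKEY"
    echo "$(count_authorized_keys "$HOME") key(s) installed for $USER"
fi
```

Run it as the target user, then test the login from a second terminal before touching PasswordAuthentication. If the login still asks for a password, `sshd -d` on the server or `ssh -v` on the client will show whether the key was offered and why it was refused.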
Enable two-factor authentication on the SSH server for defence in depth. An attacker who guesses a password, or who steals a private key, is still stopped at the second factor. OpenSSH can require several methods at once with the AuthenticationMethods directive, for example a public key plus a one-time code delivered through a PAM module.
Never allow remote login with an empty password. An account with an empty password is trivially brute-forced, because there is nothing to guess.
To disable empty-password login, set the PermitEmptyPasswords directive to no:
TCP Wrappers is a simple host-based access control list: it permits or denies connections based on properties of the request, such as the client IP address or hostname. Use it in addition to, never instead of, a properly configured firewall. Note that OpenSSH dropped built-in TCP Wrappers (libwrap) support in release 6.7, so on current distributions /etc/hosts.allow and /etc/hosts.deny have no effect on sshd; use firewall rules or the AllowUsers and Match Address directives in sshd_config instead. Also, if you connect from a dynamic IP address, restricting access by address will eventually lock you out of your own server.
Edit /etc/hosts.allow and add this line to permit connections from the address you connect from (replace XX.XX.XX.XX with your real public IP). On its own the line only permits; to turn it into a whitelist, also deny sshd for all other hosts in /etc/hosts.deny:
sshd : XX.XX.XX.XX
If you use an iptables-based firewall such as CSF (ConfigServer Security &amp; Firewall), you can limit how many times a client may fail SSH authentication before its address is blocked:
Edit /etc/csf/csf.conf and set:
LF_SSHD = "5"
Restart the firewall to apply changes:
By default, SSH accepts connections from any source address. The ListenAddress directive does not change that: it selects the local address the server binds to (the interface restriction described above), not which clients may connect. To accept SSH only from a specific client address, add a firewall rule for the SSH port, or restrict it in sshd_config with AllowUsers in its user@host form or with a Match Address block.
For example, if you want to accept SSH connections only from IP address 192.168.1.2, you would add a firewall rule that permits that source address to the SSH port and drops everything else, or an AllowUsers entry naming your user and that address.
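The directives discussed above (Port, ListenAddress, PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, and the source-address restriction) are all single-line settings in sshd_config, but editing them by hand tends to leave commented-out duplicates behind, and a directive accidentally placed after a Match block applies only inside that block. The shell script below is an added example, not code from the original article or from OpenSSH; it applies the settings idempotently, keeps Match blocks intact, and syntax-checks the result with sshd -t. The account name "admin", the management address 192.168.1.10, the port 2222 and the trusted network 192.168.1.0/24 are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original article: apply the sshd_config directives
# discussed in the text idempotently and validate before restarting.
# Assumptions: OpenSSH 7.6 or newer (SSH-1 is gone, so no Protocol line is
# written), a non-root account "admin", a management interface at 192.168.1.10,
# port 2222 and a trusted client network 192.168.1.0/24. All are placeholders.
set -eu

# set_sshd_option FILE KEY VALUE
# Replace the first top-level KEY line (active or commented out) with
# "KEY VALUE", drop later duplicates, or add the line if KEY is absent.
# Everything from the first "Match" block onwards is copied untouched, and a
# missing directive is inserted before it, because a line placed after a
# Match block would apply only inside that block.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        /^[ \t]*Match[ \t]/ && !in_match {
            in_match = 1
            if (!done) { print k " " v; done = 1 }
        }
        !in_match && $0 ~ ("^[ \t]*#?[ \t]*" k "[ \t]") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # keeps the original file owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the effective top-level value of KEY.
get_sshd_option() {
    awk -v k="$2" '/^[ \t]*Match[ \t]/ { exit } $1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE: the settings from the article, applied in one place.
harden_sshd() {
    cfg=$1
    set_sshd_option "$cfg" Port 2222                    # obscurity only: cuts scanner noise
    set_sshd_option "$cfg" ListenAddress 192.168.1.10   # bind the management interface only
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no    # only after key login is verified
    set_sshd_option "$cfg" PermitEmptyPasswords no
    # Client-address restriction belongs here (or in the firewall), not in
    # ListenAddress: AllowUsers USER@HOST patterns accept CIDR ranges.
    set_sshd_option "$cfg" AllowUsers admin@192.168.1.0/24
}

# check_sshd_config FILE: syntax-check with sshd -t; do not restart on failure.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Usage (as root): sh harden-sshd.sh --apply   (keeps a backup, then validates)
if [ "${1:-}" = "--apply" ]; then
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd /etc/ssh/sshd_config
    check_sshd_config /etc/ssh/sshd_config
    echo "sshd_config updated; restart sshd and test a new login from a second session"
fi
```

Because ListenAddress and AllowUsers both take effect only after a restart, keep the session you are working in open, restart sshd, and confirm a fresh login from the trusted network before closing it; if the check fails, restore the .bak copy before restarting.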
After any change to sshd_config, check the syntax with sshd -t and then restart the SSH server; the systemd unit is named ssh on Debian and Ubuntu and sshd on Red Hat-based systems. Keep your current session open and test a new login before closing it:
sudo service ssh restart
Finally, if you don’t need SSH running on your computer at all, make sure it is disabled:
sudo systemctl stop sshd
sudo systemctl disable sshd
SSH is one of the most widely used network services on Linux and BSD servers. It is a powerful tool for connecting to and managing machines, but it can also be your worst nightmare if it is not adequately protected. With these changes in place the server presents a much smaller target: no root login, no password guessing, a single permitted account on a restricted interface, and clients blocked by the firewall after a few failures. Hardening is not a one-time task, though; keep OpenSSH patched and review the authentication logs regularly.