xTom - 7 Quick and Easy Ways to Secure SSH on a Linux Server

7 Quick and Easy Ways to Secure SSH on a Linux Server

Learn how to secure your Linux server's SSH access with seven essential security measures, including key-based authentication, two-factor authentication, firewall configuration, and more.

Publish date: 11/9/2024

Secure Shell (SSH) is a fundamental tool for remotely managing Linux servers, providing encrypted communication channels for secure remote access and file transfers.

While SSH is inherently secure due to its encryption protocols, its widespread use across millions of servers makes it a prime target for cybercriminals and automated attacks. Every day, servers face countless unauthorized access attempts through SSH, ranging from simple brute-force attacks to sophisticated exploitation techniques.

Default SSH configurations, while functional, often prioritize convenience over security. This can leave your server vulnerable to various attack vectors, potentially compromising your entire system if breached.

Basically, as a system administrator or server owner, implementing proper SSH security measures isn't just best practice – it's essential for protecting your infrastructure, data, and services from unauthorized access. Otherwise, it's only a matter of time.

That said, in this article, we'll be sharing seven quick and easy methods to improve SSH security on your Linux server. These techniques are proven, and practical, and can be implemented within minutes by nearly anyone. Let's dive in.

1. Disable root login

Allowing the root user to log in directly via SSH poses a significant security risk.

If an attacker gains access to the root account, they have unrestricted control over your server.

How to disable root login

Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Note: While the underlying information is very similar, some steps throughout may slightly differ depending on your Linux distribution. For example, your default editor may differ from Nano, such as Vim. Also, if you're using a RHEL-based distribution (Red Hat Enterprise Linux, CentOS Stream, Fedora, AlmaLinux, Rocky Linux, etc.), you'll need to use dnf instead of apt.

Find the line that says PermitRootLogin and change it to:

PermitRootLogin no

Save the file and restart SSH:

sudo systemctl restart sshd

By disabling root login, users must log in with a non-privileged account and escalate privileges using sudo, adding an extra layer of security.

2. Use SSH key-based authentication and disable passwords

Password-based authentication is susceptible to brute-force attacks.

SSH key-based authentication uses cryptographic keys, which are significantly more secure.

How to set up SSH keys and disable password authentication

Generate SSH keys on your local machine:

ssh-keygen -t ed25519 -C "[email protected]"

Copy the public key to the server:

ssh-copy-id username@server_ip

Disable password authentication

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Set:

PasswordAuthentication no

Restart SSH:

sudo systemctl restart sshd

3. Change the default SSH port

Changing the default SSH port (22) can reduce the number of automated attacks and bots targeting your server.

How to change the SSH port

Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the commented-out line Port 22 and uncomment it while changing it to a non-standard port, such as:

Port 2222

Then update your firewall to allow the new port (the following is using UFW, which is standard on Ubuntu and can easily be installed on Debian):

sudo ufw allow 2222/tcp

For FirewallD (RHEL/AlmaLinux/Rocky Linux/Fedora systems):

sudo firewall-cmd --permanent --add-port=2222/tcp 
sudo firewall-cmd --reload

Restart SSH:

sudo systemctl restart sshd

Note: Ensure that the chosen port is not used by other services and is allowed through any external firewalls.

4. Enable firewall and limit access

Using UFW (Uncomplicated Firewall)

Allow SSH on the new port:

sudo ufw allow 2222/tcp

Enable the firewall:

sudo ufw enable

Verify the status:

sudo ufw status

You can also restrict SSH access to specific IP addresses or ranges:

sudo ufw allow from your_ip_address to any port 2222

Using FirewallD

Allow SSH on the new port:

sudo firewall-cmd --permanent --add-port=2222/tcp

Reload FirewallD to apply changes:

sudo firewall-cmd --reload

Verify the status:

sudo firewall-cmd --list-all

Allow SSH access from specific IP address:

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="your_ip_address" port port="2222" protocol="tcp" accept'

Allow SSH access from specific subnet:

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="2222" protocol="tcp" accept'

Remove default SSH port if you've changed it:

sudo firewall-cmd --permanent --remove-service=ssh

Check rich rules:

sudo firewall-cmd --list-rich-rules

Note: As mentioned earlier, FirewallD is the default firewall management tool on RHEL-based systems, while UFW is more common on Debian-based systems (Ubuntu, Debian). Choose the appropriate firewall tool based on your distribution.

5. Use strong passwords and implement Fail2Ban

How to install and configure Fail2Ban

Install Fail2Ban:

sudo apt-get install fail2ban

Note: Remember, if you're using a RHEL-based distribution, you'll need to use dnf.

Create a local Fail2Ban configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Restart Fail2Ban:

sudo systemctl restart fail2ban

6. Enable Two-Factor Authentication (2FA) for SSH

How to set up 2FA for SSH

Install Google Authenticator:

sudo apt-get install libpam-google-authenticator

Configure Google Authenticator for each user:

google-authenticator

Modify the SSH configuration:

sudo nano /etc/ssh/sshd_config

Add:

ChallengeResponseAuthentication yes

Edit the PAM SSH configuration:

sudo nano /etc/pam.d/sshd

Add the following line at the end:

auth required pam_google_authenticator.so

Restart SSH:

sudo systemctl restart sshd

7. Keep SSH and system updated

How to update SSH and the system:

For Debian/Ubuntu systems

Update package lists:

sudo apt-get update

Upgrade installed packages:

sudo apt-get upgrade

Upgrade distribution (if applicable):

sudo apt-get dist-upgrade

Set up automatic security updates:

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

For RHEL-based systems:

Update package lists:

sudo dnf check-update

Upgrade installed packages:

sudo dnf upgrade

For major system upgrades:

sudo dnf system-upgrade download --releasever=<version_number>
sudo dnf system-upgrade reboot

Set up automatic security updates:

# Install dnf-automatic
sudo dnf install dnf-automatic

# Enable and start the service
sudo systemctl enable --now dnf-automatic.timer

# Configure automatic updates
sudo nano /etc/dnf/automatic.conf

For either system, reboot if necessary (some updates require a system reboot):

sudo reboot

Conclusion

By implementing these seven methods, you can significantly improve your basic SSH security. And it takes very little time.

Why not give at least a few things on this list a go?

Thanks for reading!

If you're looking for reliable and secure hosting, anywhere from dedicated servers, to colocation or scalable NVMe KVM VPS, and beyond, xTom would love to help.

We've been around longer than a decade, and plan to be around a couple more! Give us a look, and don't be afraid to reach out.