Table of Contents
Introduction
Imagine your computer as a castle, and SSH as the special key to enter it safely. But just like in any adventure, there are secrets to making your castle extra secure.
So get ready to explore, because we’re about to reveal some tricks that will make your castle unbreakable!
Change the Default SSH Port
The default port for SSH is 22, which is well-known and often targeted by attackers. By changing the port to a non-standard number, you can reduce the likelihood of automated attacks. To change the port, edit the Port directive in the /etc/ssh/sshd_config file and restart the SSH service.
Disable Root Login
Disabling root login is crucial because it prevents attackers from gaining full control of your system if they compromise the root account. To disable root login, set PermitRootLogin no in the sshd_config file and restart the SSH service.
Use Public Key Authentication
Public key authentication is more secure than password authentication because it relies on cryptographic keys. To enforce public key authentication, set PasswordAuthentication no and ensure that users have their public keys in the ~/.ssh/authorized_keys file on the server. Also, consider using stronger key types like Ed25519 or RSA with a minimum of 4096 bits.
Limit Access with Allow/Deny Users
You can restrict SSH access to specific users by using the AllowUsers directive to permit certain accounts and DenyUsers to exclude others. This can be particularly useful in environments where only a select group of users should have SSH access.
Manage SSH Keys Properly
Ensure that your SSH keys are strong and secure. Use a passphrase with your private key and avoid using weak or easily guessable passwords. Store your private keys in a secure location and set appropriate permissions to prevent unauthorized access.
Use Strong Ciphers and Algorithms
Configure your SSH server to use strong, modern ciphers and key exchange algorithms. In the sshd_config file, you can specify the Ciphers and KexAlgorithms directives to ensure that only secure options are used.
Implement a Firewall
Firewall rules can be used to restrict access to the SSH port. By allowing only trusted IP addresses, you can significantly reduce the attack surface. Use tools like iptables, ufw, or firewalld to manage your firewall rules.
Set Up Fail2Ban
Fail2Ban is a valuable tool that helps protect your server against brute-force attacks. It monitors log files for repeated failed login attempts and bans the offending IP addresses. Install and configure Fail2Ban to protect your SSH server.
Limit the Number of Authentication Attempts
To prevent brute-force attacks, limit the number of authentication attempts allowed within a certain timeframe. The MaxAuthTries directive in the sshd_config file can be used to specify the maximum number of tries before the client is disconnected.
Use TCP Wrappers for Access Control
TCP Wrappers provide an additional layer of access control. By editing the /etc/hosts.allow and /etc/hosts.deny files, you can specify which IP addresses or ranges are allowed or denied access to the SSH service.
Keep SSH Software Updated
Regularly check for and install updates to your SSH server software. Updates often include security patches that address vulnerabilities, so it’s important to keep your system up-to-date.
Monitor SSH Logs
SSH logs can provide valuable insights into potential security issues. Regularly review the logs, typically found at /var/log/auth.log or /var/log/secure, for any suspicious activity or repeated failed login attempts.
Implement Two-Factor Authentication (2FA)
For an extra layer of security, consider using two-factor authentication for SSH access. This requires users to provide a second form of identification, such as a code from an authenticator app, in addition to their password or key.
Configure Idle Timeouts
To prevent unauthorized access via forgotten or unattended sessions, configure idle timeouts with the ClientAliveInterval and ClientAliveCountMax directives. This will send keep-alive messages to the client and disconnect the session if there is no response after a specified period of inactivity.
Use Chroot Environment
If you must allow a user to log in with a password, using a chroot environment can limit their session to a specific directory, preventing access to other parts of the system. This can be set up using the ChrootDirectory directive in the sshd_config file.