Best Practices for Securing SSH Connections on Linux Servers

Securing SSH connections on Linux

Discover the best practices for securing SSH connections on Linux servers. Learn essential security tips like disabling root login, using SSH keys, and more for better protection and control over your server.

Table of Contents

Introduction

Secure Shell (SSH) is a widely used protocol for remote administration and file transfer on Linux servers. However, due to its popularity, SSH is often a target for malicious actors looking to gain unauthorized access to your server. Securing SSH connections is crucial for maintaining server integrity, confidentiality, and availability. In this post, we’ll explore the best practices for securing SSH connections on Linux servers, with practical examples and explanations.

By following these tips, you can significantly reduce the risk of unauthorized access and ensure that your server remains safe and resilient against attacks.

Use SSH Keys Instead of Password Authentication

One of the simplest yet most effective ways to secure your SSH connections is by using SSH key pairs rather than passwords. SSH keys provide a higher level of security because they are difficult to brute-force compared to traditional passwords.

Why SSH Keys are More Secure

  • Strength of Encryption: SSH keys use asymmetric cryptography, meaning there’s a private key on your machine and a public key on the server. The public key is installed on the server, and only the corresponding private key can be used to authenticate the user.
  • No Brute-Force Risk: Unlike passwords, SSH keys are not susceptible to brute-force attacks since they rely on complex encryption algorithms.

How to Set Up SSH Key Authentication

  • Generate SSH Key Pair: On your local machine, run the following command to generate a new key pair:
				
					ssh-keygen -t rsa -b 4096

Follow the prompts to save the key and optionally add a passphrase for extra security.

Securing SSH connections on Linux

Photo by admingeek from Infotechys

  • Copy the Public Key to the Server: Use the ssh-copy-id command to copy your public key to the server:
				
					ssh-copy-id user@server_ip
  • Disable Password Authentication: After setting up SSH keys, it’s time to disable password-based login to enhance security. Edit the SSH configuration file on your server:
				
					sudo vim /etc/ssh/sshd_config

Find the line:

				
					PasswordAuthentication yes

And change it to:

				
					PasswordAuthentication no

Finally, restart SSH to apply the changes:

				
					sudo systemctl restart sshd

Disable Root Login Over SSH

Allowing direct root login over SSH is a security risk. If an attacker gains access to your SSH key or password, they would have complete control over the server. Therefore, it’s recommended to disable root login.

How to Disable Root Login

  • Open the SSH configuration file:
				
					sudo vim /etc/ssh/sshd_config

Find the line:

				
					PermitRootLogin yes

And change it to:

				
					PermitRootLogin no
  • Save the file and restart SSH:
				
					sudo systemctl restart sshd

By disabling root login, users will need to log in with a regular user account first, and then escalate privileges using sudo or su.

Use Two-Factor Authentication (2FA)

Adding an additional layer of security with two-factor authentication (2FA) is highly recommended. Even if an attacker manages to compromise your SSH key or password, they would still need the second factor to authenticate successfully.

How to Set Up 2FA for SSH

  • Install Google Authenticator: On the server, install the libpam-google-authenticator package:
				
					sudo apt-get install libpam-google-authenticator
  • Configure the PAM Module: Edit the PAM configuration for SSH:
				
					sudo vim /etc/pam.d/sshd

Add the following line at the end:

				
					auth required pam_google_authenticator.so
  • Enable 2FA for Your User: On your user account, run:
				
					google-authenticator

Follow the prompts to configure 2FA, then use an app like Google Authenticator or Authy on your phone to scan the provided QR code.

  • Update SSH Configuration: Edit the SSH configuration file to allow 2FA:
				
					sudo vim /etc/ssh/sshd_config

Set ChallengeResponseAuthentication to yes:

				
					ChallengeResponseAuthentication yes
  • Restart SSH:
				
					sudo systemctl restart sshd

Now, when logging in, you’ll be prompted for a code from your 2FA app, adding another layer of security to your SSH connection.

Limit SSH Access by IP Address

Restricting SSH access to specific IP addresses can reduce the attack surface of your server. Only trusted IP addresses should be allowed to connect via SSH.

How to Limit SSH Access

  • Edit the SSH Configuration:
				
					sudo nano /etc/ssh/sshd_config

Add the following line to allow only specific IP addresses:

				
					AllowUsers user@trusted_ip

Or you can use the sshd configuration to restrict access based on IP ranges:

				
					AllowUsers user@192.168.1.*
  • Restart SSH:
				
					sudo systemctl restart sshd

Change the Default SSH Port

The default SSH port (22) is well-known and often targeted by attackers. Changing the SSH port to a less common number can help reduce the risk of automated attacks.

How to Change the SSH Port

Edit the SSH configuration file:

				
					sudo vim /etc/ssh/sshd_config

Look for the line:

				
					Port 22

Change it to another number, such as 2222:

				
					Port 2222

Save the file and restart SSH:

				
					sudo systemctl restart sshd

Update your firewall rules to allow the new port:

				
					sudo ufw allow 2222/tcp && sudo ufw reload  # Ubuntu/Debian-based distributions
				
			
				
					sudo firewall-cmd --permanent --add-port=2222/tcp && sudo firewall-cmd --reload # RHEL/CentOS/Linux-based distributions

Implement Fail2Ban to Protect Against Brute-Force Attacks

Fail2Ban is a tool that scans log files for suspicious login attempts and blocks IP addresses that exceed the maximum allowed number of failed attempts. This helps prevent brute-force attacks on SSH.

How to Install and Configure Fail2Ban

  • Install Fail2Ban:
				
					sudo apt-get install fail2ban -y
  • Configure Fail2Ban for SSH: Edit the configuration file:
				
					sudo vim /etc/fail2ban/jail.local

Add or modify the section for SSH:

				
					[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 3600
  • Restart Fail2Ban:
				
					sudo systemctl restart fail2ban

Fail2Ban will now automatically block IP addresses that exceed the maximum number of failed login attempts, significantly improving SSH security.

Configure SSH Timeouts and Idle Session Limits

Timeouts and session limits are important for preventing unauthorized users from keeping idle sessions open indefinitely. This is especially important for shared environments or multi-user systems.

How to Configure SSH Timeouts

Set the ClientAliveInterval and ClientAliveCountMax parameters in the SSH configuration to automatically disconnect idle sessions.

  • Open the SSH configuration file:
				
					sudo vim /etc/ssh/sshd_config

Add or modify the following lines:

				
					ClientAliveInterval 300
ClientAliveCountMax 0

Finally, restart SSH:

				
					sudo systemctl restart sshd

Keep SSH and System Software Up to Date

One of the most important steps in maintaining server security is ensuring that your SSH software, system packages, and dependencies are regularly updated. Security patches are often released to address known vulnerabilities.

How to update your system

  • Update & Upgrade Package List:
				
					sudo apt update -y && sudo apt upgrade -y
				
			
				
					sudo yum update -y   # For RHEL/CentOS/Linux-based distributions
				
			
				
					sudo dnf update -y   # For RHEL 8+/CentOS 8+/Linux-based distributions
  • Upgrade SSH Server:
				
					sudo apt-get install --only-upgrade openssh-server

By keeping your system up to date, you ensure that any security vulnerabilities in SSH or other software are patched promptly.

Conclusion

Securing SSH connections on Linux servers is essential for maintaining a secure and robust environment. By following these best practices—such as using SSH keys, disabling root login, enabling 2FA, and limiting access by IP—you can significantly enhance the security of your SSH connections. Combining these practices with regular updates and monitoring tools like Fail2Ban will provide a multi-layered defense against malicious actors.

Always remember, server security is an ongoing process, so keep educating yourself and stay proactive in defending your infrastructure.

Did you find this article useful? Your feedback is invaluable to us! Please feel free to share this post!

Related Posts
Tags
Ansible (24) Apache (8) Artificial Intelligence (8) Automation (33) Big Data (4) Blockchain (4) CentOS (157) Cloud Computing (3) Containers (11) Database (7) Debian (40) DevOps (6) Docker (11) Fedora (9) Git (3) HOWTO (233) Information Technology (4) Install (113) Jenkins (6) Kali Linux (4) Kubernetes (20) KVM (6) LAMP (5) Linux (262) Linux commands (154) mariaDB (3) Minikube (6) mysql (9) nmcli (4) Podman (13) Postgres (3) Postgresql (4) Python (8) RHCSA Exam (10) RHEL (176) Scripting (4) SSH (4) Technology (11) Text Editor (10) Ubuntu (62) Upgrade (4) vim (3) VirtualBox (3) Virtualization (4) Zabbix (6)

Leave a Reply

Your email address will not be published. Required fields are marked *