This tutorial will show you some of the ways you can make SSH more secure.
Change the Default Port
The default port for SSH is 22, so it is the port every automated scanner and brute-force bot tries first. Moving sshd to another port does not hide it from anyone who port-scans the host, but it removes most of the background noise from your logs and is easy to do. Follow these steps:
- Pick a port number between 1 and 65535 (port 0 is reserved and cannot be used). I suggest not using anything below 1024. The range 0-1023 is known as the "Well Known Ports"; many applications use these ports and choosing one of them may cause conflicts. The IANA Service Name and Transport Protocol Port Number Registry lists them and what uses them. Also check that nothing on your server already listens on the port you pick.
- Using your favorite editor (nano, pico, vi, vim, etc) open /etc/ssh/sshd_config
# vi /etc/ssh/sshd_config
- Find the line that looks like this:
Port 22
It may be commented out already:
#Port 22
If the line is commented out, uncomment it and change 22 to the port number you decided on above, so that it reads Port followed by your number (for example Port 2222).
Note: If you run a firewall make sure you open the new port (and on a host with SELinux enforcing, allow the new port for the ssh_port_t type with semanage), otherwise you will lock yourself out. Keep your current session open until you have restarted sshd and confirmed that a new connection on the new port works.
Let's continue; keep the sshd_config file open and follow the next steps.
SSH has two protocol versions, 1 and 2. Protocol 1 has known cryptographic weaknesses, so you should never allow it. (Current OpenSSH releases have dropped server support for protocol 1 altogether and treat the Protocol directive as deprecated, so on a recent server this step is only a check.)
- Search for Protocol. It may be commented out, and it may list both versions (2,1).
- Uncomment it if needed and remove 1, leaving only 2 following Protocol, so that the line reads Protocol 2.
You should never allow root to log in remotely. Most attacks try to gain root access, and disabling root login means that even an attacker who somehow gets the root password must first compromise an ordinary account and then escalate. Use sudo or su from a normal account for administration instead. (Newer OpenSSH versions also accept prohibit-password, which allows root only with a key; no is the strict choice.) You need to disable this in your sshd_config file as well:
- Search for PermitRootLogin. Uncomment it if needed and make sure that "no" follows it, so that the line reads PermitRootLogin no.
Making it harder
Since most attacks come from brute-force script kiddies, you will want to limit the number of password attempts they get per connection. If you do not limit this number, or keep it fairly high, the skiddies will try again and again within the same session. Changing the port above already thwarts a lot of these attacks, but if an attacker discovers your new port this setting should be low. Note that MaxAuthTries only caps attempts per connection; a bot that simply reconnects is not stopped by it, which is why the login-failure detection tools mentioned below matter too. To limit the number of attempts:
- Search for MaxAuthTries. Uncomment it if necessary and change the number from the default (6) to something lower, e.g. MaxAuthTries 3. I like 3; you may want to go as low as 2 or even 1, but be aware that every public key the client offers counts as one attempt, so a user whose agent holds several keys can be refused before the right key is tried.
Key Logins Only - Important!
If you only allow SSH key-based logins, brute-force attacks become useless (the whole point of a brute-force attempt is to guess your password and log in). You will need to generate a public/private key pair (ssh-keygen) and install the public key in ~/.ssh/authorized_keys on the server (ssh-copy-id does this for you) before you go on. Test that a key login works in a second session before you disable passwords, or you will lock yourself out. Here is how to enable keys and disable password authentication:
- Find PubkeyAuthentication. Remove the comment and make sure yes follows it (as opposed to no), so that the line reads PubkeyAuthentication yes.
- Find PasswordAuthentication. Uncomment it and make sure no follows it, so that the line reads PasswordAuthentication no.
- Also set ChallengeResponseAuthentication no (the directive is called KbdInteractiveAuthentication in newer releases, which still accept the old name); otherwise PAM can still prompt for a password through keyboard-interactive authentication even with PasswordAuthentication off.
Here are some other tips that may help make SSH and your server more secure:
- Make sure you have a login failure detection script running. You can use fail2ban, APF/BFD (what is used here), CSF/LFD, or something similar to block brute force attackers.
- Only give SSH to the users who need it. Set the login shell of everyone else to /sbin/nologin, or maintain an explicit list of allowed users in sshd_config with the AllowUsers option (AllowGroups does the same for a group).
- If the server has several IP addresses, only listen for SSH on one of them with the ListenAddress directive in sshd_config, rather than on every interface.
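The steps above are all edits to the same file, and it is easy to leave a commented copy behind or to put a global directive after a Match block where sshd will not apply it. The script below is an added example (not part of the original tutorial and not an OpenSSH tool): a small POSIX sh/awk helper that applies every setting discussed on this page to a copy of sshd_config in one idempotent pass, and a reader that prints the value sshd would actually use (the first active occurrence before any Match block). The port 2222, the users alice and bob, the address 203.0.113.10 and the sample config are constructed placeholders; adapt them before touching a real server.

```shell
#!/bin/sh
# Added example (not from the original tutorial): harden an sshd_config copy
# with the settings discussed above and read back the effective values.
# Port 2222, users "alice bob", address 203.0.113.10 and the sample file are
# made-up placeholders.

# set_sshd_option FILE KEY VALUE
# Rewrites the first occurrence of KEY (active or "#commented", any case) to
# "KEY VALUE", drops duplicate/commented copies, and otherwise inserts the
# directive before the first Match block (global directives must come before
# it) or at the end. Lines inside Match blocks are left exactly as they are.
set_sshd_option() {
    _f=$1 _k=$2 _v=$3
    _t=$(mktemp) || return 1
    awk -v key="$_k" -v value="$_v" '
        function directive(line,   f) {
            # "#Port 22", "  Port 22" and "port=22" all yield "port"
            sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, /[ \t=]+/)
            return tolower(f[1])
        }
        {
            active = ($0 !~ /^[ \t]*#/)
            d = directive($0)
            if (in_match) { print; next }
            if (d == "match" && active) {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
                print; next
            }
            if (d == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$_f" > "$_t" && cat "$_t" > "$_f"   # cat keeps the file owner and mode
    _rc=$?
    rm -f "$_t"
    return $_rc
}

# get_sshd_option FILE KEY
# Prints the value sshd would use: the first active occurrence (sshd takes the
# first value it reads for each keyword), stopping at the first Match block.
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # comment lines
        NF == 0 { next }                          # blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            d = tolower(f[1])
            if (d == "match") exit
            if (d == tolower(key)) {
                sub(/^[^ \t=]+[ \t=]+/, "", line)  # keep the whole argument
                print line
                exit
            }
        }
    ' "$1"
}

# harden_sshd_config FILE PORT [ALLOWED_USERS] [LISTEN_ADDRESS]
harden_sshd_config() {
    cfg=$1 port=$2 users=$3 addr=$4
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" Protocol 2          # deprecated/ignored on OpenSSH >= 7.4, kept for old servers
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" MaxAuthTries 3      # every offered key counts as a try; 1 breaks multi-key agents
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    # without this PAM can still prompt for a password via keyboard-interactive
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    if [ -n "$users" ]; then set_sshd_option "$cfg" AllowUsers "$users"; fi
    if [ -n "$addr" ]; then set_sshd_option "$cfg" ListenAddress "$addr"; fi
}

# Constructed sample resembling a stock file (not a real host's config).
sample_sshd_config() {
    cat <<'EOF'
#Port 22
#Protocol 2,1
PermitRootLogin yes
#MaxAuthTries 6
PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
EOF
}

demo=$(mktemp)
sample_sshd_config > "$demo"
harden_sshd_config "$demo" 2222 "alice bob" 203.0.113.10
cat "$demo"
echo "effective Port: $(get_sshd_option "$demo" Port)"
rm -f "$demo"
```

Run it against a copy of /etc/ssh/sshd_config, validate the copy with sshd -t -f before installing it, then restart sshd while your existing session stays open and confirm a fresh key-based login on the new port before you close it. The AllowUsers and ListenAddress arguments are optional; leave them empty to keep the page's first set of changes only.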