If you run a server and have a popular website (or bad friends) you will probably want to make your SSH connection more secure. If you have any logιn failure alerts or brute force detection methods you may notice your server gets attacked several times a day. This server, when using the default SSH port, gets about 10 brute-force attempts per day.
This tutorial will show you some of the ways you can make SSH more security.
Change the Default Port
The default port for SSH is 22. This is the first port an attacker will try when attempting to break in and is very easy to fix by simply changing it. To fix follow these steps:
- Think of a number between 0 to 65535. This is the range that your port number can have. I suggest not using anything below 1024. The range between 0-1023 is a range of ports known as “Well Known Ports”. Many applications use these ports and it may cause conflict problems if you choose one of these. For a list of Well known ports and what uses those ports click here.
- Using your favorite editor (nano, pico, vi, vim, etc) open /etc/ssh/sshd_config
# vi /etc/ssh/sshd_config
- Find the line that looks like this:
It may be commented out already:
If the line is commented out, uncomment it and change 22 to the port number you decided on from above. The line should look like this:
Changing the port number is called security through obscurity. This doesn’t really add much security to your SSH Server as any attacker probably has a port-scanner ready.
If you run a firewall make sure you open the new port.
Lets continue, keep the sshd_config file open and follow the next steps.
SSH has two protocol, 1 and 2. Protocol 1 is less secure so you should not use it.
- Search for Protocol. It should look similar to this:
or it may be commented out:
- Uncomment if needed and remove 1, leaving only 2 following Protocol:
Now only protocol version 2 can be used with your SSH connection.
You should never allow root to login remotely. Most attacks will try to gain root access so disabling root login will prevent them from getting very far if they somehow gain the root password. You’ll need to disable this in your sshd_config file as well:
- Search for PermitRootLogin, it should look similar to this:
- Uncomment if needed and make sure that “no” is following PermitRootLogin.
This will prevent anyone from logging in via SSH as root.
Making it harder
Since most attacks will come from a brute force script kiddie you will want to limit the number of attempts they can enter a password. If you don’t limit this number or if you keep the number fairly high the skiddies will try again and again and again. Changing the port above will also thwart a lot of these attacks but if an attacker discovers your new port this setting should be low. To limit the number of attempts:
- Search for MaxAuthTries. It should look like this:
- Uncomment it if neccessary and change the number from the default (6) to something lower. I like 3 but you may want to set it as low as 2 or even 1.
This will not prevent brute force attacks but it will slow them down. You’ve effectively taken their attempts from 6 down to 3 (or whatever you entered) per try.
Key Logins Only – Important!
If you only allow SSH key-based logins brute force attacks will be useless (as the main purpose of a brute force attempt is to discover your password and login). You will need to generate a public/private key combination in order for this to work. Here is how to enable keys and disable password authentication:
- Find PubkeyAuthentication. It should look like this:
- Remove the comment and make sure it has yes following it (as opposed to no):
- Find PasswordAuthentication. It should look like:
- Uncomment and make sure no is following it:
This will only allow users to login that have a public/private key combination in use with your server. This is one of the most secure options you can enable/disable do to prevent brute force attacks.
Here are some other tips that may help make SSH and your server more secure:
- Make sure you have a login failure detection script running. You can use fail2ban, APF/BFD, CSF/LFD, or something similar to block brute force attackers.
- Only allow the users that need SSH to have SSH. Change their login script to /sbin/nologin or maintain a list of allowed users in the sshd_config using the AllowUsers option.
- Only listen to your selected SSH port on one IP (if you have multiple IPs).