8 Ways to Secure SSH Server Connections in Linux
SSH is a widely used protocol for securely accessing Linux servers. Most users use SSH connections with the default settings to connect to a remote server. However, insecure default configurations also pose various security risks.
The root account of a server with open SSH access can be at risk. And especially if you use a public IP address, it is much easier to hack the root password. Therefore, it is necessary to have knowledge about SSH security.
Here’s how you can secure your SSH server connections on Linux.
1. Disable root user logins
To do this, start by disabling the root user’s SSH access and create a new user with root privileges. Disabling remote access for the root user is a defensive strategy that keeps attackers from breaking into the system through that account. For example, you can create a user named exampleroot as follows:
useradd -m exampleroot
passwd exampleroot
usermod -aG sudo exampleroot
Here is a brief explanation of the aforementioned commands:
- useradd creates a new user, and the -m parameter creates the home directory for the user you created.
- The passwd command is used to assign a password to the new user. Remember that the passwords you assign to users should be complex and difficult to guess.
- usermod -aG sudo adds the newly created user to the admin group.
After the user creation process, it is necessary to make some changes to the sshd_config file. You can find this file at /etc/ssh/sshd_config. Open the file with any text editor and make the following changes:
Setting PermitRootLogin to no prevents the root user from logging in remotely over SSH. Including exampleroot in the AllowUsers list grants that user permission to log in.
Finally, restart the SSH service using the following command:
sudo systemctl restart ssh
If that fails and you get an error message, try the command below. This may differ depending on the Linux distribution you are using.
sudo systemctl restart sshd
2. Changing the default port
The default SSH connection port is 22. Of course, all attackers know this and therefore it is necessary to change the default port number to ensure SSH security. Although an attacker can easily find the new port number with an Nmap scan, the goal here is to make the attacker’s job more difficult.
To change the port number, open /etc/ssh/sshd_config and make the following changes to the file:
After this step, restart the SSH service again with sudo systemctl restart ssh. You can now access your server using the port you just defined. If you are using a firewall, you must also make the necessary rule changes there. By running the netstat -tlpn command, you can see that your port number for SSH has changed.
3. Block access to users with empty passwords
You may have accidentally created users without passwords on your system. To prevent these users from accessing the server, set the PermitEmptyPasswords value in the sshd_config file to no.
4. Limit Login/Access Attempts
By default, you can access the server with as many password attempts as you want. However, attackers can use this vulnerability to brute force the server. You can automatically terminate the SSH connection after a certain number of attempts by specifying the number of allowed password attempts.
To do this, change the MaxAuthTries value in the sshd_config file.
5. Using SSH version 2
The second version of SSH was released due to the many vulnerabilities in the first version. You can make the server use the second version by adding the Protocol setting to your sshd_config file. All your future connections will then use the second version of SSH.
6. Disable TCP Port Forwarding and X11 Forwarding
Attackers can try to access your other systems by forwarding ports over SSH connections. To avoid this, you can disable the AllowTcpForwarding and X11Forwarding features in the sshd_config file.
7. Login with an SSH key
One of the most secure ways to connect to your server is to use an SSH key. When using an SSH key, you can access the server without a password. Additionally, you can completely disable password access to the server by changing the password-related settings in the sshd_config file.
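The sshd_config settings from sections 1 to 7 can be checked with a short audit script. This is an added example, not part of the original article: the sample files, port 2222 and the MaxAuthTries limit of 3 are constructed for illustration, and the fallback values are the current OpenSSH defaults.

```sh
#!/bin/sh
# Added example: audit an sshd_config-style file for the settings in sections 1-7.
# Port 2222 and MaxAuthTries 3 are constructed values, not taken from the page.

# effective_value FILE KEYWORD DEFAULT: sshd keeps the first occurrence of a
# keyword (case-insensitive). Conditional lines after "Match" are not evaluated.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: print one line per finding, return the finding count.
audit_sshd_config() {
    f=$1; fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    want_no() {  # want_no KEYWORD OPENSSH_DEFAULT
        got=$(effective_value "$f" "$1" "$2")
        [ "$got" = no ] || fail "$1 is '$got', want 'no'"
    }
    want_no PermitRootLogin prohibit-password
    want_no PermitEmptyPasswords no
    want_no AllowTcpForwarding yes
    want_no X11Forwarding no
    want_no PasswordAuthentication yes
    tries=$(effective_value "$f" MaxAuthTries 6)
    [ "$tries" -le 3 ] || fail "MaxAuthTries is $tries, want 3 or fewer"
    [ "$(effective_value "$f" Port 22)" != 22 ] || fail "Port is still 22"
    return "$fails"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed sample: the second PermitRootLogin and the commented line are ignored.
printf '%s\n' 'PermitRootLogin yes' '#MaxAuthTries 3' 'X11Forwarding yes' \
    'PermitRootLogin no' > "$tmp/weak"
# Constructed sample with every directive from sections 1-7 set explicitly.
printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'AllowUsers exampleroot' \
    'PermitEmptyPasswords no' 'MaxAuthTries 3' 'AllowTcpForwarding no' \
    'X11Forwarding no' 'PasswordAuthentication no' > "$tmp/hardened"

audit_sshd_config "$tmp/weak" || echo "weak sample: $? finding(s)"
audit_sshd_config "$tmp/hardened" && echo "hardened sample: no findings"
```

On a live host, sudo sshd -t validates the file before you restart the service, and sudo sshd -T prints the effective configuration including defaults.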
When you create an SSH key, there are two keys: public and private. The public key is uploaded to the server you want to connect to, and the private key is stored on the computer from which you will establish the connection.
Create an SSH key with the ssh-keygen command on your computer. Don’t leave the passphrase field empty, and remember the passphrase you enter here. If you leave it blank, the SSH key file alone is enough to gain access. However, if you set a passphrase, you can prevent an attacker who has the key file from accessing the server. For example, you can create an SSH key with the following command:
8. IP restrictions for SSH connections
Most of the time, the firewall blocks access according to its own rules and aims to protect the server. However, this is not always enough, and you have to strengthen this protection.
To do this, open the /etc/hosts.allow file. With the additions you make to this file, you can restrict SSH permission, allow a specific IP block, or enter a single IP address and block all remaining IP addresses with the deny command.
Below are some sample settings. After that, restart the SSH service as usual to save the changes.
The Importance of Linux Server Security
Data and data security issues are quite detailed and should be considered by all server administrators. Server security is a very sensitive issue, as attacks mainly focus on web servers, and they contain almost all the information on a system. Since most servers run on Linux infrastructure, it is very important to be familiar with Linux system and server administration.
SSH security is only one way to protect servers. It is possible to minimize the damage you take by stopping, blocking or slowing down an attack. Besides SSH security, there are many different methods you can implement to secure your Linux servers.