How to Lock Down your SSH Server




Learn how to secure your systems and prevent unauthorized access via SSH by following these simple suggestions.

SSH or Secure SHell replaced Telnet as the remote access protocol of choice somewhere in the 1990s, and for good reason. SSH allows administrators – or users – to access a remote shell via a secure tunnel by connecting their SSH client to an SSH server. SSH can also handle file transfers, which should replace FTP, although there are a surprising number of situations that still rely on good old plain text FTP.

For the reasons mentioned above, modern Linux systems are managed via SSH. Most experienced system administrators like the direct access and power they get when they can connect to the shell of their system in a relatively simple and secure way. In this article, I will focus on the sshd daemon of the OpenSSH server. We will discuss some of the security issues you may encounter and how to mitigate or solve them directly.

Locking Down SSH

We’re going to go over two things here. First, we’re going to disable the use of passwords to log into the system. Second, we’re going to disable the numbers that are acceptable to use.

Disabling Password Authentication

Switch to system B, either physically or via ssh (since we can do that easily now, because we’re cool). We will modify the following file:

/etc/ssh/sshd_config

First, back it up in case you break something and have to go back. It is much easier to copy a file than to try to figure out what it was like when it was working. When you have done this and not before, open this file in your favorite text editor (bonus points if it is Vim). Find the line that starts with:

PasswordAuthentication

If it says “yes” at the far right, change it to “no”. Save, exit the editor and restart the ssh service:

systemctl restart sshd

or

service sshd restart

Why disable passwords? Passwords are not as resistant to brute-force attacks as our public/private keys are. Disabling the ability to use passwords mitigates this avenue of attack. If we set up our public/private keys and disable password authentication, we should be fairly well off.
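The backup-then-edit step above can be scripted. The following is an added example, not code from the original article: the function names are hypothetical, and it assumes a single sshd_config file with no Include directives. It accounts for the fact that sshd uses the first value it reads for a keyword and that a Match block can turn passwords back on for some users.

```shell
#!/bin/sh
# Added example (not from the article). Include files are not followed.

# Print the global PasswordAuthentication value sshd would use from file $1.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and an unset keyword falls back to the default "yes".
effective_password_auth() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank and comment lines
        tolower($1) == "match" { exit }      # the global section ends here
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Count lines inside Match blocks that re-enable passwords; each one
# overrides the global setting for the users or hosts it matches.
match_reenables_passwords() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        in_match && tolower($1) == "passwordauthentication" &&
            tolower($2) == "yes" { n++ }
        END { print n + 0 }
    ' "$1"
}

# Copy $1 to $1.bak, then set the global PasswordAuthentication to "no".
disable_password_auth() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak" || return 1      # back up before editing
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "passwordauthentication" {
            print "PasswordAuthentication no"; next
        }
        { print }
    ' "$cfg.bak" > "$cfg" || return 1
    if [ "$(effective_password_auth "$cfg")" != "no" ]; then
        # No active global directive existed: put ours first so it wins.
        { echo "PasswordAuthentication no"; cat "$cfg.bak"; } > "$cfg"
    fi
}
```

Before restarting the service, run `sshd -t` to check the edited file for syntax errors, and keep your current session open until a key-based login has been confirmed from a second terminal.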






Restricting access to port 22

Start by checking whether the default SSH port (port 22) is open to the world. You can do this by running Nmap against the host or network you specify:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-22 20:56 EDT
Nmap scan report for 167.71.200.117
Host is up (0.26s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh

Restricting access to Port 22 is the most basic action you can take to secure your system. I realize that this tactic may not work in all scenarios. Maybe you run a public system, or maybe the CIO travels a lot and accesses systems from many different locations (we’ll talk about VPNs in a moment). My point is that you may have a good reason for making SSH accessible to the general public. But think carefully about how to avoid this configuration. I did it, but mostly out of laziness. There is usually a better solution.

Conclusion

Whether you are building a new server or a virtual machine, it is a good idea to implement several layers of security in your environment. Organizations typically strive to get their infrastructure up and running as quickly as possible, but the necessary security measures must be implemented from the start.

By using the Linux SSH security methods listed above, you should be able to avoid common security threats in the cloud.

Make it difficult for hackers to penetrate your server(s) and limit possible damage. Be sure to implement as many of these best practices as possible before making your server available on the network.

https://www.redhat.com/sysadmin/locking-down-sshd


