• Kloudnative
  • Posts
  • 9 Essential SSH Server Security Practices You Need to Know

9 Essential SSH Server Security Practices You Need to Know

Safeguarding Your Remote Access with Proven Strategies for Enhanced Security

Author

Vivek Sonar
October 07, 2024

In partnership with

In today's digital landscape, where remote server management is commonplace, ensuring the security of your SSH (Secure Shell) server is paramount. SSH is a critical protocol used for securely managing remote servers, providing an encrypted channel over unsecured networks. However, if not properly configured, SSH can become a vulnerable entry point for attackers. This article delves into ten essential SSH server security practices that will help you protect your systems from unauthorized access and potential threats.

Understanding SSH and Its Importance

SSH is the backbone of remote server management, allowing system administrators to execute commands and manage systems securely. Its encryption ensures the confidentiality and integrity of data exchanged between clients and servers. However, like any service exposed to the internet, SSH is a target for cyberattacks, including brute-force attacks aimed at gaining unauthorized access. By implementing best practices, you can significantly bolster the security of your SSH server.

1. Disable Root Login

Allowing root login over SSH poses a significant security risk, as it provides direct access to the most powerful user on the system. Disabling root login forces users to authenticate with a less privileged account before switching to root, adding an essential layer of security.

How to Disable Root Login:

  • Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

  • Change the line containing PermitRootLogin to: 

PermitRootLogin no

  • Save changes and restart the SSH service:

sudo systemctl restart sshd

Writer RAG tool: build production-ready RAG apps in minutes

  • Writer RAG Tool: build production-ready RAG apps in minutes with simple API calls.

  • Knowledge Graph integration for intelligent data retrieval and AI-powered interactions.

  • Streamlined full-stack platform eliminates complex setups for scalable, accurate AI workflows.

2. Use SSH Key-Based Authentication

SSH key-based authentication is far more secure than password-based authentication because it employs a pair of cryptographic keys instead of a password. This method significantly reduces the risk of brute-force attacks.

How to Set Up Key-Based Authentication:

  • Generate an SSH key pair on your client machine:

ssh-keygen -t rsa -b 4096

  • Copy the public key to the remote server:

ssh-copy-id user@your_server_ip

  • Disable password authentication by editing the SSH configuration file:

sudo nano /etc/ssh/sshd_config

  • Set PasswordAuthentication to:

PasswordAuthentication no

  • Restart the SSH service:

sudo systemctl restart sshd

3. Change the Default SSH Port

The default port for SSH (22) is frequently targeted by attackers. Changing it to a non-standard port can help reduce automated attacks.

How to Change the SSH Port:

  • Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

  • Locate the Port directive and change its value: 

Port 2222

  • Update your firewall rules to allow connections on the new port: 

sudo ufw allow 2222/tcp

  • Restart the SSH service: 

sudo systemctl restart sshd

4. Implement Two-Factor Authentication (2FA)

Adding two-factor authentication (2FA) provides an additional layer of security by requiring not just a password or key but also a verification code from a second device.

How to Enable 2FA for SSH:

  • Install the Google Authenticator PAM module:

sudo apt-get install libpam-google-authenticator

  • Run Google Authenticator setup on your server: 

google-authenticator

  • Edit the SSH configuration file to enable challenge-response authentication: 

sudo nano /etc/ssh/sshd_config

Add or modify this line: 

ChallengeResponseAuthentication yes

  • Update PAM configuration: 

sudo nano /etc/pam.d/sshd

Add this line: 

auth required pam_google_authenticator.so

  • Restart the SSH service: 

sudo systemctl restart sshd

5. Restrict SSH Access by IP Address

Limiting SSH access to specific IP addresses reduces your attack surface by allowing only trusted IPs to connect.

How to Restrict Access:

  • Edit /etc/hosts.allow to specify allowed IP addresses: 

sshd: YOUR_TRUSTED_IP_ADDRESS_HERE

  • Deny all other IPs in /etc/hosts.deny : 

sshd: ALL

  • Alternatively, configure your firewall: 

sudo ufw allow from YOUR_TRUSTED_IP_ADDRESS_HERE to any port YOUR_SSH_PORT_HERE

6. Disable SSH Protocol Version 1

SSH Protocol Version 1 is outdated and contains known vulnerabilities. Ensuring your server uses only Protocol Version 2 is crucial for maintaining security.

How to Disable Protocol Version 1:

  • Open the SSH configuration file: 

sudo nano /etc/ssh/sshd_config

  • Ensure this line is present or add it if necessary: 

Protocol 2

  • Restart the SSH service: 

sudo systemctl restart sshd

7. Enable Logging and Monitoring

Monitoring your SSH access logs is vital for detecting suspicious activity.

How to Enable Logging:

  • Ensure logging is enabled in /etc/ssh/sshd_config by checking or adding this line: 

LogLevel INFO

  • Monitor logs in real-time using tail command: 

tail -f /var/log/auth.log

8. Limit User SSH Access

Restricting SSH access only to necessary users minimizes unauthorized access risks.

How to Limit User Access:

  • Edit the SSH configuration file: 

sudo nano /etc/ssh/sshd_config

  • Add AllowUsers directive specifying which users can access via SSH: 

AllowUsers user1 user2

  • Restart the service for changes to take effect. 

sudo systemctl restart sshd

9. Enforce a Strong Password Policy

Even with key-based authentication, enforcing strong passwords for accounts that do use passwords is crucial.

How to Enforce Strong Passwords:

  • Edit /etc/security/pwquality.conf for complexity requirements. 

minlen=12 
dcredit=-1 
ucredit=-1 
ocredit=-1 
lcredit=-1

Conclusion

Securing your SSH server is an ongoing process that requires regular attention and updates. By following these ten best practices, you can significantly reduce unauthorized access risks and protect your systems from potential threats. Regularly review your security settings and stay informed about updates in cybersecurity practices to maintain a secure environment.