SSH is awesome, as it allows us to gain terminal access to other Linux PCs and servers over the network, or even the internet! Still, for as amazing as this technology is, there are some glaring security issues that make using it unsafe. If you’re an average user, there’s no real need to install complicated SSH security tools. Instead, consider following these basic steps to secure an SSH server on Linux.
Change Default Connection Port
By far the quickest and easiest way to secure an SSH server is to change the port it uses. By default, SSH server runs on port 22. To change it, open up a terminal window. Inside the terminal window, SSH to the remote PC hosting SSH server.
Once logged in, drop from a regular user to Root. If you’ve got the Root account on, logging in with su is a good choice. Else, you’ll need to gain access with sudo.
Now that you’ve got admin access, open up the SSH configuration file in Nano.
Scroll through the configuration file for “Port 22”. Remove the # if there is one, then change “22″ to another number. Typically, a port above 100, or even one in the 1,000 range will suffice. After changing the port number, press the Ctrl + O keyboard combination to save the edits. Then, exit the editor by pressing Ctrl + X.
Editing the configuration file isn’t going to immediately switch your SSH server over to using the correct port. Instead, you’ll need to manually restart the service.
systemctl restart sshd
Running the systemctl command should reboot the SSH daemon and apply the new settings. If restarting the daemon fails, another option is to reboot your SSH server machine:
After restarting the daemon (or machine), SSH will not be accessible via port 22. As a result, connecting over SSH requires manually specifying the port.
Note: be sure to change “1234” with the port set in the SSH configuration file.
ssh -p 1234 user@local-ip-address
Disable Password Login
Another great way to secure an SSH server is to remove password login and instead transition to logging in via SSH keys. Going the SSH key route creates a circle of trust between your SSH server and remote machines that have your key. It’s an encrypted password file that’s hard to crack.
Set up with an SSH key on your server. When you’ve got the keys set up, open up a terminal and open up the SSH configuration file.
Then, open the config in Nano with:
By default, SSH servers handle authentication via the user’s password. If you’ve got a secure password, this is a good way to go, but an encrypted SSH key on trusted machines is faster, more convenient, and secure. To finish the transition to “passwordless login”, look in the SSH configuration file. Inside this file, scroll through and find the entry that says “PasswordAuthentication”.
Remove the # symbol from in front of “PasswordAuthentication”, and ensure it has the word “no” in front of it. If everything looks good, save the edits to the SSH configuration by pressing Ctrl + O on the keyboard.
After saving the configuration, close Nano with Ctrl + X, and restart SSHD to apply the changes.
systemctl restart sshd
If you don’t use systemd, try restarting SSH with this command instead:
service ssh restart
Next time a remote machine tries to log into this SSH server, it will check for the correct keys and let them in, without a password.
Disable Root Account
Disabling the Root account on your SSH server is a way to mitigate the damage that may occur when an unauthorized user gains access over SSH. To disable the Root account, it is imperative that at least one user on your SSH server can gain Root via sudo. This will ensure that you can still gain system-level access if you need it, without the Root password.
Note: be sure that the users who can access Root privileges via sudo have a secure password, or disabling the superuser account is pointless.
To disable Root, elevate the terminal to superuser privileges:
Using sudo -s bypasses the need to log in with su, and instead grants a root shell via the sudoers file. Now that the shell has superuser access, run the password command and scramble the Root account with –lock.
passwd --lock root
Running the above command scrambles the Root account’s password so that logging in via su is impossible. From now on, users can only SSH in as a local user, then switch to a Root account via sudo privileges.