Hardening SSH Access on Linux Servers: Best Practices
This guide provides Linux System Administrators with essential best practices for hardening SSH (Secure Shell) access on their servers. SSH is the primary tool for remote administration, making its security paramount. A compromised SSH service can lead to full system compromise. Implementing these measures significantly reduces the attack surface and enhances the overall security posture of your Linux servers, whether they are running Ubuntu/Debian or RHEL/AlmaLinux/Fedora.
1. Always Use Key-Based Authentication
Password authentication is susceptible to brute-force attacks. Key-based authentication uses a pair of cryptographic keys (public and private) for authentication, which is far more secure.
Generate SSH Key Pair (Client-Side):
On your local machine (client), generate an SSH key pair.
ssh-keygen -t rsa -b 4096
Follow the prompts. It’s highly recommended to use a strong passphrase for your private key.
Copy Public Key to Server:
Use `ssh-copy-id` to securely transfer your public key to the server.
ssh-copy-id username@your_server_ip
Alternatively, manually copy the key (note that the `scp` step below replaces any existing `authorized_keys` file on the server):
ssh username@your_server_ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh"
scp ~/.ssh/id_rsa.pub username@your_server_ip:~/.ssh/authorized_keys
ssh username@your_server_ip "chmod 600 ~/.ssh/authorized_keys"
Verify you can log in using your key before proceeding.
2. Disable Password Authentication
Once key-based authentication is working, disable password authentication to prevent brute-force attacks against user passwords.
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
# or
sudo vi /etc/ssh/sshd_config
Find and modify (or add) the following line:
PasswordAuthentication no
Restart the SSH service:
# For Debian/Ubuntu
sudo systemctl restart ssh
# For RHEL/AlmaLinux/Fedora
sudo systemctl restart sshd
3. Disable Root Login
Direct root login over SSH is a major security risk, as the ‘root’ user is a common target for attackers. Always log in as a regular user and use `sudo` for administrative tasks.
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Find and modify (or add) the following line:
PermitRootLogin no
Restart the SSH service:
# For Debian/Ubuntu
sudo systemctl restart ssh
# For RHEL/AlmaLinux/Fedora
sudo systemctl restart sshd
4. Change the Default SSH Port
The default SSH port (22) is a well-known target for automated scans and attacks. Changing it to a non-standard port reduces noise from bots, although it doesn’t provide absolute security against targeted attacks.
Choose a port number between 1024 and 65535 that is not already in use.
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Find and modify the `Port` line (uncomment if necessary):
# Choose your desired port, e.g., 2222 (sshd rejects trailing comments on a directive line)
Port 2222
Important: Before restarting SSH, ensure your firewall allows traffic on the new port.
Firewall Configuration (Before Restarting SSH):
For UFW (Debian/Ubuntu):
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp # Optional, after testing the new port
sudo ufw enable
sudo ufw status
For Firewalld (RHEL/AlmaLinux/Fedora):
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports # Verify
SELinux (RHEL/AlmaLinux/Fedora): If SELinux is enforcing, you’ll need to allow the new port.
sudo semanage port -a -t ssh_port_t -p tcp 2222
sudo systemctl restart sshd # Restart after SELinux configuration
Now, restart the SSH service:
# For Debian/Ubuntu
sudo systemctl restart ssh
# For RHEL/AlmaLinux/Fedora
sudo systemctl restart sshd
From now on, you’ll connect using:
ssh -p 2222 username@your_server_ip
5. Limit User Access
Restrict SSH access to specific users or groups who absolutely need it. This minimizes the number of potential entry points.
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Use `AllowUsers` for specific users:
AllowUsers user1 user2 admin_group_member
Or `AllowGroups` for specific groups (recommended):
AllowGroups sshusers
Ensure these users/groups exist and are properly configured, and that the account you are currently logged in with is on the list, otherwise the restart will lock you out. Restart the SSH service after the changes.
# For Debian/Ubuntu
sudo systemctl restart ssh
# For RHEL/AlmaLinux/Fedora
sudo systemctl restart sshd
6. Implement IP Whitelisting (Firewall)
For servers with a static set of administrators, restrict SSH access to known IP addresses or networks using a firewall. This is a very effective layer of security. A source-restricted rule only helps if no broader rule still admits the port from anywhere, so once the restricted rule is in place remove the general `allow 2222/tcp` (UFW) or `--add-port=2222/tcp` (firewalld) rule added in step 4.
For UFW (Debian/Ubuntu):
Replace `YOUR_STATIC_IP` with your actual static IP address.
sudo ufw allow from YOUR_STATIC_IP to any port 2222 comment 'Allow SSH from office IP'
# Or from a subnet
sudo ufw allow from 192.168.1.0/24 to any port 2222 comment 'Allow SSH from corporate network'
sudo ufw enable
sudo ufw reload
For Firewalld (RHEL/AlmaLinux/Fedora):
Replace `YOUR_STATIC_IP` with your actual static IP address.
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="YOUR_STATIC_IP" port port="2222" protocol="tcp" accept'
# Or from a subnet
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="2222" protocol="tcp" accept'
sudo firewall-cmd --reload
7. Configure MaxAuthTries
Limit the number of authentication attempts per connection to mitigate brute-force attacks.
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Set `MaxAuthTries` to a low number, e.g., 3:
MaxAuthTries 3
Restart the SSH service.
# For Debian/Ubuntu
sudo systemctl restart ssh
# For RHEL/AlmaLinux/Fedora
sudo systemctl restart sshd
8. Implement LoginGraceTime
This directive specifies the maximum time (in seconds) that the user has to authenticate after successfully connecting to the SSH server. Setting a lower value reduces the time an attacker has to guess credentials.
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Set `LoginGraceTime` to a reasonable value, e.g., 60 seconds:
LoginGraceTime 60
Restart the SSH service.
# For Debian/Ubuntu
sudo systemctl restart ssh
# For RHEL/AlmaLinux/Fedora
sudo systemctl restart sshd
9. Disable X11 Forwarding
If you don’t use graphical applications over SSH, disable X11 forwarding to reduce the attack surface.
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Set `X11Forwarding` to `no`:
X11Forwarding no
Restart the SSH service.
# For Debian/Ubuntu
sudo systemctl restart ssh
# For RHEL/AlmaLinux/Fedora
sudo systemctl restart sshd
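As an added example (not from the original guide), the script below checks the effective values of the directives set in sections 2 to 9 by parsing `sshd -T` output rather than grepping `sshd_config`, so an overriding drop-in under `/etc/ssh/sshd_config.d/` is caught. The expected port (2222) and the sample `sshd -T` output are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the *effective* sshd
# configuration. `sshd -T` prints the values the daemon actually uses after
# defaults and any files pulled in via "Include /etc/ssh/sshd_config.d/*.conf".
# Because sshd keeps the first value it sees, a drop-in there can silently
# re-enable PasswordAuthentication even though sshd_config says "no".
# Directive values below are the ones recommended in sections 2 to 9.

# check_sshd_settings PORT < "sshd -T output"
# Prints one line per deviation and returns 1 if any directive is off-policy.
check_sshd_settings() {
    expected_port="$1"
    failures=0
    # sshd -T emits lowercase keywords, one "keyword value" pair per line.
    config=$(tr 'A-Z' 'a-z')
    want="passwordauthentication=no permitrootlogin=no x11forwarding=no"
    want="$want maxauthtries=3 logingracetime=60 port=$expected_port"
    for pair in $want; do
        key=${pair%%=*}
        expected=${pair#*=}
        actual=$(printf '%s\n' "$config" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$actual" ]; then
            echo "MISSING  $key (expected $expected)"
            failures=$((failures + 1))
        elif [ "$actual" != "$expected" ]; then
            echo "MISMATCH $key is $actual (expected $expected)"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Real use on the server (root is needed so sshd can read its host keys):
#   sudo sshd -T | check_sshd_settings 2222
# Below, a constructed sample stands in for sshd -T so the script runs anywhere.
sample_sshd_T='port 2222
permitrootlogin no
passwordauthentication yes
maxauthtries 3
logingracetime 60
x11forwarding no'

# Demo: the sample still allows passwords, so one MISMATCH line is expected.
printf '%s\n' "$sample_sshd_T" | check_sshd_settings 2222 \
    && echo "sshd policy: OK" || echo "sshd policy: deviations found"
```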
10. Use Fail2Ban
Fail2Ban is an intrusion prevention framework that scans log files (e.g., `/var/log/auth.log` or `/var/log/secure`) for specific patterns and bans IP addresses that show malicious signs, such as too many failed login attempts.
Installation:
For Debian/Ubuntu:
sudo apt update
sudo apt install fail2ban
For RHEL/AlmaLinux/Fedora (using EPEL repository):
sudo dnf install epel-release # RHEL/AlmaLinux 8+ (Fedora ships fail2ban in its own repositories)
# For older RHEL/CentOS
# sudo yum install epel-release
sudo dnf install fail2ban # or yum install fail2ban
Configuration:
Fail2Ban uses configuration files in `/etc/fail2ban/`. It’s best practice to copy `jail.conf` to `jail.local` and make changes there, as `jail.local` won’t be overwritten during updates.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Enable the `sshd` jail and customize settings (e.g., `bantime`, `findtime`, `maxretry`). Ensure `enabled = true` under the `[sshd]` section.
[sshd]
enabled = true
# If you changed the port (e.g., 2222), list it here as well
port = ssh,YOUR_CUSTOM_SSH_PORT
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime = 1h
findtime = 10m
Restart and enable Fail2Ban:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban
You can check banned IPs using `fail2ban-client status sshd`.
sudo fail2ban-client status sshd
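As an added example that is not part of the original guide, the shell/awk tally below counts failed SSH logins per source IP over constructed `auth.log`-style lines. It shows the log pattern Fail2Ban's `sshd` jail matches and doubles as a check that the configured `logpath` actually contains matchable failures; the host name, addresses and timestamps are made up.

```shell
#!/bin/sh
# Added example (not part of the original guide): a hand-rolled version of the
# check Fail2Ban's sshd jail automates. It tallies failed logins per source IP
# from auth.log / secure style lines and reports sources at or above maxretry.
# Fail2Ban additionally applies a findtime window, which is omitted here.

# count_ssh_failures MAXRETRY < logfile
# Output: "<count> <ip>" for every source with count >= MAXRETRY, highest first.
count_ssh_failures() {
    awk -v maxretry="$1" '
        # Match the two message forms sshd logs for password/user failures:
        #   Failed password for [invalid user] NAME from IP port N ssh2
        #   Invalid user NAME from IP port N
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i+1)]++; break }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= maxretry) print hits[ip], ip
        }' | sort -rn
}

# Constructed sample lines (syslog format as written on Debian/Ubuntu).
# 203.0.113.7 and 198.51.100.9 are documentation-range addresses.
sample_auth_log='Mar  3 09:14:01 web1 sshd[2201]: Invalid user admin from 203.0.113.7 port 51022
Mar  3 09:14:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:14:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 09:14:09 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 51034 ssh2
Mar  3 09:15:11 web1 sshd[2210]: Failed password for alice from 198.51.100.9 port 40112 ssh2
Mar  3 09:15:40 web1 sshd[2215]: Accepted publickey for alice from 198.51.100.9 port 40120 ssh2: ED25519 SHA256:<fingerprint>'

# Real use:  sudo sh -c "$(declare -f count_ssh_failures 2>/dev/null)"; or simply
#            count_ssh_failures 3 < /var/log/auth.log   (as root, in this shell)
# Demo on the constructed sample: only 203.0.113.7 reaches maxretry=3 (4 hits).
printf '%s\n' "$sample_auth_log" | count_ssh_failures 3
```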
11. Keep SSH Server Updated
Always keep your OpenSSH server package up-to-date to ensure you have the latest security patches and bug fixes.
# For Debian/Ubuntu
sudo apt update
sudo apt install --only-upgrade openssh-server
# For RHEL/AlmaLinux/Fedora
sudo dnf update openssh-server # or sudo yum update openssh-server
Conclusion
Hardening SSH access is a critical component of server security. By implementing the best practices outlined in this guide, you can significantly reduce the risk of unauthorized access to your Linux servers.
Key takeaways for a robust SSH security posture include:
- Always prefer key-based authentication over passwords.
- Disable direct root login.
- Change the default SSH port.
- Restrict access to specific users or groups.
- Leverage firewalls for IP whitelisting.
- Utilize tools like Fail2Ban to deter brute-force attacks.
- Keep your SSH server software updated.
Always test configurations thoroughly in a non-production environment first, and ensure you have alternative access (e.g., console access or a secondary SSH session) before making changes that could lock you out. Regular review and updates are also essential to maintain a strong security posture.