secure your ssh access linux

Summary: In this post I explain a few simple steps that will let you reduce the risk of unauthorized ssh access to your server. It is highly recommended to secure ssh access to the server and take the necessary steps. Your ssh settings live in /etc/ssh/sshd_config; this is where you will modify the configuration settings below.

sudo vim /etc/ssh/sshd_config

Step-1: Change your ssh port

By default, ssh runs on port 22. Change the default to some random port and keep a note of it for yourself. It is better to replace the default port line outright than to leave it commented out.

#This will require ssh connections to use port 60125
Port 60125

By changing this setting, you may make an attacker abandon the attempt by leading him to think ssh is disabled, or at least force him to scan your ports in order to find the ssh service. Note that this only raises the attacker's effort, since a port scan will still reveal the service, so combine it with the steps below.

Step-2: Disable root login

One more security layer for ssh is to disable root login. If the attacker still manages to connect to your ssh port, he will need to authenticate. He will try the root account first; if he receives a "password incorrect" message, he learns that he can take full access if he breaks the password. If instead he gets "permission denied", his effort increases exponentially, because he also has to find out which user account can log in to the server. Do you want to disable direct root ssh access? If yes, follow the steps below.

# Authentication:

#LoginGraceTime 2m
#Find this line in your /etc/ssh/sshd_config and change its value to "no"

PermitRootLogin no

Once that is done, you will need another account to connect with, so add a new password-protected user:

sudo adduser imran
sudo passwd imran
Changing password for user imran.
New password: “enter imran password here”

To strengthen this a bit more, you may want imran to be the only user allowed to connect via ssh, so add the AllowUsers setting:

#Multiple users can be specified, separated by spaces.
AllowUsers imran

Step-3: Apply new settings

Now restart your ssh service so the system takes the changes into account. Before restarting ssh, double-check that you have not made any modification that could prevent you from reconnecting over ssh after you log out. Keep your current session open until you have confirmed that a new connection works.

sudo /etc/rc.d/init.d/sshd restart

All changes to the file are now done. You also have to update your iptables rules to match, so that the firewall does not block your new ssh port and lock you out.

#SSH: replace 22 with your custom port number, in this case 60125
#Incoming connections arrive with destination port 60125
iptables -t filter -A INPUT -p tcp --dport 60125 -j ACCEPT
#Replies from sshd leave with source port 60125
iptables -t filter -A OUTPUT -p tcp --sport 60125 -j ACCEPT

Check your new settings: first, try to connect to the new ssh port you configured, using the -p argument:

ssh -p 60125 imran@server_address

Step-4: Test against unauthorized access

If you have successfully hardened ssh, you won't be able to connect as root (or as any user other than imran, for that matter):

ssh -p 60125 root@server_address
root@server_address’s password:
Permission denied, please try again.

Likewise, any connection on a port other than the one defined in /etc/ssh/sshd_config will time out:

#Connect ssh on default port
ssh imran@server_address
ssh: connect to host port 22: Connection timed out
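The "double check before restarting" in Step 3 and the manual tests in Step 4 can be automated against the config file itself. The script below is an added example, not part of the original post: it reads an sshd_config and reports whether the three settings changed above (a non-default Port, PermitRootLogin no, and an AllowUsers list) are actually in effect as uncommented directives. It assumes a plain global configuration (no Match blocks or Include files, which it does not follow) and uses a constructed sample file for its demo.

```shell
#!/bin/sh
# Audit an sshd_config for the three hardening settings from this post.
# Only uncommented directives count, because sshd ignores "#Port 22" style lines.
# Limitation: directives inside Match blocks or Include'd files are not handled.

# Print the effective value of a directive; like sshd, the first match wins
# and directive names are matched case-insensitively.
sshd_value() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Exit status is the number of failed checks, so 0 means the file passes.
audit_sshd_config() {
    cfg="$1"
    failures=0
    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: Port is still the default (22)"
        failures=$((failures + 1))
    fi
    root=$(sshd_value "$cfg" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset, sshd default applies}'"
        failures=$((failures + 1))
    fi
    users=$(sshd_value "$cfg" AllowUsers)
    if [ -z "$users" ]; then
        echo "FAIL: AllowUsers not set, every local account may log in"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: $cfg passes all three checks"
    return "$failures"
}

# Demo on a constructed "before" config (stock commented-out defaults), not a real server.
demo_cfg=$(mktemp)
printf '%s\n' '#Port 22' '#PermitRootLogin prohibit-password' '#AllowUsers' > "$demo_cfg"
audit_sshd_config "$demo_cfg" || true   # prints three FAIL lines
rm -f "$demo_cfg"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` before the restart in Step 3; it complements, rather than replaces, `sshd -t`, which checks syntax but not policy.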

You can further secure your ssh server with key-based authentication.

Hope this is informative for you.
