In today’s digital landscape, securing your servers is more important than ever. One of the most common methods for remote administration of Linux servers is SSH (Secure Shell). While SSH provides a robust and encrypted way for remote logins, it is not immune to attacks. In this article, we will explore best practices for hardening SSH to enhance the security of your Linux servers.
1. Change the Default SSH Port
By default, SSH operates on port 22. Changing this port can reduce the likelihood of automated attacks and can be one of the first lines of defense. Here’s how to do it:
-
Open the SSH configuration file:
bash
sudo nano /etc/ssh/sshd_config -
Look for the line that specifies
#Port 22and change it to:
plaintext
Port 2222 # Choose a port number between 1024 and 65535 - Save the changes and restart the SSH service:
bash
sudo systemctl restart sshd
2. Disable Root Login
Allowing direct root login via SSH can be a significant security risk. Instead, create a user with sudo privileges.
-
Again, open the SSH configuration file:
bash
sudo nano /etc/ssh/sshd_config -
Find the line:
plaintext
PermitRootLogin yesChange it to:
plaintext
PermitRootLogin no - Save and exit, then restart the SSH service.
3. Use Key-Based Authentication
Password-based authentication can be susceptible to brute-force attacks. Using SSH key pairs adds an additional layer of security.
-
Generate a key pair on your local machine:
bash
ssh-keygen -t rsa -b 4096 -
Copy the public key to your server:
bash
ssh-copy-id username@your_server_ip -
Once confirmed, disable password authentication in the SSH configuration:
plaintext
PasswordAuthentication no - Restart SSH.
4. Enable Two-Factor Authentication (2FA)
Adding a second layer of authentication can bolster your server’s security. Tools like Google Authenticator can be integrated easily.
-
Install the required package:
bash
sudo apt install libpam-google-authenticator -
Run Google Authenticator on your server:
bash
google-authenticator - Follow the prompts to set it up.
-
Modify the PAM configuration:
bash
sudo nano /etc/pam.d/sshdAdd:
plaintext
auth required pam_google_authenticator.so - Save and restart SSH.
5. Implement Fail2ban
Fail2ban is an intrusion prevention software framework that protects from brute-force attacks.
-
Install Fail2ban:
bash
sudo apt install fail2ban -
Configure it by creating a local configuration file:
bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local -
Edit the configuration file and enable the SSH jail:
bash
sudo nano /etc/fail2ban/jail.localFind the
[sshd]section and make sure it looks like this:
plaintext
[sshd]
enabled = true - Restart Fail2ban:
bash
sudo systemctl restart fail2ban
6. Regularly Update Your System
Ensuring your system is always running the latest software is crucial for security. Regularly apply updates by running:
bash
sudo apt update && sudo apt upgrade -y
7. Monitor SSH Logins
Regular monitoring of your SSH login attempts can offer valuable insight into any unauthorized access. Use tools like fail2ban, or scrutinize the logs stored in /var/log/auth.log.
Conclusion
By implementing these best practices, you can significantly bolster the security of your Linux servers against unauthorized access. Each layer added, from changing the default port to employing two-factor authentication, hardens your server and creates a resilient defense against potential threats. Remember, security is not a one-time endeavor; it requires continuous monitoring and improvement.
Staying informed about the latest security trends and threats is essential for any IT professional. With a well-secured SSH configuration, you can rest assured that your Linux servers are better protected against malign actors.
For more tech insights and advanced security practices, stay tuned to the WafaTech Blog!
