SSH Hardening for Linux Systems

Securing your SSH access is a crucial step in protecting your Linux server from unauthorized access and potential attacks. SSH (Secure Shell) is a common method for remote administration, and its default configuration can be a target for attackers. This guide will walk you through several best practices to harden your SSH setup.

1. Create an Alternative User

Before disabling root login, ensure you have another user with sudo privileges to avoid locking yourself out of the server.

Create a new user:

sudo adduser your_new_user

Add the user to the sudo group:

sudo usermod -aG sudo your_new_user

Test the new user by switching to it:

su - your_new_user

Check sudo privileges:

sudo whoami

If the command returns “root”, the new user has sudo privileges.

2. Disable Root Login

The root user has unlimited access to your system, making it a prime target for attackers. Disable root login to add an extra layer of security.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the line:

PermitRootLogin yes

Change it to:

PermitRootLogin no

Restart the SSH service:

sudo systemctl restart sshd

3. Use Strong Passwords and Key-Based Authentication

Weak passwords are a common vulnerability. Enforce the use of strong passwords and switch to key-based authentication for better security.

Generate a key pair on your local machine:

ssh-keygen -t rsa -b 4096

Copy the public key to the server:

ssh-copy-id username@server_ip

Disable password authentication by editing the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the lines:

#PasswordAuthentication yes
#ChallengeResponseAuthentication yes

Uncomment and change them to:

PasswordAuthentication no
ChallengeResponseAuthentication no

Restart the SSH service:

sudo systemctl restart sshd

4. Change the Default SSH Port

Changing the default SSH port (22) can reduce the risk of automated attacks.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the line:

#Port 22

Uncomment and change it to a port number between 1024 and 65535:

Port 2222

Restart the SSH service:

sudo systemctl restart sshd

Update your firewall rules to allow traffic on the new port:

sudo ufw allow 2222/tcp

5. Use Fail2Ban to Prevent Brute Force Attacks

Fail2Ban monitors log files and bans IPs that show malicious signs.

Install Fail2Ban:

sudo apt-get install fail2ban

Create a local configuration file:

sudo nano /etc/fail2ban/jail.local

Add the following configuration:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 5

Restart Fail2Ban:

sudo systemctl restart fail2ban

6. Limit User Access

Only allow specific users to connect via SSH.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Add the following line:

AllowUsers your_user another_user

Restart the SSH service:

sudo systemctl restart sshd

7. Enable Two-Factor Authentication (2FA)

Adding a second layer of security can significantly reduce the risk of unauthorized access.

Install Google Authenticator:

sudo apt-get install libpam-google-authenticator

Configure SSH to use PAM:

sudo nano /etc/pam.d/sshd

Add the following line at the end:

auth required pam_google_authenticator.so

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find and change the following line:

ChallengeResponseAuthentication no

To:

ChallengeResponseAuthentication yes

Restart the SSH service:

sudo systemctl restart sshd

Run Google Authenticator for your user:

google-authenticator

Follow the prompts to complete the setup.

Conclusion

By implementing these SSH hardening techniques, you can significantly enhance the security of your Linux server. Regularly review and update your security practices to keep up with new threats and vulnerabilities.