SSH Hardening
SSH Hardening in Linux: A Comprehensive Guide#
Secure Shell (SSH) is a vital tool for managing Linux systems remotely. However, its default configuration may expose your system to potential vulnerabilities. Hardening SSH is essential for minimizing risks and ensuring the security of your server. Here’s a comprehensive guide to making your SSH setup robust.
Why SSH Hardening Matters
SSH is often targeted by brute force attacks, credential stuffing, and exploits targeting outdated software. Hardening your SSH configuration adds multiple layers of protection against these threats, securing sensitive data and maintaining system integrity. Steps to Harden SSH on Linux
1. Update Your System and SSH#
Before implementing changes, ensure your Linux system and SSH server are up-to-date:
sudo apt update && sudo apt upgrade -y # For Debian/Ubuntu
sudo yum update -y # For CentOS/RHEL
Outdated software can have unpatched vulnerabilities.
2. Disable Root Login#
Prevent direct root access to reduce the risk of privilege escalation:
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Set:
PermitRootLogin no
Restart SSH:
sudo systemctl restart sshd
3. Change the Default SSH Port#
Attackers often scan for SSH on port 22. Changing the default port makes automated attacks harder:
In /etc/ssh/sshd_config, modify:
Port 2222
(Replace 2222 with your chosen port number.) Update your firewall rules:
sudo ufw allow 2222/tcp # Example for UFW
Restart SSH:
sudo systemctl restart sshd
4. Use SSH Keys for Authentication#
SSH keys are more secure than passwords:
Generate an SSH key pair on your local machine:
ssh-keygen -t ed25519 -C "[email protected]"
Copy the public key to the server:
ssh-copy-id -i ~/.ssh/id_ed25519 user@server
Disable password authentication in /etc/ssh/sshd_config:
PasswordAuthentication no
Restart SSH:
sudo systemctl restart sshd
5. Enable Two-Factor Authentication (2FA)#
Add an extra layer of security using Google Authenticator or similar tools:
Install the PAM module for 2FA:
sudo apt install libpam-google-authenticator
Configure the user for 2FA:
Update /etc/ssh/sshd_config to include:
ChallengeResponseAuthentication yes
Modify PAM configuration:
sudo nano /etc/pam.d/sshd
Add:
auth required pam_google_authenticator.so
Restart SSH.
6. Limit User Access#
Restrict SSH access to specific users or groups:
In /etc/ssh/sshd_config, add:
AllowUsers user1 user2
Or:
AllowGroups sshusers
7. Enable Firewall Rules#
Use a firewall to limit SSH access:
Allow SSH traffic only from trusted IP addresses:
sudo ufw allow from <trusted_ip> to any port 2222
Enable the firewall:
sudo ufw enable
8. Configure Fail2Ban#
Install and configure Fail2Ban to block brute-force attempts:
Install Fail2Ban:
sudo apt install fail2ban
Create or modify jail configuration:
sudo nano /etc/fail2ban/jail.local
Add:
[sshd]
enabled = true
port = 2222
logpath = /var/log/auth.log
maxretry = 5
Restart Fail2Ban:
sudo systemctl restart fail2ban
9. Use Strong Encryption Algorithms#
Restrict SSH to use only strong encryption methods:
In /etc/ssh/sshd_config, update:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms [email protected]
MACs hmac-sha2-512,hmac-sha2-256
Restart SSH.
10. Monitor SSH Logs#
Regularly review logs for suspicious activity:
sudo tail -f /var/log/auth.log # For Debian/Ubuntu
sudo tail -f /var/log/secure # For CentOS/RHEL
Conclusion
Hardening SSH enhances your server’s security and protects against unauthorized access. By implementing the steps above, you can create a robust, layered defense for your Linux environment. Regular audits and updates are crucial to maintaining this hardened state.
Secure your SSH today, and sleep easy knowing your Linux systems are safe!