This guide explains how to secure SSH (Secure Shell) connections to protect your server from unauthorized access. Learn how to implement key-based authentication, disable root logins, and configure firewalls to enhance the security of your SSH connections and keep your server safe.
25 min
Edited:15-09-2024
SSH (Secure Shell) is the most common protocol for securely accessing remote servers. While SSH provides encrypted communication, it’s important to take extra steps to further secure the connection and protect your system from unauthorized access. This article covers key methods to secure SSH, including key-based authentication, restricting root login, and configuring firewalls.
If you do not know how the SSH works, you can check this guide:
SSH keys provide a more secure authentication method than passwords. By disabling password authentication and using key-based authentication, you can significantly reduce the chances of unauthorized access.
On your local machine, generate an SSH key pair by running the following command on CMD or terminal:
1. ssh-keygen -t rsa -b 4096
After that you will be asked to choose where to save the files generated and enter the passphrase for the key, you can proceed with hitting enter for the default file location, and choose a strong passphrase
This will create a public/private key pair. By default, the keys are saved in ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).
Copy the Public Key to the Server: Use the ssh-copy-id command to copy your public key to the remote server:
1. ssh-copy-id user@remote_server
This adds the public key to the ~/.ssh/authorized_keys file on the server, allowing you to log in without a password.
(optional) you can Disable Password Authentication with the editing the file /etc/ssh/sshd_config and doing the following change:
1. PasswordAuthentication no
Changing the default SSH port from 22 to another number can reduce the risk of automated attacks and port scanning.
Open the SSH configuration file:
1. sudo nano /etc/ssh/sshd_config
Find the Port directive and change the number:
1. Port 2222
Restart the SSH service:
1. sudo systemctl restart sshd
After changing the port, make sure to specify the new port when connecting like this:
1. ssh -p 2222 user@remote_server
It is always good to change the default ports for the services on your server
Use a firewall to restrict SSH access to specific IP addresses, blocking unauthorized connections. If UFW is not installed, you can install it using the command:
1. sudo apt install ufw
Allow SSH connections through the firewall:
1. sudo ufw allow 2222/tcp
If you want to limit SSH access to a specific IP address:
1. sudo ufw allow from [your_ip] to any port 2222
Enable the firewall:
1. sudo ufw enable
Fail2Ban is a security tool that scans log files and bans IP addresses that show signs of malicious activity, such as too many failed login attempts.
A brute force attack on a server is a hacking method where attackers attempt to gain unauthorized access by systematically trying all possible combinations of passwords or keys until the correct one is found. This method is time-consuming but can be effective if strong security measures aren't in place.
Install Fail2Ban:
1. sudo apt install fail2ban
Configure Fail2Ban for SSH with the local configuration file:
1. sudo nano /etc/fail2ban/jail.local
Add the following configuration:
1. [sshd]
2. enabled = true
3. port = 2222
4. filter = sshd
5. logpath = /var/log/auth.log
6. maxretry = 3
save the file and exit and then restart Fail2Ban:
1. sudo systemctl restart fail2ban
Adding two-factor authentication (2FA) to SSH provides an additional layer of security by requiring a one-time code along with your SSH key. Install Google Authenticator:
1. sudo apt install libpam-google-authenticator
Run the Google Authenticator setup:
1. google-authenticator
Follow the prompts to configure 2FA for your SSH account.
Edit the SSH PAM Configuration, Open the PAM configuration file:
1. sudo nano /etc/pam.d/sshd
Add the following line:
1. auth required pam_google_authenticator.so
Edit the SSH configuration file to require both SSH keys and 2FA:
1. sudo nano /etc/ssh/sshd_config
Set:
1. ChallengeResponseAuthentication yes
Restart the SSH service:
1. sudo systemctl restart sshd
Securing SSH connections is crucial for protecting your server from unauthorized access and brute-force attacks. By implementing key-based authentication, changing the default port, disabling root logins, configuring firewalls, using Fail2Ban, and enabling two-factor authentication, you can significantly enhance the security of your SSH setup. Taking these proactive steps will help safeguard your system from potential threats and ensure safe remote access.
14-10-2024
This article offers a detailed guide on installing and configuring IPTables on an Ubuntu VPS. IPTables is a powerful firewall tool that helps secure your server by controlling inbound and outbound traffic. Learn how to set up rules for traffic filtering, configure basic security policies, and apply custom rules to protect your VPS.
IPtables
security
12 min
This article offers a comprehensive guide on installing and configuring ModSecurity, a powerful web application firewall (WAF), on an Ubuntu VPS. Learn how to secure your server by filtering and monitoring HTTP requests, set up ModSecurity with Nginx or Apache, and apply rules to protect against common web attacks.
Modsecurity
security
10 min
14-10-2024
This article provides a comprehensive guide on installing and configuring PHP-FPM (FastCGI Process Manager) on an Ubuntu VPS. Learn how to optimize PHP performance for your web applications by configuring PHP-FPM with Nginx or Apache, managing pools, and fine-tuning settings for efficient processing of PHP scripts.
PHP-FPM
speed
optimise
12 min