OpenSSH is one of the most popular implementations of the SSH protocol, used for secure system administration, file transfers, and other communication across the Internet. It is free and used by system administrators to manage remote systems. OpenSSH listens on port 22 by default, and it is one of the first services an attacker probes, so you may need to harden your OpenSSH server to protect it.
In this tutorial, we will show you different ways to harden an OpenSSH server.
Prerequisites
- A server running Linux operating system.
- Access to the root user account (or access to an admin account with root privileges)
Log in to the Server & Update the Server OS Packages
First, log in to your Ubuntu 20.04 server via SSH as the root user:
ssh root@IP_Address -p Port_number
You will need to replace ‘IP_Address’ and ‘Port_number’ with your server’s respective IP address and SSH port number. Additionally, replace ‘root’ with the username of the admin account if necessary.
Before starting, you have to make sure that all Ubuntu OS packages installed on the server are up to date. You can do this by running the following commands:
apt-get update -y
apt-get upgrade -y
1 – Change the Default SSH Port
By default, OpenSSH listens on port 22, so it is recommended to change the default port to reduce automated attacks on your server. This only cuts down on scanner noise (a port scan still finds the service), so combine it with the steps that follow.
You can change the SSH default port by editing the file /etc/ssh/sshd_config:
nano /etc/ssh/sshd_config
Find the following line:
Port 22
Replace it with your desired port (this tutorial uses 8087 as an example):
Port 8087
Save and close the file then restart the SSH service to apply the changes:
systemctl restart sshd
Keep this session open and, from a second terminal, verify the SSH connection on the new port using the following command:
ssh -p 8087 root@your-server-ip
2 – Disable SSH Root Login
By default, every Linux system has a root account, so it is the main target of attackers. It is a good idea to disallow the root user from logging in via SSH.
First, create a user and add it to sudo group with the following command:
adduser username
usermod -aG sudo username
Next, verify that the new user can log in via SSH before you continue. Then edit the SSH default configuration file:
nano /etc/ssh/sshd_config
Find the following line:
PermitRootLogin yes
And, change it with the following:
PermitRootLogin no
Save and close this file. Then restart the SSH service for the changes to take effect.
systemctl restart sshd
3 – Disable Password Authentication and Use Public Key Authentication
An attacker has to figure out the username and then brute-force the password. It is better to use public key authentication instead of password authentication, so that only a user who holds the private key can log in to your server. Make sure your public key is already in the user's ~/.ssh/authorized_keys (for example by running ssh-copy-id from your workstation) and that key-based login works before you disable passwords, or you will lock yourself out.
You can disable the password authentication and enable the key-based authentication by editing the file /etc/ssh/sshd_config:
nano /etc/ssh/sshd_config
Change the following lines (uncomment them first if they are commented out):
PasswordAuthentication no
PubkeyAuthentication yes
Save and close the file. Then restart the SSH service for the changes to take effect.
systemctl restart sshd
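Steps 1 to 3 all edit the same file and all end with a restart, so here is an added shell example (mine, not from the original post) that applies the four settings in one idempotent pass, checks for an authorized key first, validates the result with sshd -t, and only then restarts the service. The file path, port and user name are whatever you pass in; the helper names and the backup file suffix are my own choices.

```bash
#!/bin/bash
# Added example (not from the original post): steps 1 to 3 applied to an
# sshd_config file in one idempotent pass, validated with `sshd -t` before the
# service is restarted. File path, port and user are whatever you pass in.

# set_sshd_option FILE KEY VALUE
# Drops every existing line that sets KEY (active or commented out, such as
# "#Port 22") and puts "KEY VALUE" at the top of the file. Inserting at the top
# matters: appending would place the option inside a trailing Match block.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    printf '%s %s\n' "$key" "$value" > "$tmp"
    grep -Eiv "^[#[:space:]]*${key}([[:space:]]|$)" "$file" >> "$tmp" || true
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_sshd_option FILE KEY -> prints the value sshd would use (first match wins)
get_sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT -> the four settings from steps 1 to 3.
# Refuses files that contain Match blocks, because the global rewrite above
# would also strip per-user overrides inside them; edit those by hand.
harden_sshd_config() {
    local file=$1 port=$2
    if grep -Eiq '^[[:space:]]*Match[[:space:]]' "$file"; then
        echo "$file contains Match blocks; edit it by hand" >&2
        return 1
    fi
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
}

# has_authorized_key USER -> exit 0 if USER already has a non-empty
# ~/.ssh/authorized_keys; disabling passwords before this is true locks you out
has_authorized_key() {
    local home
    home=$(getent passwd "$1" | cut -d: -f6)
    [ -n "$home" ] && [ -s "$home/.ssh/authorized_keys" ]
}

# apply_hardening USER PORT [FILE] -> back up, edit, validate, then restart.
# Keep your current session open and test a new login before closing it.
apply_hardening() {
    local user=$1 port=$2 file=${3:-/etc/ssh/sshd_config}
    has_authorized_key "$user" || { echo "no key for $user; run ssh-copy-id first" >&2; return 1; }
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd_config "$file" "$port" || return 1
    if sshd -t -f "$file"; then
        systemctl restart sshd
    else
        echo "sshd -t rejected $file; restore the .bak copy" >&2
        return 1
    fi
}
```

Source the script and run apply_hardening username 8087 as root. harden_sshd_config can be pointed at a copy of the file to preview the result without touching the live configuration.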
4 – Restrict SSH Access Using iptables
iptables is a firewall tool used for filtering incoming and outgoing traffic to your server. You can create an iptables rule to allow incoming SSH connections only from a specific IP address or subnet, and block SSH connections from everyone else.
For example, to allow incoming SSH connections only from IP 192.168.0.100, run the following command (if you changed the port in step 1, use that port instead of 22):
iptables -A INPUT -p tcp -s 192.168.0.100 --dport 22 -j ACCEPT
This ACCEPT rule on its own does not block anyone: it only has an effect if the INPUT chain's default policy is DROP or a later rule drops the remaining SSH traffic. Check the chain with iptables -L INPUT before relying on it. Next, save the rules. iptables-save only prints the current rule set to standard output, so redirect it to a file that is loaded at boot (/etc/iptables/rules.v4 is the path used by the iptables-persistent package):
iptables-save > /etc/iptables/rules.v4
5 – Define an IP Address Allow List
You can also define an IP address allow list in sshd itself to restrict incoming SSH connections based on the client's IP address. This reduces the risk of a breach in the event that your password is leaked.
You can set up the IP address allow list by editing the SSH default configuration file. Note that once an AllowUsers line is present, any login that does not match one of its patterns is refused, so make sure your own address is included:
nano /etc/ssh/sshd_config
To allow a single IP address, add the following line:
AllowUsers *@192.168.0.100
To allow a whole subnet, add the following line:
AllowUsers *@192.168.0.0/24
To allow multiple IP addresses, add the following line:
AllowUsers *@192.168.0.100 *@192.168.0.101 *@172.16.0.124
If you want to allow a specific user only from a specific IP address, add the following lines, replacing IP_Address with that address:
Match User user1
    AllowUsers user1@IP_Address
Save and close the file when you are finished then restart the SSH service to apply the changes:
systemctl restart sshd
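Steps 4 and 5 both build an allow list keyed on the client address, and both can cut off the very session you are configuring from. The added shell example below (mine, not from the original post) serves both steps: it generates a complete iptables rule set for step 4 that also drops SSH from everyone else, and it checks an AllowUsers pattern list from step 5 against a given user and address before you commit it. It assumes IPv4 dotted-decimal addresses and CIDR prefixes only (sshd's AllowUsers also accepts hostnames and wildcard patterns, which are not handled here), that sshd sets SSH_CONNECTION in your session (it does), and that /etc/iptables/rules.v4 is where the iptables-persistent package loads rules from; all function names are my own.

```bash
#!/bin/bash
# Added example, not code from the original post. Serves step 4 (iptables) and
# step 5 (AllowUsers): both are IP allow lists, and both can lock you out of the
# session you are working in. Assumes IPv4 only and GNU userland.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    local old_ifs=$IFS
    IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr A.B.C.D NET/PREFIX -> exit 0 if the address lies inside the prefix
# (a bare address without /PREFIX is treated as a single host, i.e. /32)
ip_in_cidr() {
    local ip net prefix mask
    ip=$(ip_to_int "$1")
    net=${2%/*}; prefix=${2#*/}
    [ "$prefix" = "$2" ] && prefix=32
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    [ $(( ip & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# allowusers_covers USER IP PATTERN... -> exit 0 if some AllowUsers pattern
# (user@host, "*" for any user, or a bare user with no host part) admits USER
# logging in from IP. Only the address and CIDR host forms are handled.
allowusers_covers() {
    local user=$1 ip=$2 pat upat hpat
    shift 2
    for pat in "$@"; do
        upat=${pat%%@*}; hpat=${pat#*@}
        [ "$upat" = "$pat" ] && hpat="*"
        case "$user" in $upat) ;; *) continue ;; esac
        if [ "$hpat" = "*" ] || ip_in_cidr "$ip" "$hpat"; then return 0; fi
    done
    return 1
}

# current_client_ip -> the address your session comes from (empty outside SSH).
# sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port".
current_client_ip() { printf '%s' "${SSH_CONNECTION%% *}"; }

# ssh_firewall_rules ALLOWED_SRC [PORT] -> an iptables-restore rule set for
# step 4. Unlike a lone ACCEPT, it DROPs SSH from every other source, and it
# keeps established sessions (yours included) and loopback traffic working.
ssh_firewall_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s $1 --dport ${2:-22} -j ACCEPT
-A INPUT -p tcp --dport ${2:-22} -j DROP
COMMIT
EOF
}

# apply_ssh_firewall ALLOWED_SRC [PORT] -> refuses rules that would cut off the
# current session; otherwise loads them (replacing the filter table) and
# persists them for iptables-persistent (path is an assumption).
apply_ssh_firewall() {
    local me
    me=$(current_client_ip)
    if [ -n "$me" ] && ! ip_in_cidr "$me" "$1"; then
        echo "refusing: your client $me is outside $1" >&2
        return 1
    fi
    ssh_firewall_rules "$1" "$2" | iptables-restore \
        && iptables-save > /etc/iptables/rules.v4
}
```

Before adding an AllowUsers line, run allowusers_covers "$USER" "$(current_client_ip)" followed by the exact patterns you intend to write; if it returns 1, the line would lock you out. Note that iptables-restore replaces the whole filter table, so merge these rules into your existing set if you already have one.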
Of course, you don’t have to secure SSH on Linux if you use one of our Managed Hosting services, in which case you can simply ask our expert Linux admins to configure this for you. They are available 24×7 and will take care of your request immediately.
PS. If you liked this post on how to harden OpenSSH on Ubuntu, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.