Hardening SSH Security: Best Practices for Securing Remote Access

Hardening SSH Security: Best Practices for Securing Remote Access

Introduction

SSH (Secure Shell) is a fundamental tool for managing remote servers, but it is also a common target for brute force attacks and exploits. Properly securing SSH access is crucial for protecting your infrastructure. This guide covers best practices to harden SSH security on your Linux server.

Step 1: Disable Root Login

  1. Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
  1. Find the following line:
PermitRootLogin yes
  1. Change it to:
PermitRootLogin no
  1. Save the file and restart SSH:
sudo systemctl restart ssh

Step 2: Change the Default SSH Port

  1. Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
  1. Find the line that specifies the port (usually port 22):
#Port 22
  1. Change it to a non-standard port, e.g.:
Port 2222
  1. Restart SSH to apply changes:
sudo systemctl restart ssh

Step 3: Use SSH Key Authentication

  1. Generate an SSH key pair on your local machine:
ssh-keygen -t rsa -b 4096
  1. Copy the public key to the server:
ssh-copy-id -p 2222 [email protected]
  1. Disable password authentication in /etc/ssh/sshd_config:
PasswordAuthentication no
  1. Restart SSH:
sudo systemctl restart ssh

Step 4: Limit SSH Access to Specific Users

  1. Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
  1. Add the following line at the end:
AllowUsers myuser
  1. Restart SSH to apply changes:
sudo systemctl restart ssh

Step 5: Enable Two-Factor Authentication (2FA) for SSH

  1. Install the Google Authenticator PAM module:
sudo apt install -y libpam-google-authenticator
  1. Run the setup for your user:
google-authenticator

  1. Follow the prompts and scan the QR code with your 2FA app.

  2. Edit the PAM SSH config:

sudo nano /etc/pam.d/sshd
  1. Add the following line:
auth required pam_google_authenticator.so
  1. Restart SSH:
sudo systemctl restart ssh

Step 6: Use Fail2Ban to Prevent Brute Force Attacks

  1. Install Fail2Ban:
sudo apt install -y fail2ban
  1. Create a custom SSH jail file:
sudo nano /etc/fail2ban/jail.local
  1. Add the following configuration:
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
  1. Restart Fail2Ban:
sudo systemctl restart fail2ban

Conclusion

By following these best practices, you significantly enhance the security of your SSH access. Disabling root login, changing the default port, using key authentication, restricting users, enabling 2FA, and using Fail2Ban will greatly reduce the risk of unauthorized access. Always monitor SSH logs and apply security updates to stay protected.