Secure Shell (SSH) is the preferred method for connecting to a remote server securely. It's also one of the top reasons servers get hacked. This article gives you some basic, practical steps to take when you first configure your Linux server. They are designed to help harden your SSH connection and ensure you don't fall victim to a hack because of an overlooked configuration.
This is not meant to be an all-encompassing list, but it does help create a strong security foundation for your SSH-enabled Linux instance. Most of the changes proposed below are made in your SSHD configuration file. Its location depends on the instance you're running.
Forbid the use of empty passwords for any user. You can do this by updating the SSHD config file:
This is known as security through obscurity, and depending on who you ask it might be deemed useless, but we can tell you firsthand that changing the default port goes a long way toward reducing the attempts that come from automated attacks (which make up 90% of the attacks we see).
The easiest way to update it is to find the Port reference in the config file and change it to something different. Note that this will affect how you connect, so be sure to update your connection string accordingly.
Best practice is to never allow root to log in directly to the server. Instead, create another user, then use sudo to become root.
This applies mostly to older distributions, but it never hurts to check. It has old vulnerabilities that can be exploited, so if you see it enabled, disable it.
This refers to the length of time a session can stay open without any activity. It's a matter of preference, but we recommend setting it to something you're comfortable with (something that is not forever). The value is in seconds, so a 15-minute timeout would look like this:
Before disconnecting, the server will ping the client to see if it's alive. You can control the number of pings as well:
Not everyone needs to SSH into your server. SSH offers an option to specify which users are allowed to SSH in; if possible, we recommend using it.
AllowUsers User1 User2
This is all about enabling a GUI application via SSH. For most users we recommend disabling it, unless you explicitly know you require it.
Most organizations employ a blacklist model with their access control: they see something bad, they block it. We recommend employing a whitelist model instead: define which IPs can access the environment and block the rest. It's a much more practical, manageable approach to controlling access.
Do your best to prevent users from logging into the server using a password. We all suck at passwords. Navigate to and update the following values:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
In place of passwords, use public/private key pairs for authentication.
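The settings above are scattered across the article one directive at a time. The following added example (ours, not from the article or the OpenSSH project) gathers them into one hardened sshd_config fragment and adds a small POSIX shell audit that reports which of them a given config file is missing or has set to a weak value, which is also a quick way to check an existing server before you restart anything. Port 2222 and the user name "deploy" are placeholder values; the usual file location /etc/ssh/sshd_config is an assumption about your distribution.

```shell
#!/bin/sh
# Added example, not the article's own code: a hardened sshd_config fragment
# mirroring the article's recommendations, plus an audit of a config file.
# Assumptions: Port 2222 and "AllowUsers deploy" are placeholders; the audit
# reads one file, so Include'd files and compiled-in defaults are not seen.

# Hardened fragment (constructed for this example). UsePAM no follows the
# article; on distributions that rely on PAM for account/session handling,
# confirm the effect before disabling it.
HARDENED_SSHD_CONFIG='
Port 2222
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
ClientAliveInterval 900
ClientAliveCountMax 0
AllowUsers deploy
X11Forwarding no
'

# Directives with one acceptable value, as "Directive value" pairs.
EXPECTED='PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding no'

# sshd_config semantics: keywords are case-insensitive and the first
# occurrence of a directive wins. Prints the value, or nothing if unset.
# Usage: sshd_value <config-file> <directive>
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Audit a config file. Prints one line per finding and returns the number
# of findings, so a return of 0 means every check passed.
# Usage: audit_sshd_config <config-file>
audit_sshd_config() {
    cfg=$1
    problems=0
    while read -r directive want; do
        [ -n "$directive" ] || continue
        have=$(sshd_value "$cfg" "$directive")
        if [ -z "$have" ]; then
            printf 'MISSING  %s (want %s)\n' "$directive" "$want"
            problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            printf 'WEAK     %s %s (want %s)\n' "$directive" "$have" "$want"
            problems=$((problems + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    # Site-specific values: only require that they are set at all.
    for directive in ClientAliveInterval ClientAliveCountMax AllowUsers; do
        if [ -z "$(sshd_value "$cfg" "$directive")" ]; then
            printf 'MISSING  %s (set a value)\n' "$directive"
            problems=$((problems + 1))
        fi
    done
    # The article's "change the default port" step.
    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        printf 'NOTE     Port is still the default 22\n'
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: sh audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

Run the audit against the live file before editing, apply the fragment, then run it again. Keep your current SSH session open while you restart the daemon and confirm a fresh login from a second terminal works, so a typo in the config cannot lock you out.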
Older instances of SSH will look like this:
ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org"
Newer instances of SSH will look like this:
ssh-keygen -t ed25519 -C "email@example.com"
When prompted for a location, just press enter:
> Enter a file in which to save the key (/Users/you/.ssh/id_algorithm): [Press enter]
When prompted for a passphrase, type it in twice:
> Enter passphrase (empty for no passphrase): [Type a passphrase]
> Enter same passphrase again: [Type passphrase again]
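Once password logins are off, the only way into an account is a public key listed in its ~/.ssh/authorized_keys, and sshd silently ignores that file when the directory or file is writable by others. The following added example (ours, not from the article) installs a key line the way ssh-copy-id does: it creates the directory and file with the permissions sshd expects and appends the key only if the same key material is not already present. The key strings in the test are constructed and are not real keys; the home directory is whatever you pass in.

```shell
#!/bin/sh
# Added example, not the article's own code: install a public key into an
# account's authorized_keys with correct permissions, idempotently.
# Assumptions: argument 1 is the account's home directory, argument 2 is a
# single public-key line (type, base64 material, optional comment).

NL='
'

# Usage: install_authorized_key <home-dir> <public-key-line>
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only lines that start with a known key type; sshd ignores
    # malformed lines, so catching them here avoids a silent lockout.
    case $pubkey in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "not a public key line: $pubkey" >&2; return 2 ;;
    esac
    # One key per call: an embedded newline would smuggle in extra lines.
    case $pubkey in
        *"$NL"*) echo "key line must not contain newlines" >&2; return 2 ;;
    esac

    # sshd requires ~/.ssh and authorized_keys not to be group/world writable.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare type + key material only, ignoring the comment, so re-running
    # with a different comment does not add a duplicate entry.
    key_material=$(printf '%s\n' "$pubkey" | awk '{ print $1, $2 }')
    if awk -v k="$key_material" \
        '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Count key entries in an authorized_keys file (non-blank, non-comment lines).
# Usage: count_authorized_keys <authorized_keys-file>
count_authorized_keys() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# Stand-alone use: sh install_key.sh /home/deploy "$(cat id_ed25519.pub)"
if [ $# -eq 2 ]; then
    install_authorized_key "$1" "$2"
fi
```

Test the new key from a second terminal before you set PasswordAuthentication no, and keep the first session open until that login succeeds.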
Two-factor authentication is part of a much broader conversation around multi-factor authentication. It's built on three very simple pillars: something you know, something you have, something you are. These days we should all be fairly familiar with how to use it; we should be using it on our social media, banking and email accounts.
Thankfully, things have gotten a lot easier on Linux as well. These days you can use an authentication app like Google Authenticator to configure 2FA. Linode offers a great guide to help with the process: Use One-Time Passwords for Two-Factor Authentication with SSH.
After making all the changes, be sure to restart the SSH daemon. On recent systems it looks like this:
systemctl restart ssh
You can also quickly check the different SSH options using the following command. This lets you find the values described above and see whether they need to be updated: