Three tips for securing SSH

2022-07-03 0 By

Here’s how I can optimize my SSH experience and protect my server from unauthorized access.SSH (Secure Shell) is a protocol that enables you to create an authenticated private connection and start a remote Shell on another machine using an encrypted key to protect the channel.Using this connection, you can execute remote commands, start secure file transfers, forward sockets, displays and services, and much more.Before SSH, most remote administration was done over Telnet, and it’s fair to say that once you can set up a remote session, you can do pretty much anything you need.The problem with this protocol is that communication is in plain text, not encrypted.Using a traffic sniffer doesn’t require much effort to see all the packets in a session, including those containing user names and passwords.With SSH, sessions between devices participating in communication are encrypted due to the use of asymmetric keys.Today, this makes more sense than ever, because all cloud servers are managed by people scattered around the world.The most common implementation of the SSH protocol is OpenSSH, which was developed by the OpenBSD project and is available on most Linux and Unix-like operating systems.Once you install the package, you will have a file called sshd_config that controls most of the behavior of the service.The default Settings are usually very conservative, but I tend to make some tweaks to optimize my SSH experience and protect my server from illegal access.1. Change the default port this is an issue not all administrators remember.Anyone with a port scanner can find an SSH port, even if you later move it to another port, so it’s hard to remove yourself from danger, but it will effectively prevent hundreds of immature scripts from scanning your server.This is a great way to take your mind off it and subtract a lot of noise from your log.While writing this article, I set up an SSH server on a cloud service provider with a default port of TCP 22 that was attacked an average of 24 times per minute.After changing the port to a higher number, TCP 45678, there were an average of two connections per day using various user names or passwords for guessing.To change the default Port for SSH, open /etc/ssh/sshd_config in your favorite text editor and change the value of Port from 22 to some number greater than 1024.This line is probably commented out because 22 is the default (so it doesn’t need to be explicitly declared in the configuration), so uncomment it before saving.Port 22122#AddressFamily any #ListenAddress #ListenAddress :: Once you have changed the Port and saved the file, restart SSH server:There is a general trend to stop using passwords as authentication methods, two-factor authentication and other methods are becoming more and more popular.OpenSSH can be authenticated using asymmetric keys, so there’s no need to remember complex passwords, rotate them every few months, or worry about someone spying on you while you’re setting up a remote session.Using SSH keys allows you to quickly and securely log in to your remote devices.This often means less time spent with the wrong username and password.Login is delightfully simple.When there is no key, there is no entry, not even a prompt.To use this feature, you must configure both the client (the computer in front of you) and the server (the remote machine).On the client machine, you must generate an SSH key pair.This includes a public key and a private key.As their name implies, one public key is for you to distribute to the servers you want to log on to, and the other is a private key that must not be shared with anyone.Use the ssh-keygen command to create a new key pair and use the -t option to specify a good, up-to-date cryptography library such as ED25519:$ ssh-keygen -t ed25519 Generating public/private ed25519 key pair. Enter file in which to save the key (~/.ssh/ id_ED25519): During key creation, you will be prompted to name the file.You can press Enter to accept the default values.If you create more keys in the future, you can give each one a custom name, but having multiple keys means you’ll be specifying which key to use for each interaction, so just accept the default for now.You can also give your key a password.This ensures that even if someone manages to get hold of your private key (which itself shouldn’t happen), they won’t be able to use it without your password.This is a useful safeguard for some keys and not for others (especially those used for scripts).Press Enter to leave your key without a password, or you can choose to create one.To copy your key to the server, use the ssh-copy-id command.For example, if I have a server named, THEN I can copy my public key to it with this command:$ssh-copy-id This will create or modify the authorized_keys file, which contains your public key, in the server’s.ssh directory.Once you’re sure that the ssh-copy-id command has done what it does, try logging in from your computer to verify that you can log in without a password (or enter the key password if you choose one to use your key).After not logging in to your server with your server account password, edit the server’s sshd_config and set PasswordAuthentication to no.PasswordAuthentication no Restart the SSH service to load the new configuration:Most distributions do not allow root users to log in over SSH. This ensures that only non-privileged accounts are active, and sudo commands are used to promote permissions as needed.This prevents an obvious and painful target (root) from a simple and common scripting attack.Similarly, a simple and powerful feature of OpenSSH is the ability to determine which users can log on to a machine.To set which users are granted SSH access, open the sshd_config file in your favorite text editor and add the following line: AllowUsers jgarrido Jane tux Restart the SSH service to load the new configuration options.This allows only three users (Jgarrido, Jane, and TUx) to log in or perform any operation on a remote machine.Conclusion You can use OpenSSH to achieve a powerful and robust SSH server.These are just three useful options for hardening your system.Still, there are a number of features and options that can be turned on or off in the sshd_config file, and there are many great applications, such as Fail2ban, that you can use to further protect your SSH service.via: author Jonathan Garrido topics: lujun9972 translator: wxy proofreading:Wxy this article is compiled by LCTT, Linux China honor launch