Enable and Configure SSH on Debian 11 | Best Setup

This guide shows how to enable and configure SSH on Debian 11. SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network. Understanding how to enable and configure SSH on Debian 11 is crucial for remote server management.

SSH also refers to the suite of utilities that implement the SSH protocol. Secure Shell provides strong password authentication and public key authentication, as well as encrypted data communications between two computers connecting over an open network, such as the Internet.

In addition to providing strong encryption, SSH is widely used by network administrators to manage systems and applications remotely, enabling them to log in to another computer over a network, execute commands, and move files from one computer to another. Knowing how to enable and configure SSH on Debian 11 effectively improves security.

To complete this guide, you must log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our guide, the Initial Server Setup with Debian 11.

1. Verify SSH Installation on Debian 11

First, you need to update your local package index with the command below:

sudo apt update

By default, the SSH client is installed on Debian 11. To verify this, run the command below:

ssh -V
**Output**
OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k  25 Mar 2021

Note: This information does not mean that you have an SSH server running on your server; it only means that you are currently able to connect as a client to SSH servers.

Install OpenSSH on Debian 11

Then, use the command below to install OpenSSH:

sudo apt install openssh-server -y

When your installation is completed, enable your service to start on boot:

sudo systemctl enable ssh

Check SSH Status

Check your SSH status with the command below:

sudo systemctl status sshd

In your output, the service should be shown as active (running).

Check SSH Port

By default, your SSH server is listening on port 22 (which is the default SSH port).

You can check that the SSH server is listening on port 22 with the netstat command (provided by the net-tools package):

netstat -tulpn | grep 22
**Output**
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1161/sshd: /usr/sbi
tcp6       0      0 :::22                   :::*                    LISTEN      1161/sshd: /usr/sbi

Configure Firewall for SSH

At this point, you need to allow SSH traffic on the UFW firewall. To enable SSH connections on your Debian 11, run the command below:

sudo ufw allow ssh

Now you can check your UFW status:

sudo ufw status
**Output**
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

2. Configure SSH Server on Debian 11

As you know, SSH configuration files are located in the /etc/ssh folder.

In this directory, you are going to find many different files and folders, but the most important ones are:

In this tutorial, we are going to focus on the server part of the configuration.

Change SSH Default Port

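To cut down on automated scans and login attempts aimed at port 22, it’s recommended to change the SSH default port on Debian 11. This reduces noise in your logs; it does not replace strong authentication.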

Open the sshd_config file with your favorite text editor, here we use vi:

sudo vi /etc/ssh/sshd_config

Find the port line, and change it to your desired value, here we change it to 2222:

Port 2222

When you are done, save and close the file.

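Note: Be careful when you change your default SSH port; you will have to specify it when connecting, and the firewall must allow the new port, because the UFW rule added earlier with "ufw allow ssh" only opens port 22.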

Disable Root Login on your SSH Server

By default, on recent distributions, root login is set to “prohibit-password”.

This option means that all interactive authentication methods are banned, allowing only public keys to be used.

In short, you need to set up SSH keys and use them to connect as root. However, even if you connect without a password, root login is not recommended: if the keys are compromised, your entire host is compromised.

As a consequence, you can set this option to “no” to restrict it completely. Again open the SSH server config file on Debian 11:

sudo vi /etc/ssh/sshd_config

Find the line below and set it to no:

PermitRootLogin no

When you are done, save and close the file.

To apply these changes, restart the SSH service:

sudo systemctl restart sshd

You can then confirm that the server is listening on the new port with the “netstat” command, as we did in the previous section:

netstat -tulpn | grep 2222
**Output**
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      3199/sshd: /usr/sbi
tcp6       0      0 :::2222                 :::*                    LISTEN      3199/sshd: /usr/sbi
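
A pre-restart check for the port change above, added here as an example (it is not part of the original article): it reads the listening ports and the PermitRootLogin value from an sshd_config file and flags any port that has no ALLOW rule in saved "ufw status" output. The function names and the sample files are constructed for illustration; Include files are not followed and parsing stops at the first Match block.

```shell
# Added example; the sample files below are constructed, not taken from a real host.

# Print every port sshd would listen on. Port may appear more than once;
# with no Port line the default is 22. Parsing stops at the first Match block.
sshd_ports() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "port"  { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# Print the effective PermitRootLogin value: the first occurrence wins,
# and the OpenSSH default is prohibit-password.
root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "prohibit-password" }' "$1"
}

# Succeed if saved `ufw status` output has an ALLOW rule for the port.
ufw_allows() {
    awk -v p="$1" '($1 == (p "/tcp") || $1 == p) && $2 == "ALLOW" { ok = 1 }
                   END { exit !ok }' "$2"
}

# Report configured ports the firewall would block; non-zero if any is found.
check_lockout() {
    rc=0
    for port in $(sshd_ports "$1"); do
        if ! ufw_allows "$port" "$2"; then
            echo "sshd port $port has no ufw ALLOW rule"
            rc=1
        fi
    done
    [ "$(root_login "$1")" = "no" ] || echo "PermitRootLogin is not set to no"
    return "$rc"
}

tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
#Port 22
Port 2222
#PermitRootLogin prohibit-password
PermitRootLogin no
EOF
cat > "$tmp/ufw_status" <<'EOF'
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
check_lockout "$tmp/sshd_config" "$tmp/ufw_status" || echo "allow the new port before restarting sshd"
```

On a live host, "sudo sshd -t" validates the file before a restart and "sudo sshd -T" prints the effective configuration, including Include files.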

How To Connect to SSH Server on Debian 11?

At this point, you can easily connect to your SSH server by using the command below:

ssh -p <port> <username>@<ip_address>

For example, to connect to my instance located at 127.0.0.1, I would run the following command:

ssh -p 2222 <user>@127.0.0.1

You will be asked to provide your password and, on the first connection, to confirm the authenticity of the server by accepting its host key fingerprint.

To exit from your SSH server on Debian 11, you can hit Ctrl + D or type ‘logout’ and your connection will be terminated.

Disable SSH server on Debian 11

If you plan to disable your SSH server, you can use the following command:

sudo systemctl stop sshd

Check your SSH service status:

sudo systemctl status sshd

From there, your SSH server won’t accept new connections anymore. Because the service is still enabled, it will start again at the next boot.

Conclusion

At this point, you have learned to Enable and Configure SSH Server on Debian 11 with the best steps. Properly configuring SSH on Debian 11 is essential for server security.

Alternative Solutions for Enhancing SSH Security on Debian 11

While the above steps provide a solid foundation for enabling and configuring SSH on Debian 11, let’s explore some alternative solutions to further enhance security.

1. Using Fail2ban for Intrusion Prevention

Fail2ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It works by monitoring log files for failed login attempts and automatically blocking the IP addresses that generate them for a specified period. This significantly reduces the risk of unauthorized access through SSH.

Explanation:

Fail2ban operates by analyzing log files (e.g., /var/log/auth.log for SSH) and identifying patterns of malicious activity. When a predefined threshold of failed login attempts from a specific IP address is reached, Fail2ban uses iptables (or another firewall management system) to add a rule that blocks all traffic from that IP. This prevents the attacker from continuing to attempt to brute-force the SSH password.

Installation and Configuration:

  1. Install Fail2ban:

    sudo apt install fail2ban
  2. Configure Fail2ban for SSH:

    Fail2ban’s configuration is managed through .conf files in /etc/fail2ban. You should never modify the default .conf files directly. Instead, create .local files that override the settings in the .conf files.

    Create a jail.local file:

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    sudo nano /etc/fail2ban/jail.local

    Edit the jail.local file to enable and configure the SSH jail. Find the [sshd] section and modify it as follows:

    [sshd]
    # Comments go on their own lines: Fail2ban only treats "; " as an inline comment marker.
    enabled = true
    # Use your custom SSH port here if you changed it
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    # Number of failed attempts before banning
    maxretry = 3
    # Window in seconds in which the failed attempts are counted
    findtime = 600
    # Ban for an hour
    bantime = 3600

    • enabled = true: Enables the SSH jail.
    • port = ssh: Specifies the port that SSH is listening on (default is ssh, which resolves to port 22). If you changed the SSH port, replace ssh with your custom port number.
    • filter = sshd: Specifies the filter used to analyze the log file. The sshd.conf filter (located in /etc/fail2ban/filter.d/) is designed to detect failed SSH login attempts.
    • logpath = /var/log/auth.log: Specifies the path to the SSH log file.
    • maxretry = 3: Sets the maximum number of failed login attempts allowed from a single IP address before it is banned.
    • findtime = 600: Sets the time window in seconds within which the maxretry failures must occur; older failures no longer count.
    • bantime = 3600: Sets the duration of the ban in seconds (3600 seconds = 1 hour).
  3. Restart Fail2ban:

    sudo systemctl restart fail2ban

Now, Fail2ban will monitor your SSH logs and automatically ban IP addresses that exhibit malicious login behavior.
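
A simplified replay of the maxretry/findtime rule described above, added here as an example (it is not Fail2ban's own code and not part of the original article). The would_ban function name is hypothetical, the log lines are constructed in traditional syslog format, and the script assumes all entries fall on the same day.

```shell
# Added example: a simplified model of the jail's maxretry/findtime rule.
# would_ban FILE MAXRETRY FINDTIME prints each source IP that reaches MAXRETRY
# "Failed password" lines inside any FINDTIME-second window.
# Assumption: all entries are from one day, so HH:MM:SS is enough to order them.
would_ban() {
    awk -v max="$2" -v win="$3" '
    /sshd\[[0-9]+\]: Failed password for / {
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        # Use the last "from" so a user name of "from" cannot shift the field.
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in banned)) next
        n = ++count[ip]; seen[ip, n] = now
        # Forget failures that fell out of the window.
        while (seen[ip, first[ip] + 1] < now - win) first[ip]++
        if (n - first[ip] >= max) { banned[ip] = 1; print ip }
    }' "$1"
}

# Constructed sample log (documentation-range addresses).
log=$(mktemp)
cat > "$log" <<'EOF'
Mar 10 12:00:01 debian sshd[1301]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:05 debian sshd[1301]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:09 debian sshd[1305]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 12:01:00 debian sshd[1310]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Mar 10 12:15:00 debian sshd[1340]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar 10 12:30:00 debian sshd[1390]: Failed password for alice from 198.51.100.20 port 40200 ssh2
Mar 10 12:30:10 debian sshd[1391]: Accepted password for alice from 198.51.100.20 port 40201 ssh2
EOF

# maxretry = 3 and findtime = 600, as in the jail above
would_ban "$log" 3 600
```

With these settings only the first address crosses the threshold; the second user's three mistakes are spread over half an hour and never fall inside one 600-second window.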

2. Implementing Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an extra layer of security to your SSH server by requiring users to provide two independent factors of authentication before gaining access. This significantly reduces the risk of unauthorized access, even if an attacker manages to obtain the user’s password.

Explanation:

The first factor is typically something the user knows (their password), and the second factor is something the user has (e.g., a code generated by an authenticator app on their smartphone). This means that even if an attacker compromises the password, they still need to possess the second factor to gain access, making it much harder to break into the system.

Implementation using Google Authenticator:

  1. Install Google Authenticator PAM module:

    sudo apt install libpam-google-authenticator
  2. Configure SSH to use PAM:

    Edit the /etc/pam.d/sshd file:

    sudo nano /etc/pam.d/sshd

    Add the following line at the beginning of the file:

    auth required pam_google_authenticator.so nullok

    The nullok option allows users without 2FA configured to still log in using only their password. Remove this option to require 2FA for all users.

  3. Configure SSH to Challenge for Authentication:

    Edit the /etc/ssh/sshd_config file:

    sudo nano /etc/ssh/sshd_config

    Find the line that says ChallengeResponseAuthentication no and change it to yes:

    ChallengeResponseAuthentication yes

    Also, ensure that UsePAM is set to yes:

    UsePAM yes
  4. Restart the SSH Service:

    sudo systemctl restart sshd
  5. Configure Google Authenticator for Each User:

    Each user who wants to use 2FA must configure it for their account. Run the following command as the user:

    google-authenticator

    The google-authenticator command will generate a QR code and a secret key. Use an authenticator app on your smartphone (e.g., Google Authenticator, Authy) to scan the QR code or manually enter the secret key. The app will then generate time-based codes that you can use as your second factor. Follow the prompts to configure settings like time-skew correction and emergency scratch codes.

Now, when users log in via SSH, they will be prompted for both their password and the verification code from their authenticator app.

These alternative solutions, combined with the initial setup, provide a robust security posture for your SSH server on Debian 11. Remember to regularly review and update your security configurations to stay ahead of potential threats.
