Best Steps To Secure SSH Server on Debian 12 Bookworm

In this guide, we want to show you how to install and secure an SSH server on Debian 12 Bookworm. As you know, SSH is used to access a Linux server securely. Most users connect to their servers with the default SSH settings, which can cause security issues, so we decided to show you how to secure the SSH server on Debian 12 Bookworm.

How To Install and Secure SSH Server on Debian 12 Bookworm?

To set up a secure SSH server, you must have access to your server as a non-root user with sudo privileges and set up a basic firewall. For this purpose, you can visit this guide on Initial Server Setup with Debian 12 Bookworm.

Now proceed to the following steps to Install and Secure SSH Server on Debian 12 Bookworm.

Step 1 – Install SSH Server on Debian 12

First, you must run the system update with the following command:

sudo apt update

Then, use the command below to install the SSH server on Debian 12:

sudo apt install ssh -y

At this point, the SSH server should already be enabled and running on your system. To verify this, run the command below:

sudo systemctl status ssh

Now proceed to the following step to Secure SSH Server on Debian 12 Bookworm.

Step 2 – Secure SSH Server Connection on Debian 12

There are many ways to increase your SSH server's security. Here we show some of them to secure the SSH server on Debian 12 Bookworm.

1: Disable Root Login on SSH Server

One of the ways to secure the SSH server on Debian 12 Bookworm is to disable root logins. To do this, open the SSH server config file with your favorite text editor; here we use vi:

sudo vi /etc/ssh/sshd_config

Find the PermitRootLogin line and change its value to no:

PermitRootLogin no

When you are done, save and close the file.

Then, restart SSH to apply the changes:

sudo systemctl restart ssh

2: Change the Default SSH Server Port

To Secure SSH Server on Debian 12 Bookworm, it’s recommended to change the SSH default port on Debian 12.

Open the SSH Config file again with the command below:

sudo vi /etc/ssh/sshd_config

Find the **Port** line, and change it to your desired value, here we change it to 2222:

Port 2222

When you are done, save and close the file.

If you are using a firewall, you must allow the new port through the firewall rules:

sudo ufw allow 2222

Then, restart SSH to apply the changes:

sudo systemctl restart ssh

You can also use the “netstat” command to verify it:

netstat -tulpn | grep 2222
**Output**
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      3199/sshd: /usr/sbi
tcp6       0      0 :::2222                 :::*                    LISTEN      3199/sshd: /usr/sbi

Note: If you change the default SSH server port on Debian 12, you will have to specify it every time you connect. You can connect to your SSH server by using the command below:

ssh -p <port> <username>@<ip_address>

3: Block Access For Users without Passwords

Some accounts on your system may have empty passwords. You can prevent those accounts from logging in over SSH. Again open the SSH config file:

sudo vi /etc/ssh/sshd_config

Find the PermitEmptyPasswords line and change its value to no:

PermitEmptyPasswords no

When you are done, save and close the file.

4: Limit SSH Login Attempts

By default, a client is allowed many password attempts per connection. You can limit this to reduce the risk of password guessing. To do this, in your SSH config file, find the MaxAuthTries line and change its value to your desired number of attempts. For example:

MaxAuthTries 3

5: Enable SSH Server Version 2

At this point, you can make sure SSH protocol version 2 is used, which is designed to improve security.

To enable version 2 of the SSH protocol on Debian 12, add the following Protocol line to the SSH config file, after the Include line, as shown below:

Include /etc/ssh/sshd_config.d/*.conf

Protocol 2

Note: Remember every time you make changes to the file, you must restart your SSH server to apply the changes.
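The edits in steps 1 to 5 all go into /etc/ssh/sshd_config. The following is an added example, not code from the original guide, that applies those directives to sshd_config text the way sshd will read them: sshd keeps the first value it finds for each keyword, and global directives must come before any Match block, so the helper replaces commented or duplicate copies instead of appending below them.

```python
import re

# Added example, not from the original guide: apply the Step 2 directives to
# sshd_config text, keeping exactly one active copy of each keyword.
HARDENING = {"PermitRootLogin": "no", "PermitEmptyPasswords": "no", "MaxAuthTries": "3"}

def split_at_match(lines):
    """Global directives must precede any 'Match' block, so edits stop there."""
    for i, line in enumerate(lines):
        if re.match(r"^\s*Match\s", line, re.IGNORECASE):
            return lines[:i], lines[i:]
    return lines, []

def set_directive(lines, key, value):
    """Replace active or commented '<key> ...' lines with one '<key> <value>'.
    sshd uses the FIRST occurrence of a keyword, so duplicates are dropped."""
    pat = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s", re.IGNORECASE)
    out, done = [], False
    for line in lines:
        if pat.match(line):
            if not done:
                out.append(f"{key} {value}\n")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key} {value}\n")
    return out

def effective_value(lines, key):
    """Value sshd would use: first uncommented occurrence in the global section."""
    for line in split_at_match(lines)[0]:
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == key.lower():
            return parts[1]

def harden_config_text(text, port=22):
    """Return (new_text, effective_values) for one sshd_config-style text."""
    head, tail = split_at_match(text.splitlines(keepends=True))
    for key, value in {**HARDENING, "Port": str(port)}.items():
        head = set_directive(head, key, value)
    return "".join(head + tail), {k: effective_value(head, k) for k in (*HARDENING, "Port")}

def harden_sshd_config(path, port=22):
    """Rewrite PATH in place; run `sudo sshd -t` before `systemctl restart ssh`."""
    new_text, effective = harden_config_text(open(path).read(), port)
    open(path, "w").write(new_text)
    return effective
```

Debian 12's sshd_config starts with the Include line for /etc/ssh/sshd_config.d/*.conf, and because sshd keeps the first value it reads, a drop-in there that sets Port or PermitRootLogin wins over this file, so check those files too. On the server, run sudo sshd -t after editing and only restart ssh when it reports no errors, otherwise a typo can lock you out.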

6: Connect to your Server by Using SSH Key Pairs

One of the most secure ways to connect to your server is to use SSH keys. An SSH key pair consists of two cryptographically linked keys that can be used to authenticate a client to an SSH server. With this option, you can connect to your server without using passwords. To do this, you must generate the SSH key pair.

For complete information, you can visit this guide on Generating SSH key pairs in Linux.

Conclusion

Securing SSH is one of the main ways to protect connections to your servers. At this point, you have learned how to install and secure an SSH server on Debian 12 Bookworm by using the tips in this guide.

Hope you enjoy it.

Alternative Solutions for Securing SSH on Debian 12

While the above methods provide a strong foundation for securing your SSH server on Debian 12 Bookworm, here are two alternative approaches that can further enhance your security posture:

1. Using Fail2ban to Prevent Brute-Force Attacks

Fail2ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It works by monitoring log files for failed login attempts and automatically blocking the IP addresses that exhibit malicious behavior. This is a great supplement to securing your SSH server on Debian 12 Bookworm.

Explanation:

Fail2ban analyzes SSH logs (and logs from other services) for patterns indicative of brute-force attacks. When it detects too many failed login attempts from a specific IP address within a defined timeframe, it adds a firewall rule to block all traffic from that IP for a specified duration. This significantly reduces the risk of successful brute-force attacks and minimizes the load on your server.

Installation and Configuration:

  1. Install Fail2ban:

    sudo apt install fail2ban
  2. Configure Fail2ban for SSH:

    • Copy the default SSH jail configuration file:

      sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

      Note: Editing jail.local prevents changes from being overwritten during package updates.

    • Edit the /etc/fail2ban/jail.local file using your favorite text editor (e.g., sudo nano /etc/fail2ban/jail.local).

    • Find the [sshd] section and modify the following parameters (or add the [sshd] section if it does not exist):

      [sshd]
      enabled = true
      port = ssh
      filter = sshd
      logpath = /var/log/auth.log
      maxretry = 3
      bantime = 600
      findtime = 600
      ignoreip = 127.0.0.1/8 your_trusted_ip

      • enabled = true: Enables the SSH jail.
      • port = ssh: Specifies the SSH port to monitor. Use the custom port (e.g., 2222) if you changed it.
      • filter = sshd: Uses the sshd filter, which defines the patterns to look for in the logs.
      • logpath = /var/log/auth.log: Specifies the path to the SSH authentication log file.
      • maxretry = 3: Sets the maximum number of failed login attempts before banning an IP.
      • bantime = 600: Sets the ban duration to 600 seconds (10 minutes).
      • findtime = 600: Sets the time window for counting failed attempts to 600 seconds (10 minutes).
      • ignoreip = 127.0.0.1/8 your_trusted_ip: Whitelists IP addresses or networks that should never be banned (e.g., your own IP or internal network).

    • Save and close the file.

  3. Restart Fail2ban:

    sudo systemctl restart fail2ban
  4. Check Fail2ban Status:

    sudo fail2ban-client status sshd

    This command will show you the status of the SSH jail, including the number of currently banned IPs.
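To make the maxretry / findtime / ignoreip semantics above concrete, here is an added example (my own code, not fail2ban's) that replays the same ban decision over a few constructed auth.log lines: an IP is banned once it has maxretry failures inside any findtime-second window, and ignoreip networks are never banned.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Added example, not fail2ban's own code: the decision the [sshd] jail above
# makes, replayed over constructed auth.log lines (syslog format, no year).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def parse_failures(lines, year=2024):
    """Yield (timestamp, source_ip) for every sshd failed-password line."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(1)

def ips_to_ban(lines, maxretry=3, findtime=600, ignoreip=("127.0.0.1/8",)):
    """IPs with >= maxretry failures inside some findtime-second window,
    excluding ignoreip networks (the jail.local values shown above)."""
    allow = [ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)
    banned = set()
    for ts, ip in sorted(parse_failures(lines)):
        if any(ip_address(ip) in net for net in allow):
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample lines, not from a real host (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Jul  1 10:00:01 deb12 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jul  1 10:00:03 deb12 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jul  1 10:00:05 deb12 sshd[1205]: Failed password for root from 203.0.113.7 port 51144 ssh2
Jul  1 10:01:00 deb12 sshd[1210]: Failed password for bob from 198.51.100.4 port 40010 ssh2
Jul  1 10:20:00 deb12 sshd[1250]: Failed password for bob from 198.51.100.4 port 40020 ssh2
Jul  1 10:40:00 deb12 sshd[1290]: Failed password for bob from 198.51.100.4 port 40030 ssh2
Jul  1 10:41:00 deb12 sshd[1291]: Accepted publickey for bob from 198.51.100.4 port 40031 ssh2
Jul  1 10:50:00 deb12 sshd[1300]: Failed password for root from 127.0.0.1 port 33000 ssh2
Jul  1 10:50:01 deb12 sshd[1301]: Failed password for root from 127.0.0.1 port 33001 ssh2
Jul  1 10:50:02 deb12 sshd[1302]: Failed password for root from 127.0.0.1 port 33002 ssh2
""".splitlines()
```

With the jail values above, only 203.0.113.7 is banned: bob's three failures from 198.51.100.4 are 19 minutes apart, so no 600-second window ever holds three of them. If /var/log/auth.log does not exist on your host (Debian 12 does not install rsyslog by default), point the jail at the journal with backend = systemd instead of logpath.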

2. Using Two-Factor Authentication (2FA) with Google Authenticator

While SSH keys offer passwordless login, adding two-factor authentication (2FA) provides an additional layer of security, even if your SSH key is compromised. Google Authenticator is a popular 2FA application that generates time-based one-time passwords (TOTP). This method significantly strengthens your SSH server on Debian 12 Bookworm.

Explanation:

2FA requires users to provide two independent factors of authentication: something they know (password or SSH key) and something they have (a code generated by Google Authenticator on their phone). This makes it much harder for attackers to gain access to your server, even if they manage to steal your SSH key or guess your password.

Installation and Configuration:

  1. Install the Google Authenticator PAM Module:

    sudo apt install libpam-google-authenticator
  2. Configure Google Authenticator for your User:

    • Run the Google Authenticator setup:

      google-authenticator
    • Answer the questions prompted by the google-authenticator command. It will ask you to:

      • Scan a QR code with your Google Authenticator app (or manually enter the secret key).
      • Answer "yes" to updating the ~/.google_authenticator file.
      • Choose whether to disallow multiple uses of the same authentication token (recommended).
      • Choose whether to increase the window of time a code is valid (not recommended).
      • It will also provide you with emergency scratch codes, which you should save in a safe place.
  3. Configure SSH to use Google Authenticator:

    • Edit the /etc/pam.d/sshd file:

      sudo vi /etc/pam.d/sshd
    • Add the following line at the beginning of the file:

      auth required pam_google_authenticator.so nullok
      • The nullok option allows users without Google Authenticator configured to still log in using password or SSH key (without 2FA). Remove nullok to require 2FA for all users.
    • Edit the /etc/ssh/sshd_config file:

      sudo vi /etc/ssh/sshd_config
    • Ensure the following lines are present and uncommented (or add them if they are missing):

      ChallengeResponseAuthentication yes
      AuthenticationMethods publickey,password publickey,keyboard-interactive
      • ChallengeResponseAuthentication yes enables the challenge-response authentication method, which is required for Google Authenticator.
      • AuthenticationMethods publickey,password publickey,keyboard-interactive specifies the authentication methods allowed. publickey,password means try public key authentication first, then password. publickey,keyboard-interactive means try public key authentication first, then the keyboard-interactive method (which is used by Google Authenticator). The order is important. keyboard-interactive must come after publickey to allow key-based login to still work without requiring a code.
    • Save and close the file.

  4. Restart SSH:

    sudo systemctl restart ssh

Now, when you connect to your server via SSH, you will first be prompted for your SSH key (if using key-based authentication) or password. After successful key or password authentication, you will be prompted for the verification code generated by your Google Authenticator app. This dual requirement further strengthens the security of your SSH server on Debian 12 Bookworm.