How to Secure SSH on Linux servers Ubuntu/CentOS/Fedora

The Secure Shell Protocol (SSH) is a cornerstone of secure system administration. It provides an encrypted channel for operating network services over an unsecured network. Its most common applications are remote login and command-line execution. SSH allows administrators to remotely manage servers, transfer files securely, and execute commands as if they were physically present at the machine.

An SSH client program is typically used for establishing connections to an SSH daemon accepting remote connections. Both are commonly present on most modern operating systems, including macOS, Linux, OpenBSD, and FreeBSD.

This guide focuses on hardening the SSH configuration on Linux servers (Ubuntu, CentOS, and Fedora) by closing off the most common weaknesses. We’ll cover the essential steps: changing the default SSH port, disabling root login, and disabling password-based login. Let’s dive in.

The primary configuration file for SSH is located at /etc/ssh/sshd_config. This file controls various aspects of the SSH daemon’s behavior.

Step 1: Change SSH port

The default SSH port, 22, is a well-known target for automated attacks: botnets and malicious scripts specifically probe port 22 to attempt brute-force logins or to exploit known vulnerabilities. Moving SSH to another port significantly reduces the chances of becoming a victim of these automated attacks. It does not fix any weakness in sshd itself, which is why it counts as "security through obscurity": your server becomes less visible to casual scans, not more resistant to a targeted attacker.

Open the configuration file using your preferred text editor (e.g., nano, vim):

sudo nano /etc/ssh/sshd_config

Locate the line Port 22 and change it to a different port number, such as Port 2445. Choose a port number between 1024 and 65535 that is not commonly used by other services.

...
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
<s>Port 22</s>
**Port 2445**
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
...

Important: Remember the new port number! You’ll need it to connect to your server via SSH. It’s a good practice to write it down or store it securely.

After making the change, restart the OpenSSH server for the changes to take effect.

In Debian / Ubuntu Linux:

sudo service ssh restart
# using systemd:
sudo systemctl restart ssh

CentOS / RHEL / Fedora / Red Hat Linux:

sudo service sshd restart
# using systemd:
sudo systemctl restart sshd

Now, to connect to your SSH server, you’ll need to specify the new port number using the -p parameter:

ssh root@SERVER_IP -p 2445

Step 2: Disable root login via SSH

Direct root login via SSH is a security risk. If an attacker gains access to the root account, they have complete control over the system. Disabling root login forces users to log in with a regular user account and then use sudo to gain administrative privileges when needed. This adds an extra layer of security and makes it more difficult for attackers to gain full control of the server.

Before disabling root login, ensure you have a sudo-enabled user account. If you don’t have one, create one using the following commands (replace newuser with your desired username):

sudo adduser newuser
sudo usermod -aG sudo newuser
# On CentOS/Fedora, adduser is an alias for useradd and does not prompt
# for a password, and the administrative group is wheel rather than sudo:
# sudo passwd newuser
# sudo usermod -aG wheel newuser

Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the line PermitRootLogin yes and change it to PermitRootLogin no:

...
# Authentication:
#LoginGraceTime 2m
<s>PermitRootLogin yes</s>
**PermitRootLogin no**
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
...

Restart the SSH server:

sudo systemctl restart sshd

Now, connect to your server using the sudo-enabled user account:

ssh bob@SERVER_IP -p 2445
# To switch to root user use:
sudo su
[sudo] password for bob:

Step 3: Disable password based SSH login

Password-based SSH login is vulnerable to brute-force attacks: attackers can keep trying different passwords until they guess the correct one. Key-based authentication is much more secure because it relies on cryptographic key pairs instead of passwords. The private key stays on the client machine, and the public key is placed on the server. When a user attempts to log in, the server checks that the client can prove possession of the private key that matches the stored public key, so no password is ever typed or sent.

Before disabling password authentication, ensure you have set up key-based authentication. Follow these steps:

  1. Generate an SSH key pair on your local machine:
ssh-keygen -t rsa -b 4096
  2. Copy the public key to the server (ssh-copy-id takes its options before the host name):
ssh-copy-id -i ~/.ssh/id_rsa.pub -p 2445 bob@SERVER_IP
  3. Verify that you can log in to the server using the SSH key.

Once you’ve confirmed that key-based authentication is working, you can disable password authentication.

Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the line PasswordAuthentication yes and change it to PasswordAuthentication no:

...
# To disable tunneled clear text passwords, change to no here!
<s>PasswordAuthentication yes</s>
**PasswordAuthentication no**
#PermitEmptyPasswords no
...

Restart the SSH server:

sudo systemctl restart sshd
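
Steps 1 to 3 are the same operation on the same file: set a keyword in /etc/ssh/sshd_config, whether the stock line is commented out or already active. The POSIX shell helper below is an added example (not part of this article) that performs that edit idempotently and then reads back the value sshd will actually use. It assumes a global config without Match blocks and the stock capitalisation of keywords; the file it edits is a constructed sample built from the excerpts above, not a real server’s config.

```shell
#!/bin/sh
# Added example: idempotent sshd_config edits for Steps 1-3.
# set_sshd_option FILE KEY VALUE
#   - rewrites every active "KEY ..." line (sshd uses the first value it
#     finds for a keyword, so all active copies must agree),
#   - otherwise activates the first commented-out "#KEY ..." line,
#   - otherwise appends "KEY VALUE".
# Assumption: a global config without Match blocks (options under a Match
# block would be rewritten too) and keywords in the stock capitalisation.
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        $1 == key { print key " " value; done = 1; next }
        !done && $0 ~ ("^[ \t]*#[ \t]*" key "([ \t]|$)") {
            print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_option_value FILE KEY: the value sshd would take from this file
# (first active match), or nothing if the keyword is not set.
sshd_option_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Applies Steps 1-3 to a constructed sample file (not a real server config)
# and prints the resulting effective values on one line.
harden_demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample based on the sshd_config excerpts in this article
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
EOF
    set_sshd_option "$cfg" Port 2445                  # Step 1: activates "#Port 22"
    set_sshd_option "$cfg" PermitRootLogin no         # Step 2: rewrites the active line
    set_sshd_option "$cfg" PasswordAuthentication no  # Step 3: activates the commented line
    set_sshd_option "$cfg" PubkeyAuthentication yes   # not present at all: appended
    printf 'Port=%s PermitRootLogin=%s PasswordAuthentication=%s PubkeyAuthentication=%s\n' \
        "$(sshd_option_value "$cfg" Port)" \
        "$(sshd_option_value "$cfg" PermitRootLogin)" \
        "$(sshd_option_value "$cfg" PasswordAuthentication)" \
        "$(sshd_option_value "$cfg" PubkeyAuthentication)"
    rm -f "$cfg"
}

harden_demo
```

Two checks belong around any real edit of sshd_config. Run `sudo sshd -t` to syntax-check the file before restarting, and keep your current session open while you confirm from a second terminal that the new port, user and key work. Because the Include line comes first and sshd takes the first value it sees for a keyword, a drop-in under /etc/ssh/sshd_config.d/ that sets the same keyword overrides what you put in the main file, so check that directory too. On CentOS/Fedora with SELinux enforcing, sshd cannot bind a non-standard port until it is labelled (`sudo semanage port -a -t ssh_port_t -p tcp 2445`), and the port must also be allowed through the host firewall.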

Alternative Solutions to Secure SSH

While the above steps provide a solid foundation for securing SSH, there are other techniques that can further enhance security. Here are two alternative approaches:

1. Using Fail2ban to Mitigate Brute-Force Attacks

Fail2ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It works by monitoring log files for suspicious activity, such as repeated failed login attempts, and then automatically blocking the offending IP addresses by adding rules to the system’s firewall.

Explanation:

Fail2ban monitors SSH logs for failed login attempts. When a certain threshold is reached (e.g., 5 failed attempts within a specific time window), Fail2ban blocks the IP address of the attacker for a specified period (e.g., 10 minutes). This prevents attackers from repeatedly trying to guess passwords.

Installation and Configuration:

  1. Install Fail2ban:

    • Ubuntu/Debian: sudo apt update && sudo apt install fail2ban
    • CentOS/Fedora: sudo dnf install fail2ban
  2. Configure Fail2ban for SSH:

    The default Fail2ban configuration includes a jail for SSH. You can customize this jail by creating a jail.local file:

    sudo nano /etc/fail2ban/jail.local

    Add the following configuration:

    [sshd]
    enabled = true
    # use the custom port you configured in Step 1
    port = 2445
    filter = sshd
    # Ubuntu/Debian
    logpath = /var/log/auth.log
    # CentOS/Fedora
    # logpath = /var/log/secure
    maxretry = 5
    # 10 minutes
    bantime = 600
    # 1 minute
    findtime = 60
    • enabled = true: Enables the SSH jail.
    • port = 2445: Specifies the SSH port to monitor.
    • filter = sshd: Uses the sshd filter to parse SSH logs.
    • logpath: Specifies the path to the SSH log file.
    • maxretry: Sets the maximum number of failed login attempts before banning an IP address.
    • bantime: Sets the duration (in seconds) for which an IP address is banned.
    • findtime: Sets the time window (in seconds) during which failed login attempts are counted.
  3. Restart Fail2ban:

    sudo systemctl restart fail2ban

Fail2ban provides an automated and effective way to protect your SSH server from brute-force attacks and complements the hardening steps above.
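
To make the maxretry/findtime rule concrete, here is an added example (not from the article or the Fail2ban project) that applies the same counting logic to a few constructed auth.log lines: a source is reported the moment it accumulates maxretry failed password attempts inside a sliding findtime-second window. It only looks at the syslog time-of-day field and assumes all lines fall on one day; the host name, process ids and addresses (documentation ranges) are made up.

```shell
#!/bin/sh
# Added example: the counting rule behind the sshd jail, run over
# constructed auth.log lines (no real hosts or clients).
# ban_candidates MAXRETRY FINDTIME < auth.log
#   prints each source IP once, at the moment it reaches MAXRETRY failed
#   password attempts inside a sliding FINDTIME-second window.
# Simplification: the syslog "HH:MM:SS" field is used as the timestamp and
# all lines are assumed to fall on one day; fail2ban parses full dates.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":")
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
            when[ip, n[ip]] = ts
            # attempts from this IP that fall inside the window ending now
            c = 0
            for (j = 1; j <= n[ip]; j++) if (ts - when[ip, j] <= findtime) c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = ts; print ip }
        }
    '
}

# Constructed sample: one fast guesser (203.0.113.5), one slow guesser
# (203.0.113.9, one attempt every 30 s) and a legitimate user who mistyped
# his password twice, ten minutes apart.
demo_ban_candidates() {
    ban_candidates "$1" "$2" <<'EOF'
Jan 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:05 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:08 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 10 12:00:09 web1 sshd[2107]: Accepted publickey for bob from 198.51.100.7 port 40112 ssh2
Jan 10 12:00:12 web1 sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Jan 10 12:00:20 web1 sshd[2111]: Failed password for bob from 198.51.100.7 port 40120 ssh2
Jan 10 12:01:00 web1 sshd[2113]: Failed password for invalid user test from 203.0.113.9 port 60001 ssh2
Jan 10 12:01:30 web1 sshd[2115]: Failed password for invalid user test from 203.0.113.9 port 60002 ssh2
Jan 10 12:02:00 web1 sshd[2117]: Failed password for invalid user test from 203.0.113.9 port 60003 ssh2
Jan 10 12:02:30 web1 sshd[2119]: Failed password for invalid user test from 203.0.113.9 port 60004 ssh2
Jan 10 12:03:00 web1 sshd[2121]: Failed password for invalid user test from 203.0.113.9 port 60005 ssh2
Jan 10 12:10:30 web1 sshd[2123]: Failed password for bob from 198.51.100.7 port 40130 ssh2
EOF
}

# With the jail.local values above (maxretry 5, findtime 60) only the fast
# guesser is reported; the slow one never has 5 failures in any 60 s window,
# and bob never gets close. Lowering maxretry or widening findtime catches
# the slow guesser too, at the cost of more false positives.
demo_ban_candidates 5 60
```

The point of the two runs is that findtime and maxretry are a pair: a source that stays under maxretry per findtime window is never banned, so tune them against your own logs. On a real host, test the shipped filter against the real log with `fail2ban-regex /var/log/auth.log sshd` and inspect the live jail with `sudo fail2ban-client status sshd`; on systems that log only to the journal, set `backend = systemd` in the jail instead of a logpath.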

2. Implementing Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) adds an extra layer of security by requiring users to provide two different authentication factors: something they know (password or passphrase) and something they have (a code generated by a mobile app or a hardware token).

Explanation:

Even if an attacker manages to compromise a user’s password, they still need the second factor to gain access to the server. This significantly reduces the risk of unauthorized access.

Implementation using Google Authenticator:

  1. Install the Google Authenticator PAM module:

    • Ubuntu/Debian: sudo apt install libpam-google-authenticator
    • CentOS/Fedora: sudo dnf install google-authenticator
  2. Configure Google Authenticator for the user:

    Run the following command as the user for whom you want to enable 2FA:

    google-authenticator

    The command will ask you a series of questions:

    • "Do you want authentication tokens to be time-based (y/n)?" – Answer y.
    • It will then display a QR code and a secret key. Scan the QR code with the Google Authenticator app on your smartphone. If you cannot scan the QR code, enter the secret key manually into the app.
    • Answer y to the remaining questions to update the ~/.google_authenticator file with secure settings.
  3. Configure SSH to use PAM:

    Edit the /etc/pam.d/sshd file:

    sudo nano /etc/pam.d/sshd

    Add the following line to the end of the file:

    auth required pam_google_authenticator.so nullok
  4. Enable ChallengeResponseAuthentication in /etc/ssh/sshd_config:

    sudo nano /etc/ssh/sshd_config

    Ensure the following line is present and uncommented:

    ChallengeResponseAuthentication yes

    If you set PasswordAuthentication to no in Step 3 and want to use key-based authentication together with 2FA, you can leave it as it is. Otherwise, leave PasswordAuthentication set to yes.

  5. Restart the SSH server:

    sudo systemctl restart sshd

Now, when you log in to your SSH server, you will be prompted for a verification code from the Google Authenticator app.

Implementing 2FA provides a strong layer of protection against unauthorized access, especially when combined with the other measures in this article. Securing your SSH configuration is a crucial aspect of server security.

Conclusion

We’ve explored essential SSH hardening techniques, including changing the default port, disabling root login, and disabling password-based authentication. Furthermore, we examined two alternative solutions: Fail2ban and Two-Factor Authentication. Implementing these measures will significantly enhance the security of your Linux servers. However, remember that security is an ongoing process. Regularly review your SSH configuration and stay informed about the latest security threats to keep your systems protected.
