Secure your OpenSSH Server

Introduction

Secure Shell, or SSH, is a cryptographic (encrypted) network protocol for initiating text-based shell sessions on remote machines in a secure way.

OpenSSH is an implementation of SSH used on most Linux-based systems. It is very secure by default, but there are some configuration options that can be tweaked to reach a higher security level.


Change the SSH port

A very simple way to increase your server's level of security is to change the default SSH port from 22 to a random port. Just make sure this port is never used by another application or you will run into trouble.

To change your SSH port from 22 to 32122 do the following:

Open configuration file /etc/ssh/sshd_config in your favorite editor and replace the line

with:

Make sure this port is never used by another application and that it isn't blocked in your server's firewall. Once you are sure, restart the SSH server with:


Disallow root login

This directive lets you prevent users from logging in directly with the root account. Most attackers will try the root account first, so you are better off disallowing direct root access.

Open configuration file /etc/ssh/sshd_config in your favorite editor and replace the line

with:


Login with Public Key Authentication instead of passwords

Each user logging in to your server should generate a password-protected private key and give you his public key.

If Bob has an account on your server with the name bob, edit or create the file /home/bob/.ssh/authorized_keys and paste his public key into that file. He should now be able to log in with his key file instead of an easy-to-crack password.
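
The port, root-login and key-only settings from the sections above can be checked with a small audit script. This is an added example, not part of the original article; the function names, the sample file and the PasswordAuthentication check are assumptions, and Include files and Match blocks are not evaluated.

```sh
#!/bin/sh
# Added example, not from the original article. Include files are not followed.

# values_of FILE KEYWORD: print each value set for KEYWORD in the global section
# (before the first Match block). Keywords are matched case-insensitively.
values_of() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$1"
}

# audit_sshd_config FILE: print one line per finding, return the finding count.
audit_sshd_config() {
    cfg=$1
    findings=0
    # Port may be given several times and sshd listens on every one, so adding
    # "Port 32122" without removing "Port 22" leaves 22 open.
    ports=$(values_of "$cfg" Port)
    for p in ${ports:-22}; do                    # 22 is the default when unset
        if [ "$p" = 22 ]; then
            echo "FINDING: sshd still listens on port 22"
            findings=$((findings + 1))
        fi
    done
    # For other keywords sshd uses the first value it obtains.
    root=$(values_of "$cfg" PermitRootLogin | head -n 1)
    root=${root:-prohibit-password}              # upstream default when unset
    if [ "$root" != no ]; then
        echo "FINDING: PermitRootLogin is '$root', expected 'no'"
        findings=$((findings + 1))
    fi
    # Assumption: key-only login is enforced with PasswordAuthentication no.
    pw=$(values_of "$cfg" PasswordAuthentication | head -n 1)
    if [ "${pw:-yes}" != no ]; then              # default is yes
        echo "FINDING: password login is still enabled"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the new port was added, the old Port line was never removed.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'Port 32122' 'PermitRootLogin no' 'PermitRootLogin yes' > "$sample"
audit_sshd_config "$sample"
echo "findings: $?"
rm -f "$sample"
```

Before restarting the SSH server, sshd -t checks the configuration file for errors and sshd -T prints the settings sshd will actually use.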


Last but not least: use strong passwords!

Your password should consist of lowercase and uppercase letters, numbers and some special characters, and it should be at least 10-12 characters long. Use a password safe to remember those complex passwords, so you don't have to keep them in mind and they can be 20, 30 or 40 characters long!
