
Quick Tips to Harden SSH on Ubuntu

As an Ubuntu server administrator, you will most likely use Secure Shell (SSH) for remote access to the server. If you work with SSH, you will definitely want to check out the following tips to harden SSH on your Ubuntu server.

As the name suggests, SSH is a relatively secure protocol. However, we can make it more secure with a few steps. The aim of this article is to help you better lock down the SSH server.

Don’t Permit Empty Passwords

Firstly, make sure user accounts without passwords are not able to log in. Some server administrators create standard system users without a password. By default, SSH is configured to permit empty passwords.

Now, open the SSH daemon configuration file with the following command:

Find the line with

Remove the comment as shown below:

Save the configuration and restart the SSH server with the command below:

Limit Max Authentication Attempts

Frankly speaking, the best approach to preventing brute-force attacks on your server is to limit the login attempts. To limit the number of login attempts, locate the line with:

Uncomment it as shown below:

Set Idle Timeout Interval

The idle timeout is how long an SSH session is allowed to stay idle. Once the timeout is set, the SSH connection is closed whenever that time passes. By default, this option is disabled.

Here, I will enable the idle timeout and set it to four minutes (240 seconds).

Now, locate the line with:

And, uncomment the line as shown below:

Disable Root Login

The root account has full sudo privileges associated with it, and it can be dangerous if an unauthorized person gains access to it. Instead, connect to the server with a regular account that has sudo privileges, and make sure sudo is set up properly. So, let's disable root login via SSH.

In the SSH configuration, find the line with:

Replace it with:

Change SSH Ports

One other way to harden SSH is to change the default port. SSH runs on port 22 by default, and hackers mostly target the default port, so changing it might keep them from targeting you. Changing the port is not strictly necessary, but it is one more security measure when hardening an SSH server. In the configuration, find the line with:

Then, change the port to another port, like 2019:

Whitelist SSH Users

It is best to limit the users allowed to log in to the SSH server: only users in the list will be allowed to log in, and every other user will be denied access. Assuming we want to allow john to log in remotely through SSH, add the line below to the configuration file.

Don't forget to add your own username to the AllowUsers list, or you will lock yourself out.

Fail2Ban

This software scans your logs and temporarily bans IPs with suspicious activity. To install it, run the command below:

Once installed, make a copy of the configuration file as shown below.

Then, open your copy of the fail2ban configuration file:

Look for the line that starts with [sshd], uncomment enable = true, and edit it as shown below:

Now restart fail2ban with the command below:

Fail2ban will now monitor your SSH logs for suspicious activity and temporarily ban the source IP.

I also have an article on how to configure DenyHosts on Ubuntu. You might want to check it out.

Disable X11Forwarding

This article is meant for remote servers, where there is no need for a GUI. X11 forwarding lets any user tunnel GUI applications over SSH, so disable it on the remote server. In the SSH configuration file /etc/ssh/sshd_config, find the line:

And replace yes with no as shown below:

Use SSH Keys

You can SSH into the server with a username and password, but then someone can brute-force their way into the server. So, SSH keys can be used instead of passwords.

Generate SSH Key Pair

Now, let's generate our keys, which come in pairs: a public key and a private key. To generate them, run the following command on the machine that will be used to SSH into the server:

You will be asked to enter a passphrase to protect the key. You can leave it blank if you think it is not necessary.

Keep in mind that an unprotected private SSH key can be used to access the server by anyone in possession of that key.

Share Your Public Key

Use ssh-copy-id to copy your public key to the server.

You have changed your SSH port. Assuming your SSH port is 2019, use the command below, and make sure you change the IP to the IP of your server.

Afterwards, try accessing the server via SSH with the following command:

You may be asked to enter your passphrase, if you set one during key generation.

If the command runs successfully, you should see a message similar to the one below:

Answer yes, and you should get access to the server without entering a password.

Disable Password Authentication

Now that we have established SSH key authentication, we can disable password authentication on the server. Open the SSH configuration file and find the line:

Then, change it to:

Displaying Banner

Usually, banners are some form of message or statement saying “unauthorized access is not allowed”. Sometimes the banner contains legalese intended to warn or scare off hackers. Frankly speaking, this doesn't add any security to the system, because anyone who manages to access your system won't care about the warning sign, but it might give the hacker a chuckle.

By default, banners are disabled on Ubuntu 18.04. Banners are displayed before authentication, meaning anyone trying to SSH into the server will see the banner. To see the banner, you need to enable PasswordAuthentication.

To add a banner, edit the SSH configuration file and then uncomment:

After that, try accessing the server with a wrong user account:

You will receive feedback similar to the one below:

You can customize this message by editing the /etc/issue.net file.

This message will make the hacker think about what he/she is doing before messing around.
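The sshd_config directives from the sections above, collected into one script as an added example that is not part of the original post: it rewrites the file named by CONF (an assumed path; a scratch copy by default), places each directive at the top so it wins over anything in an Include or Match block, and audits the result. MaxAuthTries 3 is an assumed value since the post names none; john, 2019 and /etc/issue.net are the post's own examples.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the sshd_config directives
# the article walks through to the file named by CONF, then audits the result.
# Assumptions: MaxAuthTries 3 is our pick (the post names no number); the user
# "john", port 2019 and /etc/issue.net are the post's own examples.
CONF="${CONF:-./sshd_config.test}"   # set CONF=/etc/ssh/sshd_config for real use
# Set KEY to VALUE: drop every existing line for KEY (commented or not; lines in
# Match blocks go too, so review those by hand) and put ours at the top, ahead
# of any Include or Match line, since sshd honours the first occurrence.
set_directive() {
    key="$1"; value="$2"; tmp=$(mktemp)
    { printf '%s %s\n' "$key" "$value"
      grep -Eiv "^[[:space:]]*#?[[:space:]]*$key([[:space:]=]|$)" "$CONF" || true
    } > "$tmp"
    cat "$tmp" > "$CONF"; rm -f "$tmp"   # cat keeps the file's mode and owner
}

# Effective value of KEY: first uncommented occurrence, the way sshd reads it.
get_directive() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$CONF"
}

harden() {
    set_directive PermitEmptyPasswords no
    set_directive MaxAuthTries 3
    # Four minutes, as in the post. sshd ends the session only after
    # ClientAliveCountMax (default 3) probes go unanswered; an idle but still
    # connected client answers them, so this mainly clears dead connections.
    set_directive ClientAliveInterval 240
    set_directive PermitRootLogin no
    set_directive Port 2019
    set_directive AllowUsers john
    set_directive X11Forwarding no
    set_directive PasswordAuthentication no
    set_directive Banner /etc/issue.net
}

# Audit: report each directive not at its hardened value; return 1 if any differ.
audit() {
    rc=0
    for pair in PermitEmptyPasswords=no MaxAuthTries=3 PermitRootLogin=no \
                X11Forwarding=no PasswordAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}; have=$(get_directive "$key")
        [ "$have" = "$want" ] || { echo "$key is '${have:-unset}', want $want"; rc=1; }
    done
    return $rc
}

# Usage: sudo CONF=/etc/ssh/sshd_config sh harden.sh apply, then run sshd -t
# before restarting the service. Without "apply" only the functions are defined.
if [ "${1:-}" = apply ]; then harden && audit; fi
```

Keep an existing session open while you restart sshd, so a typo in the file or a missing AllowUsers entry cannot lock you out.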

Conclusion

Hopefully, you have found this article helpful for hardening SSH on your server. There is much more to learn about SSH. Good luck.

Clemence Ayekple
