These are some tips for securing an SSH server on a Linux host. The config file is usually located at /etc/ssh/sshd_config.
- Disable empty passwords
- Change default port
The default port is 22/tcp, and most attack scripts are written for that port only. Changing the port may reduce the number of attacks.
- Disable root login
- Disable ssh protocol 1
- Configure idle timeout interval
The idle timeout interval is the amount of time an SSH connection can remain active without any activity.
# Keep a 5 minute timeout interval
ClientAliveInterval 300
After this interval, the SSH server will send an alive message to the client. If it doesn’t get a response, the connection will be closed and the end user will be logged out.
You may also control how many times it sends the alive message before disconnecting.
- Allow SSH access to selected users only
Allow SSH access to a selected few users, thus restricting it for all other users.
You may also add selected users to a new group and allow only this group to access SSH.
You may also use the DenyUsers and DenyGroups directives to deny SSH access to certain users and groups.
- Disable X11 forwarding
X11, the X display server, is the basic framework for a graphical environment. X11 forwarding allows you to use a GUI application via SSH.
- Mitigate brute force attacks automatically
You can use a security tool like Fail2Ban.
Fail2Ban checks the failed login attempts from different IP addresses. If these bad attempts cross a threshold within a set time interval, it bans the IP from accessing SSH for a certain time period.
- Disable password based SSH login
This leaves key-based SSH login as the only option.
In this approach, you add the public keys of the remote client systems to the list of authorized keys on the SSH server. This way, those client machines can access SSH without entering the user account password.
PasswordAuthentication no
The sshd service needs to be restarted afterwards.
When you have this setup, you can disable password based SSH login. Now, only the client machines that have the specified SSH keys can access the server via SSH.
Before you go for this approach, make sure that you have added your own public key to the server and it works. Otherwise, you’ll lock yourself out and may lose access to the remote server.
- Two-factor authentication with SSH
To take SSH security to the next level, you may also enable two-factor authentication. In this approach, you receive a one-time password on your mobile phone, by email or through a third-party authentication app.
More details at https://www.linode.com/docs/security/authentication/two-factor-authentication/use-one-time-passwords-for-two-factor-authentication-with-ssh-on-ubuntu-16-04-and-debian-8/
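As an added illustration (not part of the original tips), the following Python script audits the global section of an sshd_config for the directives discussed above and reports which ones are still at a weak or default value. The directive names are real OpenSSH keywords; the two sample configs are constructed, and the built-in defaults assumed are those of current OpenSSH.

```python
import re

# Directives covered by the tips above: (hardened value, sshd built-in default);
# a directive absent from the file is treated as its default.
CHECKS = {
    "permitemptypasswords": ("no", "no"),
    "permitrootlogin": ("no", "prohibit-password"),
    "protocol": ("2", "2"),
    "passwordauthentication": ("no", "yes"),
    "x11forwarding": ("no", "no"),
}

def parse_sshd_config(text):
    """Return {keyword: value} for the global section. sshd keeps the FIRST
    value it sees for a keyword; lines after the first Match block are
    conditional and are skipped. Keywords are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1] if len(parts) > 1 else "")
    return settings

def audit(settings):
    """Return a sorted list of (keyword, actual, expected) findings."""
    findings = []
    for key, (expected, default) in CHECKS.items():
        actual = settings.get(key, default).lower()
        if actual != expected:
            findings.append((key, actual, expected))
    if settings.get("port", "22") == "22":        # still listening on the default port
        findings.append(("port", "22", "non-default"))
    if int(settings.get("clientaliveinterval") or 0) == 0:   # 0 = idle sessions never dropped
        findings.append(("clientaliveinterval", "0", ">0"))
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append(("allowusers/allowgroups", "unset", "set"))
    return sorted(findings)

# Constructed samples (not real hosts): a near-stock config and a hardened one.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nX11Forwarding yes\n"
HARDENED_CONFIG = "\n".join([
    "Port 2222", "PermitEmptyPasswords no", "PermitRootLogin no",
    "ClientAliveInterval 300", "ClientAliveCountMax 2", "AllowGroups sshusers",
    "X11Forwarding no", "PasswordAuthentication no",
    "Match User deploy", "    PasswordAuthentication yes",  # conditional, skipped by the parser
])
```

Run audit(parse_sshd_config(open("/etc/ssh/sshd_config").read())) on a host to list the directives that still need attention; an empty list means every check above passes.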