How to Secure SSH on Linux servers Ubuntu/CentOS/Fedora


What is SSH?

The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

An SSH client programme is typically used for establishing connections to an SSH daemon accepting remote connections. Both are commonly present on most modern operating systems, including macOS, Linux, OpenBSD, FreeBSD…

In this guide, you will change the SSH port, disable the root user’s login, and disable password-based login.

The configuration file is located in /etc/ssh/sshd_config.

Step 1: Change SSH port

The majority of attack scripts only try port 22, the standard SSH port, so changing the default port adds an extra layer of protection against that automated traffic. A port scan can still find the service, so combine this step with the ones below.

Open the config file and change Port 22 to Port 2445. Do not leave the old Port 22 line active, because sshd listens on every Port line it finds.

...
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
Port 2445
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
...

You must keep the port number in mind or write it down if you want to use SSH to access your servers.

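Restart the OpenSSH server. Keep your current session open until you have confirmed that you can log in on the new port, and make sure any host firewall or SELinux policy allows the new port.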

In Debian / Ubuntu Linux:

$ sudo service ssh restart
# using systemd:
$ sudo systemctl restart ssh

CentOS / RHEL / Fedora / Redhat Linux:

$ sudo service sshd restart
# using systemd:
$ sudo systemctl restart sshd

Now, to connect to the SSH server, add the -p parameter with the new port number 2445.

$ ssh root@SERVER_IP -p 2445

Next up, we disable root login.

Step 2: Disable root login via SSH

If you don’t have a sudo-enabled user already, you can follow our guide on Creating a New sudo-enabled User.

From now on, connect to the server through SSH as that sudo user rather than as root.

By changing the PermitRootLogin option and setting it to no, you will prevent root login:

...
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
...

Restart the SSH server, and you should now be able to connect to the server as follows:

$ ssh bob@SERVER_IP -p 2445
# To switch to root user use:
$ sudo su
[sudo] password for bob:

Step 3: Disable password based SSH login

To get rid of the constant brute force attacks, you can opt for only key-based SSH login.

Follow our guide on How to use a Private key for SSH authentication.

Consider the following before you do this:

  1. To make sure you can still log into your server, create an SSH key pair on your personal or work computer and add the public SSH key to your server.
  2. When password-based authentication is disabled, unauthorized machines cannot ssh into your server.
  3. You won’t be able to access your server again if you are locked out.

You are now aware of the dangers involved with removing password-based SSH logins. 

Let’s see how to do it.

Disable password authentication. By changing the PasswordAuthentication option and setting it to no, you will prevent password login. Restart the SSH server afterwards, as in Step 1, for the change to take effect:

...
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no
#PermitEmptyPasswords no
...
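
sshd uses the first value it obtains for most keywords, while every Port line adds a listening port, so an old line left active above the new one undoes Steps 1 to 3. The check below is an added example, not part of the original guide; its function names and sample configs are constructed for illustration, and it reads only the global section of a single file.

```shell
#!/bin/sh
# Added example, not from the original guide. Global section only: parsing
# stops at the first Match block and Include drop-ins are not followed.

# first_value FILE KEYWORD: sshd keeps the FIRST value of a single-valued keyword
first_value() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        $1 ~ /^#/ { next }                  # commented-out option
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }' "$1"
}

# all_ports FILE: every uncommented Port line adds a listener
all_ports() {
    awk '$1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { printf "%s%s", sep, $2; sep = " " }' "$1"
}

# audit FILE PORT: print findings; return 0 only if all three steps took effect
audit() {
    rc=0
    ports=$(all_ports "$1")
    [ "$ports" = "$2" ] || { echo "listening on: ${ports:-22 (default)} (want only $2)"; rc=1; }
    for kw in PermitRootLogin PasswordAuthentication; do
        v=$(first_value "$1" "$kw")
        [ "$v" = "no" ] || { echo "$kw is effectively '${v:-unset, built-in default}'"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: new lines added below the old ones, old ones left active
sample_leftover() {
    printf '%s\n' 'Port 22' 'Port 2445' '#AddressFamily any' \
        'PermitRootLogin yes' 'PermitRootLogin no' \
        'PasswordAuthentication yes' 'PasswordAuthentication no'
}

# Constructed sample: old lines commented out
sample_clean() {
    printf '%s\n' '#Port 22' 'Port 2445' 'PermitRootLogin no' \
        '#PermitEmptyPasswords no' 'PasswordAuthentication no'
}

# Demo on the constructed "leftover" sample
tmp=$(mktemp)
sample_leftover > "$tmp"
audit "$tmp" 2445 || echo "=> not hardened"
rm -f "$tmp"
```

On the server itself, `sudo sshd -t` validates the file before a restart and `sudo sshd -T` prints the effective settings, including anything pulled in by the Include line.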

Conclusion

We have provided a list of useful SSH fortification techniques. There are a number of other techniques to protect SSH and your Linux server. It’s impossible to provide a complete list of them in one article.
