Security

Ultimate Guide to Secure SSH Server Configuration on Linux

Introduction to SSH Security

SSH (Secure Shell) is the primary method for remote server access, making it a critical security component. This guide covers advanced SSH server hardening techniques.

Basic Hardening Steps

  1. Change default port:
Port 2222
  1. Disable root login:
PermitRootLogin no
  1. Enable key-based authentication:
PasswordAuthentication no
PubkeyAuthentication yes

Advanced Security Measures

Two-Factor Authentication

  1. Install Google Authenticator:
sudo apt install libpam-google-authenticator
  1. Configure PAM:
auth required pam_google_authenticator.so

Intrusion Prevention

  1. Install fail2ban:
sudo apt install fail2ban
  1. Configure SSH jail:
[sshd]
enabled = true
maxretry = 3
bantime = 1h

Performance Optimization

ClientAliveInterval 300
ClientAliveCountMax 2
TCPKeepAlive yes
Compression delayed

Troubleshooting Common Issues

  • Connection refused: Check ss -tulpn | grep sshd
  • Permission denied: Verify ~/.ssh/authorized_keys permissions
  • Slow connections: Disable DNS lookups with UseDNS no

Security Audit Checklist

  1. Regularly rotate SSH keys
  2. Monitor auth logs: /var/log/auth.log
  3. Implement IP whitelisting
  4. Use SSH certificates for large deployments

Conclusion

A properly hardened SSH configuration is essential for protecting your servers from unauthorized access. By implementing these measures, you’ll significantly reduce your attack surface while maintaining accessibility.

Basic IPTables Configuration

Learn basic IPTables configuration for Linux firewalls.

  1. List current rules:
sudo iptables -L -v -n
  1. Allow SSH:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  1. Block IP:
sudo iptables -A INPUT -s 192.168.1.100 -j DROP
  1. Save rules:
sudo iptables-save > /etc/iptables/rules.v4

Read more: IPTables Documentation

Setting Up UFW Firewall

Learn how to set up and manage UFW (Uncomplicated Firewall) on Ubuntu with advanced configurations.

  1. Install UFW:
sudo apt install ufw
  1. Set default policies:
sudo ufw default deny incoming
sudo ufw default allow outgoing
  1. Enable UFW:
sudo ufw enable
  1. Allow specific services:
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
  1. Advanced configurations:
# Allow specific IP range
sudo ufw allow from 192.168.1.0/24

# Rate limiting
sudo ufw limit ssh

# Delete rule
sudo ufw delete allow http

Monitoring and logging:

Setting Up SSH on Linux

Learn how to set up secure SSH access on your Linux server with advanced configuration options.

  1. Install OpenSSH server:
sudo apt install openssh-server
  1. Configure SSH with enhanced security:
sudo nano /etc/ssh/sshd_config

Set these recommended options:

PermitRootLogin no
PasswordAuthentication no
AllowUsers yourusername
  1. Generate SSH keys:
ssh-keygen -t ed25519 -C "[email protected]"
  1. Restart SSH service:
sudo systemctl restart ssh
  1. Test connection with key-based authentication:
ssh -i ~/.ssh/id_ed25519 user@your-server-ip

Additional security measures: