Ultimate Guide to Secure SSH Server Configuration on Linux
Introduction to SSH Security
SSH (Secure Shell) is the primary method for remote server access, making it a critical security component. This guide covers advanced SSH server hardening techniques.
Basic Hardening Steps
- Change default port:
Port 2222
- Disable root login:
PermitRootLogin no
- Enable key-based authentication:
PasswordAuthentication no
PubkeyAuthentication yes
Advanced Security Measures
Two-Factor Authentication
- Install Google Authenticator:
sudo apt install libpam-google-authenticator
- Configure PAM:
auth required pam_google_authenticator.so
Intrusion Prevention
- Install fail2ban:
sudo apt install fail2ban
- Configure SSH jail:
[sshd]
enabled = true
maxretry = 3
bantime = 1h
Performance Optimization
ClientAliveInterval 300
ClientAliveCountMax 2
TCPKeepAlive yes
Compression delayed
Troubleshooting Common Issues
- Connection refused: Check
ss -tulpn | grep sshd
- Permission denied: Verify
~/.ssh/authorized_keys
permissions - Slow connections: Disable DNS lookups with
UseDNS no
Security Audit Checklist
- Regularly rotate SSH keys
- Monitor auth logs:
/var/log/auth.log
- Implement IP whitelisting
- Use SSH certificates for large deployments
Conclusion
A properly hardened SSH configuration is essential for protecting your servers from unauthorized access. By implementing these measures, you’ll significantly reduce your attack surface while maintaining accessibility.