Ssh

Ultimate Guide to Secure SSH Server Configuration on Linux

Introduction to SSH Security

SSH (Secure Shell) is the primary method for remote server access, making it a critical security component. This guide covers advanced SSH server hardening techniques.

Basic Hardening Steps

  1. Change default port:
Port 2222
  1. Disable root login:
PermitRootLogin no
  1. Enable key-based authentication:
PasswordAuthentication no
PubkeyAuthentication yes

Advanced Security Measures

Two-Factor Authentication

  1. Install Google Authenticator:
sudo apt install libpam-google-authenticator
  1. Configure PAM:
auth required pam_google_authenticator.so

Intrusion Prevention

  1. Install fail2ban:
sudo apt install fail2ban
  1. Configure SSH jail:
[sshd]
enabled = true
maxretry = 3
bantime = 1h

Performance Optimization

ClientAliveInterval 300
ClientAliveCountMax 2
TCPKeepAlive yes
Compression delayed

Troubleshooting Common Issues

  • Connection refused: Check ss -tulpn | grep sshd
  • Permission denied: Verify ~/.ssh/authorized_keys permissions
  • Slow connections: Disable DNS lookups with UseDNS no

Security Audit Checklist

  1. Regularly rotate SSH keys
  2. Monitor auth logs: /var/log/auth.log
  3. Implement IP whitelisting
  4. Use SSH certificates for large deployments

Conclusion

A properly hardened SSH configuration is essential for protecting your servers from unauthorized access. By implementing these measures, you’ll significantly reduce your attack surface while maintaining accessibility.