Five tips on enhancing SSH server security

SSH, or Secure Shell, is a UNIX-based command interface and protocol designed to allow secure communications between different hosts through an encrypted connection. SSH servers, therefore, allow users to securely log into remote hosts, run commands and operate network services.

To establish an SSH connection, a user needs two components: the SSH client and the SSH server. Both ends of the client/server connection are authenticated by a digital certificate, and passwords are systematically encrypted.

The SSH server offers a wonderful opportunity for secure communication between remote machines, but the degree of security it provides relies heavily on how well it is configured. In this tutorial, you will discover five methods to harden SSH server security. Most modifications can be made by editing the sshd_config file, usually found at /etc/ssh/sshd_config.

#1: Use SSH Protocol 2 only

Protocol 1 has a lot of known vulnerabilities, so be sure to set Protocol 2 as the default. You can change this by editing the sshd_config file referenced above.

#2: Disable root login

Overlooking the dangers of direct root login is by far one of the most common mistakes when it comes to SSH security. It is therefore wiser to disable direct root logins and require a primary user to log in via SSH, switching to root afterwards only if it's really necessary. Here's how you can add the primary user for the SSH connection and set a new password:

useradd [new name]
# passwd takes the user name and then prompts for the new password
passwd [new name]

#3: Integrate two-factor authentication

Two-factor authentication is slowly but surely becoming the norm in the digital world nowadays. It would be a good idea to incorporate this type of authentication in your SSH connection so as to enhance its security. Google Authenticator is a good tool that will help you in this direction.

#4: Use a port that is not 22 (default)

By doing this, you can prevent brute-force attacks against the default SSH port. You can change this by editing the sshd_config file referenced above.
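
An added example, not part of the original article: a small Python audit of the three sshd_config settings from tips #1, #2 and #4. The sample config is constructed and the function names are hypothetical; the check assumes no Include files and treats a missing PermitRootLogin as a finding because the built-in default differs between OpenSSH releases.

```python
import re

# Constructed sample for illustration, not taken from a real host.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
Port 2222
protocol 2,1
PermitRootLogin=no
PermitRootLogin yes
Match User backup
    PermitRootLogin yes
"""

# Keyword and value are separated by whitespace or a single '='.
# Comment lines start with '#', which is not a keyword character, so they never match.
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)")

def parse(text):
    """Split a config into global settings and settings inside Match blocks."""
    glob, matched, in_match = {}, [], False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()  # keywords are case-insensitive
        if key == "match":
            in_match = True          # a Match block runs until the next Match or end of file
        elif in_match:
            matched.append((key, value))
        else:
            glob.setdefault(key, []).append(value)
    return glob, matched

def audit(text):
    """Return a list of findings for tips #1, #2 and #4."""
    glob, matched = parse(text)
    findings = []
    # Tip #1: sshd keeps the first value it reads for a keyword.
    if "1" in [p.strip() for p in glob.get("protocol", ["2"])[0].split(",")]:
        findings.append("Protocol allows SSH 1")
    # Tip #2: require an explicit global 'no', and no Match block that overrides it.
    if glob.get("permitrootlogin", [""])[0] != "no":
        findings.append("PermitRootLogin is not 'no'")
    if any(k == "permitrootlogin" and v != "no" for k, v in matched):
        findings.append("a Match block re-enables root login")
    # Tip #4: Port may be given several times and every listed port is opened; the default is 22.
    if "22" in glob.get("port", ["22"]):
        findings.append("sshd listens on port 22")
    return findings
```

On a live host, `sshd -T` prints the effective configuration after defaults are resolved, which is a useful cross-check for a file-based audit like this one.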

#5: Use a firewall

By using an iptables firewall such as CSF, you can limit incoming SSH connections and set how many times a login may fail before it gets blocked. To do this, edit /etc/csf/csf.conf like so:

LF_SSHD = "5"

And then restart the firewall to apply changes:

csf -r

We hope our tips help you properly configure your SSH server so that it offers the highest degree of security for your remote connections.
