How to secure SSH server, the modern way

This article will help you to secure the OpenSSH server in a modern way. The main configuration file of the ssh server is /etc/ssh/sshd_config, and techs normally edit this file and make changes. But there is a drawback to this. If the Operating system updates the openSSH server, you have to edit it again or keep the old sshd_config . We don't do that here. We leave the sshd_config as it is.

Where do we place the settings?

There is a folder called /etc/ssh/sshd_config.d/ and we put all our tweak settings here. The openssh server will load the configuration from this folder and apply the changes.

How to secure the OpenSSH server?

There are several ways to secure SSH settings. Please follow the documents and make the changes.

1. Start with a disclaimer banner

Every organization needs a security policy to inform the client before using the SSH. Create the following banner file, /etc/issue.net

Now enable this banner in openSSH configuration, /etc/ssh/sshd_config.d/00-banner.conf

2. Prevent empty passwords

We don't need some one use empty passwords to access the SSH server. Empty passwords are a bad idea. You may have other utilities, such as Plug-gable Authentication Modules (PAM), regulating your regular passwords, but it's also a good idea to make sure SSH enforces responsible security settings, too.

To disable empty passwords create the configuration file , /etc/ssh/sshd_config.d/01-noemptypasswords.conf

3. Change the default SSH Port

SSH default listens on port 22 , which is always a victim of brute force attacks. We never use this port. We are going to change the SSH Port to another one let us say, 1234 .

To make changes to the SSH port add the port configuration in /etc/ssh/sshd_config.d/02-port.conf

4. Limit access of root user

It is always to control the permission of the root user to access the SSH server. This has been performed by setting the variable PermitRootLogin . This variable accepts the three values as yes , no , and prohibit-password

• yes - This option will allow the root user with a password
• no - This option will disable the direct ssh of the root user
• prohibit-password - This option will allow root user but with ssh-keys only,

We are going to allow the root user with ssh-key access only.

Add the PermitRootLogin option to the configuration file /etc/ssh/sshd_config.d/03-permitroot.conf

5. Control Idle timeout

This option will close the client connection if there is no response from the client side after a certain period. We don't need to keep the connection option if the user is not on his workstation. With open connections, anyone can access the SSH server. We are going to set ClientAliveInterval and ClientAliveCountMax variables to make this adjustment.

• ClientAliveInterval is how much time the SSH server needs to check for active connections.
• ClientAliveCountMax defines how many times the server will do this before deciding the client isn't there anymore. At that point, the connection is dropped.

We are going to set the 5-minute interval time for the inactive client connections.

Create the configuration file /etc/ssh/sshd_config.d/04-timeouts.conf

6. Limit Login/Access Attempts

This option will limit access to the SSH server after a certain number of failed login attempts. It is always good to use this option to reduce brute-force attacks. We use the variable MaxAuthTries to limit the failed login attempts.

Add the configuration /etc/ssh/sshd_config.d/05-limitaccess.conf

7. Disable TCP forwarding

Attackers can try to gain access to your other systems by port forwarding through SSH connections. To prevent this, you can turn off the AllowTcpForwarding .

Add the configuration file , /etc/ssh/sshd_config.d/06-notcpforward.conf

8. Disable X-Window connections

We don't need someone to run a browser on your SSH server. Prevent all GUI applications running through the SSH server using the variable AllowTcpForwarding

Create the configuration file /etc/ssh/sshd_config.d/07-nox11.conf

9. IP restrictions to sshd service.

We use /etc/hosts.allow, to white list access from certain IPs. This file can be used to restrict the SSH permission, allow a specific IP block, or enter a single IP and block all remaining IP addresses with the deny command.

An example for allowing ip address range 10.0.0.1/24 is as follows

10. Install a firewall on the server

You should always install and configure a firewall on your server. We recommend installing C onfig Server Security and Firewall (CSF) . This is a good firewall based on iptables. The LFD daemon associated with CSF will block brute-force attempts.

11. Resart OpenSSH server

The final step is to restart the openssh server to apply the above changes.

In addition to the above settings, you can use AllowUsers , AllowGroups , DenyUsers , and DenyGroups settings to control who can log in to the SSH server. In a hosting server, everyone with shell access would be able to ssh to the server. So using these settings may limit the access.

The Eenos hosting control panel supports the CSF firewall. It is auto-integrated with the Eenos BFD settings.