SSH, which stands for Secure Shell, is not very secure by default: it opts for standard password authentication with no other limits. If you really want to lock down your server, you need to configure more.
Disallow Password Logins: Use SSH Keys
The first thing to do is remove password authentication completely and switch to SSH keys. SSH keys are a form of public key cryptography: you have a public key that acts as your username and a private key that acts as your password (except this password is 2048 characters long). Your private key is stored on your disk, encrypted with a passphrase, and loaded into ssh-agent. When you SSH into a server, instead of being asked for your password, ssh-agent authenticates to the server with your key.
Even if you already use SSH keys, you still want to make sure your password logins are turned off, because the two are not mutually exclusive.
Generate SSH keys
You can generate a new SSH key with the ssh-keygen utility, which is installed by default on most Unix systems:
ssh-keygen
This will ask you for a passphrase to encrypt the local key file. The passphrase is not used for server authentication, but it should still be kept secret.
ssh-keygen stores your private key in ~/.ssh/id_rsa and your public key in ~/.ssh/id_rsa.pub. The private key stays on your hard drive, but the public key must be uploaded to the server so that the server can verify your identity and confirm that you have permission to access it.
The server maintains a list of authorized keys, usually stored in ~/.ssh/authorized_keys. You can add your public key to this file manually, or you can use the ssh-copy-id utility:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@host
Replace user@host with your own username and the hostname of the server. You will be asked to log in one more time with your old password; after that you should not be prompted again, and you can disable password login.
Disable SSH Password Login
Now that you can access the server with your keys, you can disable password authentication altogether. Make sure that key-based authentication works or you will be locked out of your server.
Open /etc/ssh/sshd_config on the server in your favorite text editor and search for the line beginning with:
#PasswordAuthentication
Uncomment it (remove the hashtag) and change 'yes' to 'no':
PasswordAuthentication no
Restart sshd with:
systemctl restart sshd
You will be forced to reconnect, and if your key file is incorrect you will no longer be prompted for a password.
If you want, you can also force public key authentication, which blocks all other authentication methods. Add the following lines to /etc/ssh/sshd_config:
AuthenticationMethods publickey
PubkeyAuthentication yes
Lockout Attackers with denyhosts
denyhosts is a utility that blocks hosts after repeated failed login attempts over SSH, similar to how your phone locks you out after too many attempts. It is not installed by default, so you need to install it from your distro's package manager. For Debian-based systems like Ubuntu that would be:
sudo apt-get install denyhosts -y
Once installed, enable it with:
sudo systemctl enable denyhosts
denyhosts should now run automatically, but you want to whitelist your IP address in case you are locked out. You could always try again from a different IP address, but this will save you some hassle.
Open /etc/hosts.allow and add at the bottom of the file:
sshd: your-ip-address
Replace your-ip-address with your IP address.
denyhosts blocks an address after one failed attempt for the root user and after five failed attempts for other users. You can change this behavior by editing the denyhosts configuration file.
If you accidentally lock yourself out, you must stop denyhosts and delete your IP address from a few places:
/var/lib/denyhosts/hosts
/var/lib/denyhosts/hosts-restricted
/var/lib/denyhosts/hosts-root
/var/lib/denyhosts/hosts-valid
/var/lib/denyhosts/users-hosts
Then start denyhosts again and you should be able to reconnect.
Whitelist SSH Access
Although enforcing SSH keys together with denyhosts probably provides adequate security, you can also whitelist specific IP addresses. Most server providers offer tools to do this through a web interface. If that is an option, whitelist from there rather than on the SSH server itself, because you can always change the whitelisted IP if you get locked out.
If that is not an option, you must manually configure /etc/hosts.deny to block all traffic from unauthorized hosts.
An Important Note: If you whitelist your home, keep in mind that your ISP may not give you a static IP address, so your IP address may change at any time. Make sure this cannot happen before you blacklist all other IP addresses, add multiple addresses as a backup, or simply skip this step.
Open /etc/hosts.allow and make sure your IP address is in the file:
sshd: your-ip-address
If it is, you can proceed and deny all other connections:
echo 'sshd: ALL' >> /etc/hosts.deny
Restart sshd and you should see your changes.
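As an added example (not from the original article), the following shell script models the TCP Wrappers decision that denyhosts and the hosts.allow/hosts.deny step rely on, and wraps the "deny everything" step in the whitelist check the note above asks for. It assumes plain "daemon: client" lines with IPv4 clients (no wildcards, netmasks or EXCEPT clauses) and works on constructed temporary files instead of the real /etc/hosts.allow and /etc/hosts.deny.

```shell
#!/bin/sh
# Added example, not from the original article: model the TCP Wrappers
# decision behind denyhosts and the hosts.allow / hosts.deny step, and guard
# the "deny everything" step behind the whitelist check the guide asks for.
# Assumptions: plain "daemon: client" lines, IPv4 only, no wildcards/EXCEPT.

# wrappers_match FILE DAEMON CLIENT -> 0 if FILE has a matching
# "DAEMON: CLIENT" line (ALL matches anything; comments and blanks ignored)
wrappers_match() {
    awk -v d="$2" -v c="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { split($0, f, ":"); gsub(/[[:space:]]/, "", f[1]); gsub(/[[:space:]]/, "", f[2]) }
        (f[1] == d || f[1] == "ALL") && (f[2] == c || f[2] == "ALL") { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# wrappers_decision ALLOWFILE DENYFILE DAEMON CLIENT -> prints allow or deny.
# Order matters: hosts.allow is consulted first, then hosts.deny, and a client
# matching neither file is allowed, which is the default-open rule closed below.
wrappers_decision() {
    if wrappers_match "$1" "$3" "$4"; then echo allow
    elif wrappers_match "$2" "$3" "$4"; then echo deny
    else echo allow; fi
}

# deny_all_sshd ALLOWFILE DENYFILE MYIP -> append "sshd: ALL" to DENYFILE only
# when MYIP is already whitelisted for sshd; otherwise change nothing, return 1
deny_all_sshd() {
    if ! wrappers_match "$1" sshd "$3"; then
        echo "refusing: $3 is not whitelisted for sshd in $1" >&2
        return 1
    fi
    grep -q '^sshd:[[:space:]]*ALL' "$2" || echo 'sshd: ALL' >> "$2"
}

# Constructed demo files standing in for /etc/hosts.allow and /etc/hosts.deny
ALLOW=$(mktemp); DENY=$(mktemp)
printf '# my whitelist\nsshd: 203.0.113.10\n' > "$ALLOW"
: > "$DENY"

wrappers_decision "$ALLOW" "$DENY" sshd 198.51.100.7   # allow: nothing denies it yet
deny_all_sshd "$ALLOW" "$DENY" 203.0.113.10            # ok, 203.0.113.10 is whitelisted
wrappers_decision "$ALLOW" "$DENY" sshd 198.51.100.7   # deny
wrappers_decision "$ALLOW" "$DENY" sshd 203.0.113.10   # allow
```

This only takes effect if your sshd is linked against libwrap; upstream OpenSSH dropped tcp_wrappers support in 6.7, so check your distribution's build before relying on hosts.deny alone.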
You can also put a proxy in front of your SSH server
If your SSH server is exposed to the internet but you need to access it from multiple IP addresses, you can set up a proxy that handles the connection for it. This could be another cloud server or even a box in your house.
The SSH server must be configured to accept connections only from the proxy server, and the proxy server must accept connections from anywhere. You can set up the proxy however you want; even a simple netcat relay will work. Keep in mind that this proxy server is the only access point to your SSH server, so if the proxy fails you will be locked out unless you have a backup address.
Do not allow root login
Create a new user instead and give that user sudo privileges. This is basically the same, but with one major difference: potential attackers must know the name of your user account to even start attacking your server, because it will not be as simple as root@yourserver. Aside from security, it is generally good Unix practice not to be logged in as root all the time, since root does not create logs and is never prompted when accessing protected resources.
Create a new user on your SSH server and set a password for that user. You will not log in with this password, because you are still using SSH keys, but it is required. Ideally, make it different from your root password.
Add this user to /etc/sudoers to give it administrator rights:
echo 'myfancyusername ALL=(ALL) ALL' >> /etc/sudoers
Switch to that user with su myfancyusername and check whether you can switch back to the root user with sudo su (which does not require the root password). If you can, you have sudo access.
Now you want to block root login. In /etc/ssh/sshd_config, find the PermitRootLogin line, remove the hashtag and change "yes" to "no":
PermitRootLogin no
Restart sshd and your server should block all requests to log in as root.
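Added example (not from the original article) covering both the PasswordAuthentication/PubkeyAuthentication step above and the PermitRootLogin step here: a POSIX shell audit that reads an sshd_config file and reports whether the settings this guide changes are actually in effect. It assumes whitespace-separated "Keyword value" lines with global settings before any Match block, and runs against constructed sample configs rather than the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# settings this guide changes. sshd honours the FIRST occurrence of a keyword
# (later duplicates are silently ignored) and keywords are case-insensitive,
# so the lookup mirrors that instead of taking the last match.

# sshd_setting FILE KEYWORD DEFAULT -> prints the effective value
sshd_setting() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        tolower($1) == "match" { exit }                 # assumption: globals precede Match
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd_config FILE -> 0 if every check passes, 1 otherwise (findings on stdout).
# DEFAULT values passed below are OpenSSH's stock defaults for an absent keyword.
audit_sshd_config() {
    rc=0
    [ "$(sshd_setting "$1" PasswordAuthentication yes)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_setting "$1" PermitRootLogin prohibit-password)" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_setting "$1" PubkeyAuthentication yes)" = "yes" ] \
        || { echo "FAIL: PubkeyAuthentication is not 'yes'"; rc=1; }
    case "$(sshd_setting "$1" AuthenticationMethods any)" in
        *publickey*) ;;
        *) echo "FAIL: AuthenticationMethods does not require publickey"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: $1 enforces the hardened settings"; fi
    return "$rc"
}

# Constructed sample configs: the weak one still has a commented-out line and a
# trailing "no" that sshd ignores because the earlier "yes" wins.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication no
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AuthenticationMethods publickey
EOF

audit_sshd_config "$WEAK_CFG" || true   # three FAIL lines
audit_sshd_config "$HARD_CFG"           # OK
```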
Setting up two-factor authentication
This is certainly overkill, but if you are paranoid about someone getting hold of your private SSH keys, you can configure your SSH server to use 2FA.
The easiest way to do this is Google Authenticator with an Android or iOS device, although SSH supports many two-factor methods. With Google Authenticator you get a QR code that you scan with the Google Authenticator mobile app to link your phone to the server, and you also get a few backup codes to use in case your phone is lost. Do not keep these codes on your main computer, otherwise they are not really a second factor.