Security ssh

Multiple Ways to Secure SSH Server

Secure Shell is a network communication protocol used for encrypted communication and remote administration between client and server. It is a multi-purpose protocol that can be used to do a lot more than just remote administration. This protocol communicates securely over an unsecure network using asymmetric encryption. Asymmetric encryption is a form of encryption in which public and private keys are used to encrypt and decrypt data. By default SSH communicates through port 22 but it can be changed. In this blog we will cover different ways to secure SSH server.

Different Ways to Secure SSH Server

All the configuration setting of SSH server can be done by modifying ssh_config file. This configuration file can be read by typing following command in Terminal.

ubuntu@ubuntu:~$ cat /etc/ssh/ssh_config

NOTE: Before editing this file, You must have root privileges.

Now we discuss different ways to secure SSH server. Following are some methods we can apply to make our SSH server more secure

  • By changing Default SSH Port
  • Using Strong Password
  • Using Public Key
  • Allowing a single IP to Log in
  • Disabling Empty Password
  • Using Protocol 2 for SSH Server
  • By Disabling X11 Forwarding
  • Setting an Idle Timeout
  • Setting a Limited Password Tries

Now we discuss all these methods one by one.

By Changing Default SSH Port

As described earlier, by default SSH uses Port 22 for communication. It is much easier for hackers to hack your data if they know which port is being used for communication. You can secure your server by changing default SSH port. To change the SSH port, open sshd_config file using nano editor by running the following command in Terminal.

ubuntu@ubuntu:~$ nano /etc/ssh/ssh_config

Find the line in which port number is mentioned in this file and remove the # sign before “Port 22” and change the port number to your desired port and save the file.

Using Strong Password

Most of the Servers are hacked because of a weak password. A weak password is more likely to be hacked by hackers easily. A strong password can make your server more secure. Following are the tips for a strong password

  • Use a combination of uppercase and lowercase letters
  • Use numbers in your password
  • Use lengthy password
  • Use special characters in your password
  • Never use your name or date of birth as password

Using Public Key to Secure SSH Server

We can login to our SSH server using two ways. One is using Password and the other one is using Public key. Using public key to login is much more secure than using a password to log into SSH server.

A key can be generated by running the following command in Terminal

ubuntu@ubuntu:~$ ssh-keygen

When you run the above command, It will ask you to enter the path for your private and public keys. Private key will be saved by “id_rsa” name and public key will be saved by “id_rsa.pub” name. By default the key will be saved in the following directory

/home/username/.ssh/

After creating public key use this key to configure SSH login with the key. After making sure that key is working to log into your SSH server, now disable password based log in. This can be done by editing our ssh_config file. Open the file in your desired editor. Now remove the # before “PasswordAuthentication yes” and replace it with

PasswordAuthentication no

Now your SSH server can only be accessed by public key and access through password has been disabled

Allowing a Single IP to log in

By default you can SSH into your server from any IP address. Server can be made more secure by allowing a single IP to access your server. This can be done by adding the following line in your ssh_config file.

ListenAddress 192.168.0.0

This will block all the IP’s to log into  your SSH server other than the Entered IP (i.e. 192.168.0.0).

NOTE: Enter the IP of your machine in place of “192.168.0.0”.

Disabling Empty Password

Never allow log into SSH Server with empty password. If empty password is allowed then your server is more likely to be attacked by brute force attackers. To disable Empty password  login, open ssh_config file and make the following changes

PermitEmptyPasswords no

Using Protocol 2 for SSH Server

Previous protocol used for SSH is SSH 1. By default the protocol is set to SSH 2 but if it is not set to SSH 2, you must change it to SSH 2. SSH 1 protocol has some issues related to security and these issues have been fixed in SSH 2 protocol. To change it, edit ssh_config file as shown below

Protocol 2

By Disabling X11 Forwarding

X11 Forwarding feature gives a Graphical User Interface (GUI) of your SSH server to the remote user. If X11 Forwarding is not disabled then any hacker, who has hacked your SSH session, can easily find all the data in your server. You can avoid this by disabling X11 Forwarding. This can be done by changing the ssh_config file as shown below

X11Forwarding no

Setting an Idle Timeout

Idle timeout means, if you do not do any activity in your SSH server for a specific interval of time, you are automatically logged out from your server

We can enhance security measures for our SSH server by setting an idle timeout. For example you SSH your server and after some time you get busy doing some other tasks and forget to logout of your session. This is a very high security risk for your SSH server. This security issue can be overcome by setting an idle timeout. Idle timeout can be set by changing our ssh_config file as shown below

ClientAliveInterval 600

By setting idle timeout to 600, the SSH connection will be dropped after 600 seconds (10 minutes) of not any activity.

Setting a Limited Password Tries

We can also make our SSH server secure by setting a specific number of password tries. This is helpful against brute force attackers. We can set a limit for password tries by changing ssh_config file.

MaxAuthTries 3

Restarting SSH Service

Many of the above methods need to restart SSH service after applying them. We can restart SSH service by typing the following command in the Terminal

ubuntu@ubuntu:~$ service ssh restart

Conclusion

After applying the above changes to your SSH server, now your server is much more secure than before and it is not easy for a brute force attacker to hack your SSH server.

About the author

Usama Azad

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14