Swiftorial Logo
Home
Swift Lessons
Matchups
CodeSnaps
Tutorials
Career
Resources

Securing SSH

1. Introduction

SSH (Secure Shell) is a protocol used to securely connect to remote servers. It provides encrypted communication and is essential for system administrators and developers. However, the default SSH configuration can be vulnerable to attacks. This tutorial will guide you through securing your SSH server.

2. Changing the Default SSH Port

By default, SSH runs on port 22. Changing the port can help obscure your server from automated attacks.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the line:

#Port 22

Uncomment it and change the port number:

Port 2222

Save and close the file, then restart the SSH service:

sudo systemctl restart sshd

3. Using SSH Key-Based Authentication

SSH keys provide a more secure way to login compared to passwords. Here’s how to set it up:

Generate a key pair on your local machine:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Press Enter to accept the default file location and optionally add a passphrase.

Copy the public key to the server:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@server_ip

Ensure the correct permissions are set on the server:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

4. Disabling Password Authentication

After setting up SSH keys, disable password authentication to prevent brute-force attacks.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the lines:

#PasswordAuthentication yes
#PermitEmptyPasswords no

Uncomment and change to:

PasswordAuthentication no
PermitEmptyPasswords no

Save and close the file, then restart the SSH service:

sudo systemctl restart sshd

5. Limiting SSH Access to Specific Users

Restrict SSH access to specific users for additional security.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Add the following line:

AllowUsers user1 user2

Replace user1 and user2 with the actual usernames. Save and close the file, then restart the SSH service:

sudo systemctl restart sshd

6. Enabling Two-Factor Authentication (2FA)

Adding two-factor authentication can provide an extra layer of security.

First, install the Google Authenticator PAM module:

sudo apt-get install libpam-google-authenticator

Next, run the Google Authenticator setup for the user:

google-authenticator

Answer the prompts to configure 2FA. Then, update the SSH configuration to use the new PAM module:

sudo nano /etc/pam.d/sshd

Add the following line at the end:

auth required pam_google_authenticator.so

Finally, edit the SSH configuration file to enable ChallengeResponseAuthentication:

sudo nano /etc/ssh/sshd_config

Find the line:

#ChallengeResponseAuthentication no

Uncomment and change to:

ChallengeResponseAuthentication yes

Save and close the file, then restart the SSH service:

sudo systemctl restart sshd

7. Conclusion

Securing your SSH server is crucial for protecting your systems from unauthorized access. By following the steps in this tutorial, you can enhance the security of your SSH configuration and reduce the risk of attacks.