How to harden an SSH server?

Use public/private key pairs for authentication instead of passwords.

  1. Generate a passphrase-protected SSH key for every computer that needs to access the server:

    ssh-keygen

  2. Permit public-key SSH access from the allowed computers:

    Copy the contents of ~/.ssh/id_rsa.pub from each computer into individual lines of ~/.ssh/authorized_keys on the server, or run ssh-copy-id [server IP address] on every computer to which you are granting access (you'll have to enter the server password at the prompt).

  3. Disable password SSH access:

    Open /etc/ssh/sshd_config, find the line that says #PasswordAuthentication yes, and change it to PasswordAuthentication no. Restart the SSH server daemon to apply the change (sudo service ssh restart).

Now, the only possible way to SSH into the server is to use a key that matches a line in ~/.ssh/authorized_keys. Using this method, I don't care about brute force attacks because even if they guess my password, it will be rejected. Brute-forcing a public/private key pair is impossible with today's technology.


I would suggest:

  • Using fail2ban to prevent brute force login attempts.

  • Disabling logging in as root via SSH. This means an attacker had to figure out both the username and the password making an attack more difficult.

    Add PermitRootLogin no to your /etc/ssh/sshd_config.

  • Limiting the users that can SSH to the server. Either by group or just specific users.

    Add AllowGroups group1 group2 or AllowUsers user1 user2 to limit who can SSH to the server.


Other answers provide security, but there is one thing you can do which will make your logs quieter, and make it less likely that you'll be locked out of your account:

Move the server from port 22 to another one. Either at your gateway, or on the server.

It doesn't increase the security, but does mean all the random internet scanners won't clutter up you log files.

Tags:

Security

Ssh