The Secure Shell (SSH) protocol is an important one: it allows secure remote login from one computer to another, and it also allows secure file transfers over insecure networks. Now that most services run in the cloud, here are some SSH security best practices to secure your systems. These may help you configure SSH on VPS systems from DigitalOcean, Linode, or similar providers. If you have a Virtual Private Cloud (VPC) at a service provider like AWS, GCP, Azure, or similar, please refer to Part-2 and Part-3.
If you have a remote system in the cloud with a public IP exposed for SSH access, you can follow these simple security measures:
- Use a different port for SSH. Change the default SSH port setting on the server by editing the /etc/ssh/sshd_config file. Look for “#Port 22” and change it to some other free port, like “Port 2222”, then restart the ssh service using the command:
$ systemctl restart sshd
- You can disable “Server SSH root login”. Look for “PermitRootLogin yes” in the /etc/ssh/sshd_config file, change it to “PermitRootLogin no”, and restart the ssh service.
Make sure you have another system user created beforehand, with a password for SSH login and with super-user access:
$ adduser user
$ passwd user
$ usermod -aG sudo user
Then, from your workstation, log in as “user” from the command line:
$ ssh user@remote-host
- You can disable “Password-based access” and allow SSH key-based login.
First, create an SSH keypair on your workstation:
$ ssh-keygen -N "" -t rsa -b 4096 -q
The above will create “id_rsa” (private key) and “id_rsa.pub” (public key) in ~/.ssh/. You need to copy “id_rsa.pub” to the remote system:
$ ssh-copy-id user@remote-host
Then, to disable “PASSWORD authentication” completely on the remote-host, look for “PasswordAuthentication yes” in /etc/ssh/sshd_config, change it to “PasswordAuthentication no”, and restart the ssh service.
Further, to disable “GSSAPI authentication” completely on the remote-host, look for “GSSAPIAuthentication yes” in /etc/ssh/sshd_config, change it to “GSSAPIAuthentication no”, and restart the ssh service.
Then, from your workstation, log in as usual.
- Further, you can configure some basic firewall software (ufw) to allow only the SSH TCP port.
$ sudo apt install ufw
$ sudo ufw allow OpenSSH
$ sudo systemctl enable ufw
$ sudo systemctl start ufw
$ sudo systemctl status ufw
$ sudo ufw app list
- Further, to defend against malicious login attempts, install fail2ban and configure it a little strictly:
$ sudo apt install ufw fail2ban
$ sudo cp /etc/fail2ban/jail.{conf,local}
Make changes to /etc/fail2ban/jail.local in the [sshd] section like below:
[sshd]
enabled = true
banaction = iptables-multiport
maxretry = 3
findtime = 1d
bantime = 4w
Then enable the service at startup and start it:
$ sudo systemctl enable fail2ban
$ sudo systemctl start fail2ban
$ sudo systemctl status fail2ban
Later, to check for malicious login attempts and the IPs your system has black-listed:
$ sudo fail2ban-client status sshd
- Further, you can enable “2-Factor auth” using “Google Authenticator”:
$ sudo apt install libpam-google-authenticator
$ google-authenticator
It will prompt interactively a couple of times. Just answer y-y-y-n-y in order. Install the “Google Authenticator” mobile app on your phone. The above command must have printed a QR code on the screen; just scan it using the “Google Authenticator” mobile app.
Next, edit the “/etc/pam.d/sshd” file and add the lines below at the top of the file:
# Google Authenticator
auth sufficient pam_google_authenticator.so
Next, edit the /etc/ssh/sshd_config file and change “ChallengeResponseAuthentication no” to “ChallengeResponseAuthentication yes”, and set “AuthenticationMethods” to “AuthenticationMethods publickey,keyboard-interactive”.
Then restart ssh service.
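To verify that the sshd_config changes from the steps above actually took effect on a host, here is a small POSIX sh audit script. It is added here and is not part of the original post; it assumes the plain “Keyword value” form of sshd_config, does not evaluate Match blocks, and treats an absent directive as a failure because sshd's compiled-in default would apply instead.

```shell
#!/bin/sh
# Audit an sshd_config against the settings recommended in this post.
# Assumptions: directives use the "Keyword value" form (not "Keyword=value"),
# Match blocks are not handled, and a directive that is absent counts as a
# failure because then sshd's compiled-in default applies instead.

# Print the effective value of a directive, lowercased. sshd honours the
# first uncommented occurrence and keywords are case-insensitive, so the
# first line whose first field equals the keyword wins. "#Port 22" does not
# match because its first field is "#Port".
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Compare one directive with its expected value. Prints PASS or FAIL and
# returns 0 on pass, 1 on fail.
check_directive() {
    file="$1"; key="$2"; want="$3"
    got=$(sshd_get "$file" "$key")
    if [ "$got" = "$want" ]; then
        echo "PASS $key $got"
        return 0
    fi
    echo "FAIL $key is '${got:-<unset>}', expected '$want'"
    return 1
}

# Run every check from the post (default file: /etc/ssh/sshd_config).
# Returns the number of failed checks, so exit status 0 means the file
# matches all recommendations.
audit_sshd_config() {
    file="${1:-/etc/ssh/sshd_config}"
    fails=0
    # Port must be set explicitly and moved off the default 22.
    port=$(sshd_get "$file" Port)
    if [ -n "$port" ] && [ "$port" != 22 ]; then
        echo "PASS Port $port"
    else
        echo "FAIL Port is '${port:-<unset>}', expected a port other than 22"
        fails=$((fails + 1))
    fi
    for pair in PermitRootLogin:no PasswordAuthentication:no \
                GSSAPIAuthentication:no ChallengeResponseAuthentication:yes \
                AuthenticationMethods:publickey,keyboard-interactive; do
        check_directive "$file" "${pair%%:*}" "${pair#*:}" || fails=$((fails + 1))
    done
    return "$fails"
}
```

Run it as `sh audit.sh /etc/ssh/sshd_config` after the restart; a non-zero exit status tells you how many of the six recommended settings are still missing.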
These are enough to secure any publicly accessible cloud system for SSH. Here I have shown commands for Ubuntu/Debian, but the same packages are available for other Linux variants as well; just use the respective package manager. For an advanced setup, please refer to Part-2 and Part-3.
That’s all.