The default OpenSSH server configuration file is /etc/ssh/sshd_config; it holds every option the SSH server uses. Options that start with a # symbol are commented out and show the built-in default. To change one, remove the # symbol, set the new value, and restart the SSH server so the change takes effect.
This article will help you secure an OpenSSH server. Before changing these settings, I recommend keeping your OpenSSH server up to date: security updates are released from time to time, so check for OpenSSH updates about once a week.
Step 1: Change SSH Port
By default sshd listens on the standard port 22. The first step to secure your server is to change this port, because port 22 is known to everyone. Edit the configuration file and change the Port option as below.
# nano /etc/ssh/sshd_config
Port 2222
Now you have to specify the port number (-p 2222) when connecting over ssh, like below.
# ssh -p 2222 email@example.com
Step 2: Disable Root Access through SSH
By default the root user is allowed to log in over ssh from remote clients. For security purposes we recommend disabling direct root access: use a non-root account for ssh and then switch to root (su -).
To do this, set PermitRootLogin no in the ssh configuration file:
# nano /etc/ssh/sshd_config
PermitRootLogin no
Step 3: Disable Password Authentication, Use Key Pair Only
This is another best practice for securing an OpenSSH server: disable password-based authentication and use public/private key pairs only. Your public key must be added on the server before you can log in.
# nano /etc/ssh/sshd_config
PasswordAuthentication no
To access the system over ssh, generate an ssh key pair and add the public key to the server's ~/.ssh/authorized_keys file. Only users holding the matching private key can then log in. Read the article on setting up passwordless ssh.
Step 4: Allow/Deny Specific Users or Groups
By default the SSH server allows all users to log in. Sometimes you need to allow or deny specific users or groups; add the configuration below to do so.
Allow specific users: use the AllowUsers option to allow only the listed users.
# nano /etc/ssh/sshd_config
AllowUsers marc sarah
Allow specific groups: use the AllowGroups option to allow only the listed groups.
# nano /etc/ssh/sshd_config
AllowGroups marc sarah
Deny specific users: use DenyUsers to deny ssh access to specific users.
# nano /etc/ssh/sshd_config
DenyUsers jack nick
Deny specific groups: use the DenyGroups option to deny ssh access to specific groups.
# nano /etc/ssh/sshd_config
DenyGroups jack nick
Step 5: Restrict SSH on Specific Network Interface
This is useful for servers that have one interface connected directly to the internet and others connected to the LAN, where it is better not to expose SSH on the internet-facing interface. Use the option below to do it.
# nano /etc/ssh/sshd_config
ListenAddress 192.168.10.100
ListenAddress 127.0.0.1
After applying the configuration above, the OpenSSH server listens only on the listed addresses and cannot be reached on any other interface.
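As an added, self-contained example that is not part of the original article, the following POSIX shell helpers apply Steps 1 to 5 to a copy of sshd_config and then check the result. The port, user names and addresses are the article's own sample values; the sample configuration file is constructed here, and the helper names (set_sshd_option, add_sshd_option, get_sshd_option, harden_sshd_config, verify_hardened) are this example's assumptions. It goes a little beyond the article's hand edits in two ways: it also finds the commented-out defaults (#Port 22, #ListenAddress 0.0.0.0) so they cannot be left next to the new value, and it writes every new directive above the first Match block, because a directive placed after a Match line applies only to that block rather than globally.

```shell
#!/bin/sh
# Added example, not from the original article: edit a copy of sshd_config with
# the Step 1-5 settings and verify it. Helper names are this example's own.

# _write_sshd_option MODE FILE KEY VALUE
#   replace: drop every global "KEY ..." line (commented defaults included),
#            then write "KEY VALUE" once, above the first Match block
#   append:  keep existing lines and add one more (for multi-value keys)
# Lines inside a Match block are never touched: they are per-condition
# overrides, not the global default this function sets.
_write_sshd_option() {
    mode=$1; file=$2; key=$3; value=$4
    tmp="$file.tmp.$$"
    awk -v mode="$mode" -v k="$key" -v v="$value" '
        function is_key(l,    f) {
            sub(/^[ \t]*#?[ \t]*/, "", l)       # strip indent and a leading "#"
            split(l, f, /[ \t]+/)
            return tolower(f[1]) == tolower(k)  # sshd keywords are case-insensitive
        }
        function emit() { if (!done) { print k " " v; done = 1 } }
        tolower($1) == "match" { emit(); in_match = 1 }
        mode == "replace" && !in_match && is_key($0) { next }
        { print }
        END { emit() }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}
set_sshd_option() { _write_sshd_option replace "$@"; }
add_sshd_option() { _write_sshd_option append "$@"; }

# get_sshd_option FILE KEY: print the active global value(s), space separated
get_sshd_option() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }                     # comments do not count
        tolower($1) == "match" { exit }         # stop at the first Match block
        tolower($1) == tolower(k) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")     # keep everything after the keyword
            vals = vals (vals == "" ? "" : " ") $0
        }
        END { print vals }
    ' "$1"
}

# harden_sshd_config FILE: the five steps of the article, in order
harden_sshd_config() {
    cfg=$1
    set_sshd_option "$cfg" Port 2222                    # Step 1
    set_sshd_option "$cfg" PermitRootLogin no           # Step 2
    set_sshd_option "$cfg" PasswordAuthentication no    # Step 3
    set_sshd_option "$cfg" AllowUsers "marc sarah"      # Step 4
    set_sshd_option "$cfg" ListenAddress 192.168.10.100 # Step 5, first address
    add_sshd_option "$cfg" ListenAddress 127.0.0.1      # Step 5, second address
}

# verify_hardened FILE: return 0 only if every global setting is what we expect
verify_hardened() {
    cfg=$1
    [ "$(get_sshd_option "$cfg" Port)" = "2222" ] || return 1
    [ "$(get_sshd_option "$cfg" PermitRootLogin)" = "no" ] || return 1
    [ "$(get_sshd_option "$cfg" PasswordAuthentication)" = "no" ] || return 1
    la=$(get_sshd_option "$cfg" ListenAddress)
    case " $la " in
        "  "|*" 0.0.0.0 "*|*" :: "*) return 1 ;;        # unset or wildcard: every interface
    esac
    return 0
}

# Constructed sample file (not a real server's sshd_config). The Match block
# at the end is there to show that its own override is left alone.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample sshd_config
#Port 22
#ListenAddress 0.0.0.0
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
EOF
}

demo() {
    cfg=$(mktemp) || return 1
    sample_sshd_config > "$cfg"
    harden_sshd_config "$cfg"
    verify_hardened "$cfg" && echo "hardened copy written to $cfg:" && cat "$cfg"
}
demo
```

Run this against a copy of the file first and diff it against the real one before putting it in place. Before restarting sshd on the real file, run sshd -t as root so a syntax error cannot leave you without a working server, open the new port in the host firewall (and on SELinux systems register it with semanage port -a -t ssh_port_t -p tcp 2222), and keep your current session open until a second session on the new port, with the key-based login, has succeeded. For Step 4, keep in mind that sshd evaluates the four lists in the fixed order DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a user named in AllowUsers is still refused if one of their groups is in DenyGroups, and an AllowGroups line must name groups, not users.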
Advanced SSH Security with Port Knocking
Port knocking is not specific to OpenSSH; you can use it with any protocol, such as SSH, FTP or HTTP. Port knocking adds one more layer of security. Read the following article to implement port knocking.