Menu

How to Secure OpenSSH Server with 5 Useful Tips

Written by , Updated on October 8, 2018
Security , ,

OpenSSH default configuration file is /etc/ssh/sshd_config, which contains all the configuration used by SSH server. All the options start with # symbols are used with default settings. To change any option first remove the # symbol, change the value and restart ssh server to reload the options.

This article will help you to secure the OpenSSH Server. Before starting these setting, I will recommend keeping you OpenSSH server up to date. There are many security updates comes from time to time, so try to update OpenSSH server once in a week.

Tip 1 – Change SSH Port

By default, ssh listen on standard port 22. The first step to secure your server is to change the port, because of this is known port by everyone. Edit the configuration file:

nano /etc/ssh/sshd_config

And update the Port option as below:

Port 2222

Now it required to specify the port number (-p 2222) while connecting ssh remotely like below.

ssh -p 2222 [email protected]

Tip 2 – Disable Root Access

By default root user are allowed to ssh from remote clients, For security purpose, we recommend to disable direct root access. Use any non-root account for ssh and then switch ( su – ) to root account.

To do this add “PermitRootLogin no” in ssh configuration file

PermitRootLogin no

Tip 3 – Disable Password Authentication

This is also a best practice to secure OpenSSH server. Disable password-based authentication and use public/private key pair only. It required to add public key on the server in order to access server.

PasswordAuthentication no

To access system using ssh, generate an ssh key pair and add a public key in server’s ~/.ssh/authorized_keys file. Only the users having private key can access the server using ssh. Read article to Setup passwordless ssh.

Tip 4 – Allow Specific Users and Groups

By default SSH server allowed all users to log in to the server. Sometimes we required to allow for some specific users or groups. Add below configuration to do the same.

Allow specific User: Use AllowUsers option to allow specific users only.

AllowUsers marc sarah

Allow Specific Groups: Use AllowGroups option to allow specific groups only.

AllowGroups admin webadmin

Deny Specific Users: Use DenyUsers to deny ssh access for specific users.

DenyUsers jack nick

Deny Specific Groups: Use DenyGroups option to deny specific groups for SSH.

DenyGroups jack nick

Tip 5 – Restrict SSH on Network Interface

This is useful for servers, which have one interface connected directly to the internet and another are connected on LAN. So it would be good to disable SSH on the internet facing interface. Use below option to do it.

ListenAddress 192.168.10.100
ListenAddress 127.0.0.1

After applying the above configuration, the OpenSSH server will listen only on the defined interface and can’t be accessed over any other interfaces.

Advance SSH Security with Port Knocking

Port knocking is not specifically depends with OpenSSH, You can use this security with any protocol like SSH, FTP or HTTP. Port knocking provides one more level of security. Read the following article to implement Port knocking

https://tecadmin.net/secure-ssh-connections-with-port-knocking-linux/

Rahul
Rahul
Connect on Facebook Connect on Twitter Connect on Google+

I, Rahul Kumar am the founder and chief editor of TecAdmin.net. I am a Red Hat Certified Engineer (RHCE) and working as an IT professional since 2009..

Related Posts

Leave a Reply

Copyright © 2013-2019 TecAdmin.net. All Rights Reserved. This site uses cookies. By using this website you agree with our term and services