TecAdmin

How to Secure OpenSSH Server with 5 Useful Tips

Written by Rahul, Updated on October 8, 2018

The default OpenSSH server configuration file is /etc/ssh/sshd_config, which contains all the configuration used by the SSH server. Options on lines that start with the # symbol are commented out and use their default settings. To change an option, first remove the # symbol, change the value, and then restart the SSH server to reload the options.

This article will help you secure the OpenSSH server. Before applying these settings, I recommend keeping your OpenSSH server up to date. Security updates are released from time to time, so try to update the OpenSSH server once a week.

Tip 1 – Change SSH Port

By default, SSH listens on the standard port 22. The first step to secure your server is to change the port, because this port is known to everyone. Edit the configuration file:

nano /etc/ssh/sshd_config

And update the Port option as below:

Port 2222

You are now required to specify the port number (-p 2222) when connecting over SSH remotely, as shown below.

ssh -p 2222 [email protected]

Tip 2 – Disable Root Access

By default, the root user is allowed to SSH in from remote clients. For security purposes, we recommend disabling direct root access. Use any non-root account for SSH and then switch ( su - ) to the root account.

To do this, add "PermitRootLogin no" to the SSH configuration file:

PermitRootLogin no

Tip 3 – Disable Password Authentication

This is also a best practice for securing the OpenSSH server. Disable password-based authentication and use a public/private key pair only. The public key must be added on the server in order to access it.

PasswordAuthentication no

To access the system using SSH, generate an SSH key pair and add the public key to the server's ~/.ssh/authorized_keys file. Only users who hold the private key can access the server using SSH. See the article on how to set up passwordless SSH.

Tip 4 – Allow Specific Users and Groups

By default, the SSH server allows all users to log in to the server. Sometimes we need to allow only specific users or groups. Add the configuration below to do so.

Allow Specific Users: Use the AllowUsers option to allow specific users only.

AllowUsers marc sarah

Allow Specific Groups: Use AllowGroups option to allow specific groups only.

AllowGroups admin webadmin

Deny Specific Users: Use DenyUsers to deny ssh access for specific users.

DenyUsers jack nick

Deny Specific Groups: Use DenyGroups option to deny specific groups for SSH.

DenyGroups jack nick

Tip 5 – Restrict SSH on Network Interface

This is useful for servers that have one interface connected directly to the internet and another connected to the LAN. In that case it is good to disable SSH on the internet-facing interface. Use the option below to do it.

ListenAddress 192.168.10.100
ListenAddress 127.0.0.1

After applying the above configuration, the OpenSSH server will listen only on the defined interface and can’t be accessed over any other interfaces.
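
To check a configuration file against the five tips above, the following script can be used. It is an added example, not code from the original article; the function names effective_value and audit_sshd_config and the sample file are assumptions. It reads only the global section of a single file and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config-style
# file against the five tips. Function names and sample data are assumptions.

# Print the first uncommented value of KEYWORD in FILE's global section.
# sshd keeps the first value it reads for a keyword and matches keyword
# names case-insensitively, so a later duplicate line has no effect.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }              # commented out or blank: default applies
        tolower($1) == "match" { exit }      # Match blocks are conditional; stop here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Print one line per tip that is not applied; return non-zero if any.
audit_sshd_config() {
    f=$1; rc=0
    port=$(effective_value "$f" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "tip1: Port is still 22"; rc=1
    fi
    [ "$(effective_value "$f" PermitRootLogin)" = "no" ] ||
        { echo "tip2: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(effective_value "$f" PasswordAuthentication)" = "no" ] ||
        { echo "tip3: PasswordAuthentication is not 'no'"; rc=1; }
    acl=""
    for k in AllowUsers AllowGroups DenyUsers DenyGroups; do
        acl="$acl$(effective_value "$f" "$k")"
    done
    [ -n "$acl" ] || { echo "tip4: no Allow*/Deny* user or group rule"; rc=1; }
    [ -n "$(effective_value "$f" ListenAddress)" ] ||
        { echo "tip5: no ListenAddress, sshd listens on all interfaces"; rc=1; }
    return "$rc"
}

# Constructed sample: Port is commented out, and the second
# PasswordAuthentication line is ignored because the first one wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 2222
permitrootlogin no
PasswordAuthentication yes
PasswordAuthentication no
AllowUsers marc sarah
EOF
audit_sshd_config "$sample" || echo "hardening incomplete"
rm -f "$sample"
```

On a live host, sshd -t checks the file for syntax errors before a restart, and sshd -T prints the effective configuration including defaults.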

Advanced SSH Security with Port Knocking

Port knocking is not specific to OpenSSH. You can use it with any protocol, such as SSH, FTP or HTTP. Port knocking provides one more level of security. Read the following article to implement port knocking:

https://tecadmin.net/secure-ssh-connections-with-port-knocking-linux/


I, Rahul Kumar, am the founder and chief editor of TecAdmin.net. I am a Red Hat Certified Engineer (RHCE) and have been working as an IT professional since 2009.

© 2013-2021 Tecadmin.net. All Rights Reserved | Terms  | Privacy Policy