It is important to secure your SSH server in order to protect it from brute force attacks and other forms of malicious exploits. Once a hacker gets control of your SSH server, they can cause significant damage to your site. It can also lead to data breaches and running of unknown bots and scripts from servers, without your knowledge. In this article, we will look at how to secure SSH server on your system.
How to Secure SSH Server on your System
Here are some of the things you can do to secure SSH server on your Linux system.
1. Use Strong Username & Password
Typically, it is advisable to log into SSH server only via private key. But if you have many users accessing your SSH server, you may need to give them password based access, instead of sharing private key with them. In such cases, you must set strong username & passwords that are a combination of alphabets, numbers and special characters with at least 8 characters in length. Do not use sequence of number or alphabets or any part of username. You may use any of the online password generators to generate strong passwords.
2. Don’t use Port 22
By default, SSH server runs on port 22. Almost every hacker knows this. Many scripts and bots are configured to send requests to port 22 automatically, to look for SSH server. So simply change your SSH server to run on a different port. Changing the port will make it difficult for hackers to guess the post number of SSH server. Here are the steps to change SSH port number. Open terminal and run the following command to open SSH server’s config file.
$ sudo vi /etc/ssh/sshd_config
Look for Port 22 and change it to Port 28. You may use any free port on your system. We have used port 28 for our purpose. Save and close the file. Restart SSH server with the following command.
$ sudo systemctl restart sshd
Here are the detailed steps to change SSH port in Linux.
3. Disable Root Login
When you log into SSH, you need to provide a Linux username to log in as. If you use root user to log into SSH server, it can compromise your system. Attackers with your root password can easily gain access to your system and cause damage. So you should disable root users from logging in and log in via non-root user. Once you have logged in, you can always use sudo command or su – command to run commands that require root privilege. Here are the steps to disable root login.
Open SSH config file in a text editor.
$ sudo vi /etc/ssh/sshd_config
Look for PermitRootLogin or PermitRootLogin yes and change it to.
PermitRootLogin no
Then add a non-root user that you will use to login as AllowUsers username. For example, if you want to log in as non-root user test_user then add the following line.
AllowUsers test_user
Restart SSH server.
$ sudo systemctl restart sshd
Here are the detailed steps to disable root SSH login.
4. Use Key-based login
As mentioned earlier, the safest way to log into SSH server is to use private keys. In this case, you create a public and private key. You need to install public key on SSH server. Now, you can connect to SSH server using public and private key, without using any password. In fact, you can also use a passphrase along with private key-based log in, for extra security. Here are the steps to setup key-based SSH Login.
5. Disable empty passwords
Sometimes Linux users are allowed to do SSH login via empty password. Please avoid this shortcut. It becomes very easy for hackers to enter your system, if you allow login using empty passwords. All they need to do is guess your username. So ensure that you disable empty passwords. Here are the steps to do it.
Open SSH config file in a text editor.
$ sudo vi /etc/ssh/sshd_config
Look for the following line.
PermitEmptyPasswords yes
and replace yes with no.
PermitEmptyPasswords no
Save and close the file. Restart SSH server.
$ sudo systemctl restart sshd
By default, SSH server does not allow login using empty password. So unless you have explicitly changed this setting, you don’t have to worry about it.
In this article, we have seen many easy ways to secure your SSH server from malicious attacks. You can quickly implement them and secure your SSH server.
Also read:
How to Create Shared Folders in Linux
How to Save Command Output to File in Linux
XARGS Command to Find & Delete Files
How to Reset Root Password in RHEL/CentOS/Fedora
How to Use Auto Indent in VI Editor