A core principle in any kind of security is to limit the number of vectors into your system. Said another way, if there’s a door open that you’re not going to use you should close and lock it. Most Linux servers these days are running SSH. What can we do to make sure our server’s SSH daemon is secure?
If you’re running a server on the public Internet with port 22 open you are being attacked. If you don’t believe me check your sshd logs. You’ll see a ton of login attempts for various usernames. Fortunately, there are a few simple things you can do to thwart the most common attacks.
The first thing you should do is disable root login via SSH. There is no reason to expose root to the world. You should create a normal user and use sudo or su to run commands as root. You want to keep people guessing about which usernames exist on your system. Plus, an attacker gaining root access to your system is far worse than an attacker gaining normal user access.
# Add this line to your sshd_config
PermitRootLogin no
Next, you should set up key-based authentication for your normal user and disable password authentication. This negates all brute-force password attempts: the only way someone can access the server via SSH is by having your private key. For added security, you can add a passphrase to your key so that an extra secret is required to log in.
# Add this line to your sshd_config
PasswordAuthentication no
With these two changes you have protected yourself from some of the most common SSH attacks, and you can rest easier at night. However, we usually aren’t just running SSH. How can we protect the rest of our services? Next time we’ll take a look at iptables, the Linux firewall.
Another good tactic is to have SSH listen on a different port, such as 2222. This doesn't help you against someone who is specifically targeting your server, but most attacks are run by scripts that typically only probe for common vulnerabilities on standard ports. This is a simple change:
# Change the Port line to some other port
Port 2222
Now whenever you connect via ssh you will just need to specify the port with the -p option.
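As an added example (not from the original post), here is a small POSIX shell audit script that checks an sshd_config for the three settings covered above and reports which ones are still at a weak value. The function names, the two sample config files it writes, and the temporary file paths are my own constructions; it handles the "Keyword value" syntax the post uses and stops at the first Match block, since directives after that apply only conditionally.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# three hardening settings discussed above (PermitRootLogin, PasswordAuthentication, Port).

# sshd_setting FILE KEYWORD
# Prints the effective value of KEYWORD, or nothing if it is not set.
# sshd uses the FIRST uncommented occurrence of a keyword, so we do the same,
# and we stop at a "Match" line because later directives are conditional.
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }           # skip comment lines
        tolower($1) == "match"      { exit }           # conditional section follows
        tolower($1) == tolower(key) { print $2; exit } # first match wins
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per setting; returns 0 if root login and password
# authentication are both disabled, 1 otherwise. The port is reported
# as a note only, since a non-standard port is optional hardening.
audit_sshd_config() {
    cfg="$1"
    rc=0
    root=$(sshd_setting "$cfg" PermitRootLogin)
    pass=$(sshd_setting "$cfg" PasswordAuthentication)
    port=$(sshd_setting "$cfg" Port)

    case "$root" in
        no) echo "ok:   PermitRootLogin no" ;;
        *)  echo "WEAK: PermitRootLogin is '${root:-unset}' (only 'no' fully disables root login)"; rc=1 ;;
    esac
    case "$pass" in
        no) echo "ok:   PasswordAuthentication no" ;;
        *)  echo "WEAK: PasswordAuthentication is '${pass:-unset}' (sshd defaults to yes)"; rc=1 ;;
    esac
    case "${port:-22}" in
        22) echo "note: Port is 22 (default); consider moving to an alternate port" ;;
        *)  echo "ok:   Port ${port}" ;;
    esac
    return $rc
}

# write_sample_config weak|hardened FILE
# Writes a constructed sample sshd_config so the audit can be tried offline.
write_sample_config() {
    case "$1" in
        weak) cat > "$2" <<'EOF'
# Constructed sample: a typical unhardened default
#Port 22
PermitRootLogin yes
#PasswordAuthentication yes
EOF
        ;;
        hardened) cat > "$2" <<'EOF'
# Constructed sample: the three changes from the post applied
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
        ;;
    esac
}

# When given a path (e.g. /etc/ssh/sshd_config), audit that file.
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Two caveats when applying the post's edits: because sshd honours the first uncommented occurrence of a keyword, appending `PermitRootLogin no` below an existing uncommented `PermitRootLogin yes` changes nothing, so edit or remove the earlier line instead; and `sshd -T` prints the effective configuration, which is the authoritative check. Reload sshd after editing, and keep your current session open while you confirm a fresh login on the new port still works so a mistake does not lock you out.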
Doing these things on your server, or some combination of them, will thwart the most common SSH attacks.