Table of Contents
- Installing SSH
- Configure SSH to log in with SSH keys instead of a password
- Secure the SSH configuration file
- Change the default SSH port
- Use SSH2
- Use a whitelist and a blacklist to limit user access
- Disable root login
- Hide last login
- Restrict SSH logins to specific IP addresses
- Disable password authentication
- Disable .rhosts
- Disable host-based authentication
- Set a login grace timeout
- Set maximum startup connections
- Disable forwarding
- Log more information
- Disable empty passwords
- Set idle timeout interval
- Restart SSH for the changes to take effect
- Secure SSH using TCP wrappers
- Secure SSH using iptables
Secure Shell (SSH) is a protocol used to provide secure and encrypted communication over a network. It is most widely used by Linux system administrators for remote server management. It can also be used to transfer files over a network. Therefore, SSH security is very important.
- A server running Ubuntu v. 14.04
- A desktop machine running Linux (suggested)
To install the SSH server on your server, run the following command:
sudo apt-get install openssh-server
To install the SSH client on your desktop, run the following command:
sudo apt-get install openssh-client
Configure SSH to log in with SSH keys instead of a password
Using passwords for SSH authentication is insecure. If one of your users sets a weak password, your server can be compromised. To avoid this, you can use
ssh key for authentication without a password.
Generate SSH keys
To generate SSH keys on your client machine, run the following command:
cd ~/.ssh ssh-keygen -t rsa
Simply press the enter key at every question. This will produce two files:
id_rsa.pub (the public key) and
id_rsa (the private key).
This will output something like.
Create an SSH folder
On your server, create the folder for SSH with the command:
mkdir -p ~/.ssh/
Copy the public key file to your server
On your desktop, copy the
id_dsa.pub file to your server using the following command:
scp -P "ssh-port" ~/.ssh/id_dsa.pub username@serverip-address:~/.ssh
Update the public key file
Change the filename and permissions:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys chmod 700 .ssh chmod 600 .ssh/authorized_keys rm .ssh/id_rsa.pub
Now you can log into your SSH server without a password.
Run the following command from your desktop to test it.
ssh -P "ssh-port" username@serverip-address
Secure the SSH configuration file
You can change the default security options by editing
sudo nano /etc/ssh/sshd_config
Here are some suggestions for default settings that you may want to change.
Once you have made your changes, be sure to save and exit the
sshd_config file and restart the SSH server with:
sudo service ssh restart
Change the default SSH port
By default, most servers listen for SSH connections on port
22. Hackers can use a port scanner to find whether an SSH service running or not. So it is recommended to change the default port.
To change default port from
8908, change the following line:
SSH protocol 1 (SSH1) contains many security vulnerabilities. Using protocol 2 (SSH2) instead is strongly recommended.
By default, SSH2 should be set. If not then change the Protocol line to use SSH2.
Use a whitelist and a blacklist to limit user access
Using a whitelist to allow specific users SSH access, and a blacklist to disallow other users, will improve your SSH security.
validuser2, add the following line:
AllowUsers validuser1 validuser2
baduser2, add the following line:
DenyUser baduser1 baduser2
Disable root login
A common attack is to attempt to use
root to log into a server with SSH. Since this is a big security risk, disable root SSH login by changing PermitRootLogin from without-password to:
Hide last login
You can hide last login user by editing the following line.
Restrict SSH logins to specific IP addresses
By default SSH will accept connections from any external IP address. If you want to restrict SSH to only allow a connection from a specific IP address, you can add a ListenAddress line.
For example, if you want to only accept SSH connections from IP address 192.168.1.2 you would add the line:
Disable password authentication
Password authentication in SSH is a big security risk if your user sets a weak password. See this section for instructions on how to set up SSH key authentication
To disable password authentication change the PasswordAuthentication line to read:
By default SSH doesn't allow
.rhosts files specify which users can access the r-commands (such as
rsh) on the local system without a password.
IgnoreRhosts yes RhostsAuthentication no RSAAuthentication yes
Disable host-based authentication
SSH's host-based authentication is more secure than
rhosts authentication. However, trusted hosts are still considered a security risk.
By default the HostbasedAuthentication option is disabled, if not then change the following line:
Set a login grace timeout
The "LoginGraceTime" specifies how long after a connection request the SSH server will wait before disconnecting. The recommended value for login grace timeout is 60 seconds.
You can change this value by editing following line:
Set maximum startup connections
Limiting the maximum number of concurrent connections to the SSH daemon can help protect your SSH server from a brute force attack.
You can set this value by editing following line to the number of concurrent connections you want to allow. For this example, we have chosen 2:
Hackers can user port forwarding technique to tunnel network connections through an SSH session to login into systems.
To disable this change the following lines:
AllowTcpForwarding no X11Forwarding no
Log more information
By default, SSH logs everything. If you want to log more information like failed login attempts. you can change the value from
For this change the following line:
Disable empty passwords
You will want to deny login to users with an empty (blank) password.
By default this option is disabled, if not then change the following line:
Set idle timeout interval
SSH allows users to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.
You can set the number of seconds by adding the following line:
ClientAliveInterval 300 ClientAliveCountMax 0
Restart SSH for the changes to take effect
Once you have finished editing the
/etc/ssh/sshd_config file, save and exit the fire, then restart the SSH server:
sudo service ssh restart
Secure SSH using TCP wrappers
TCP wrapper provides host-based access control to network services, which is used to filter network access to the internet.
You can allow SSH only from the IP addresses 192.168.1.100 and 172.16.20.10 IP's by editing the
sudo nano /etc/hosts.allow
Add the following line:
sshd : 192.168.1.100 172.16.20.10
Secure SSH using iptables
You can restrict SSH connection to only allow authorized IP addresses.
To allow SSH connections only from 192.168.1.200 run the following command:
sudo iptables -A INPUT -p tcp -m state --state NEW --source 192.168.1.200 --dport 8908 -j ACCEPT
To disable SSH connection from all other hosts run the following command:
sudo iptables -A INPUT -p tcp --dport 8908 -j DROP
Now save your new rules using following command:
sudo iptables-save > /etc/iptables/rules.v4