Secure Shell or SSH is a cryptographic (encrypted) network protocol operating at layer 7 of the OSI Model to allow remote login and other network services to operate securely over an unsecured network.
OpenSSH is a premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options. This article explains the important tasks involved in securing your SSH server setup.
A password is a string of characters that people can use to log on and access files, programs, and other resources. Passwords help ensure that people do not access the server unless they have been authorized to do so. A password can be made up of letters, numbers, symbols, and spaces. It should be easy for you to remember and unique to you, but hard for others to guess. Don’t use `admin123` or `admin`, etc.
The default port of the SSH service is 22; you should change it so that it is less obvious that your server is running an SSH service. The SSH configuration files live in the /etc/ssh/ directory, and the file you have to edit is /etc/ssh/sshd_config. To edit the sshd_config file, use the following command –
$ nano /etc/ssh/sshd_config
Search for the “Port” line, which should look like this –
Change it to your favorite port number. For example, we are using port number 1337, as shown below –
Please choose a port that is not yet in use on your server. To get a list of ports that are currently in use, run the command shown below –
$ netstat -ntap
SSH has two protocol versions: the old protocol 1, which is insecure, and the new protocol 2. You should therefore always use protocol 2, which has a strong cryptographic integrity check.
You should disable direct login for the root user because there are many brute-force attacks against the well-known root superuser account name. Instead, log in as a regular user and switch to the root user from the command line. To disable root login, use the following line in the /etc/ssh/sshd_config file.
You should add a new user for logging in to your server. Assuming that you have created the users tutorialspoint and linux to log in to your server, you can add the following line to the /etc/ssh/sshd_config file.
AllowUsers ruiko mikoto
We strongly recommend this option for securing OpenSSH rather than using password-based authentication. First, you have to create a public/private key pair on your local computer, as shown below –
$ ssh-keygen -t rsa -b 4096
The sample output should be like this –
Generating public/private rsa key pair.
Enter file in which to save the key (/home/linux/.ssh/id_rsa):
Created directory '/home/linux/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/linux/.ssh/id_rsa.
Your public key has been saved in /home/linux/.ssh/id_rsa.pub.
The key fingerprint is:
4a:a1:22:b4:e8:79:12:19:1e:a0:30:ee:93:db:cd:a1 linux@linux
The key's randomart image is:
+--[ RSA 4096]----+
|+                |
|=.               |
|.= .             |
|= * . .          |
|oO. ... S        |
|..*.+...         |
| = E o.          |
|      o          |
|                 |
+-----------------+
It creates 2 files in the ~/.ssh/ directory: id_rsa, the private key, and id_rsa.pub, the public key. When it prompts for a passphrase, you can leave it blank or type one; using a passphrase to protect your key is recommended. Now upload the public key id_rsa.pub to your server with the ssh-copy-id command, as shown below –
$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@serverip
It appends your public key to the file ~/.ssh/authorized_keys on your server. Now open the /etc/ssh/sshd_config file and uncomment the following line.
Now restart your ssh server with the following command –
$ sudo systemctl restart sshd
Finally connect to your server with the following command –
$ ssh -p '4422' 'user@serverIP'
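Before restarting sshd it is worth checking that every setting from the steps above actually took effect, since a directive left commented out, or a duplicate directive earlier in the file, silently keeps the default. The POSIX shell script below is an added example, not part of the original article or of OpenSSH itself: it reads the effective value of each directive the way sshd does (first uncommented match wins) and reports which of the article's recommendations (non-default Port, Protocol 2, PermitRootLogin no, AllowUsers, PubkeyAuthentication, PasswordAuthentication no) are not met. The two config files it audits are constructed samples written to a temporary directory; on a real host you would point audit_sshd_config at /etc/ssh/sshd_config. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config for the hardening
# settings discussed above. Sample configs below are constructed for the demo.

# Print the effective value of a directive. Comments are skipped and the FIRST
# uncommented match wins, which is how sshd resolves duplicate directives.
# Usage: sshd_directive <config-file> <directive-name>   (name is case-insensitive)
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Audit one config file: prints one line per check and returns the number of
# failed checks as its exit status (0 means every check passed).
audit_sshd_config() {
    cfg="$1"
    fails=0

    port=$(sshd_directive "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL Port: ${port:-unset} (still the default 22)"; fails=$((fails + 1))
    else
        echo "OK   Port: $port"
    fi

    proto=$(sshd_directive "$cfg" Protocol)
    if [ -n "$proto" ] && [ "$proto" != 2 ]; then
        echo "FAIL Protocol: $proto (only protocol 2 should be enabled)"; fails=$((fails + 1))
    else
        echo "OK   Protocol: ${proto:-2 (default)}"
    fi

    root=$(sshd_directive "$cfg" PermitRootLogin)
    if [ "$root" = no ]; then
        echo "OK   PermitRootLogin: no"
    else
        echo "FAIL PermitRootLogin: ${root:-unset} (direct root login still possible)"; fails=$((fails + 1))
    fi

    if [ -n "$(sshd_directive "$cfg" AllowUsers)" ]; then
        echo "OK   AllowUsers: restricted to an explicit list"
    else
        echo "FAIL AllowUsers: unset (any local account may log in)"; fails=$((fails + 1))
    fi

    pubkey=$(sshd_directive "$cfg" PubkeyAuthentication)
    if [ "$pubkey" = no ]; then
        echo "FAIL PubkeyAuthentication: no (key-based login is disabled)"; fails=$((fails + 1))
    else
        echo "OK   PubkeyAuthentication: ${pubkey:-yes (default)}"
    fi

    passwd=$(sshd_directive "$cfg" PasswordAuthentication)
    if [ "$passwd" = no ]; then
        echo "OK   PasswordAuthentication: no"
    else
        echo "FAIL PasswordAuthentication: ${passwd:-yes (default)} (keys are in use, so passwords can be disabled)"; fails=$((fails + 1))
    fi

    return "$fails"
}

# Constructed sample configs (written to a temp dir so the script runs offline).
tmpd=$(mktemp -d)
trap 'rm -rf "$tmpd"' EXIT
WEAK_CFG="$tmpd/sshd_config.before"
HARDENED_CFG="$tmpd/sshd_config.after"

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: a stock-looking config before hardening
#Port 22
Protocol 2,1
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF

cat > "$HARDENED_CFG" <<'EOF'
# constructed sample: the same file after the steps in this article
Port 1337
Protocol 2
PermitRootLogin no
AllowUsers ruiko mikoto
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "== before hardening =="
audit_sshd_config "$WEAK_CFG" || echo "-> $? check(s) failed"
echo "== after hardening =="
audit_sshd_config "$HARDENED_CFG" && echo "-> all checks passed"
```

The script only reads the global section of the file; directives inside `Match` blocks are not evaluated, so on a real host compare its report with `sshd -T`, which prints the configuration sshd will actually apply.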
Congratulations! Now, you know “OpenSSH Security Best Practices”. We’ll learn more about these types of commands in our next Linux post. Keep reading!