OpenSSH security best practices


Secure Shell (SSH) is a cryptographic network protocol at the application layer (layer 7 of the OSI model) that allows remote login and other network services to operate securely over an untrusted network.

OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods and sophisticated configuration options. This article explains the most important steps for securing an OpenSSH server.

Use a Strong Password

A password is the string of characters a user presents to log in and access files, programs and other resources; it ensures that only authorized people reach the server. A password can contain letters, numbers, symbols and spaces. It should be long, unique to this account, memorable to you and hard for anyone else to guess. Never use values such as `admin`, `admin123` or `password`: they are the first entries in every brute-force wordlist. A long passphrase of several unrelated words is easier to remember than a short mix of symbols and is also far stronger. Passwords only matter as long as password logins are allowed at all; the key-based authentication described later takes them out of the picture.
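A quick way to make this rule checkable before a password is set, as an added example that is not part of the original article: the 14-character minimum, the three-of-four character-class rule and the short deny-list are choices made for this example, not an OpenSSH requirement, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): pre-flight check for a login
# password, plus a generator that only returns passwords passing the check.

# Constructed deny-list: the guesses brute-force tools try first.
DENYLIST='admin admin123 password password1 root toor 123456 qwerty letmein'

# password_ok PASSWORD [USERNAME] -> exit 0 if acceptable, 1 otherwise
password_ok() {
  local pw=$1 user=${2:-} lower ulower classes=0 bad
  lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
  ulower=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
  [ ${#pw} -ge 14 ] || return 1                 # length is the main defence
  for bad in $DENYLIST; do                      # exact deny-list hit
    [ "$lower" = "$bad" ] && return 1
  done
  if [ -n "$ulower" ]; then                     # must not embed the username
    case "$lower" in *"$ulower"*) return 1 ;; esac
  fi
  # Count character classes present; require at least three of four.
  printf '%s' "$pw" | grep -q '[[:lower:]]'  && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[[:upper:]]'  && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[[:digit:]]'  && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[^[:alnum:]]' && classes=$((classes + 1))
  [ "$classes" -ge 3 ]
}

# random_password [LENGTH]: draw from /dev/urandom until the check passes.
random_password() {
  local len=${1:-20} pw
  while :; do
    pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=-' < /dev/urandom | head -c "$len")
    password_ok "$pw" && { printf '%s\n' "$pw"; return 0; }
  done
}
```

Run `password_ok 'candidate' username` before `passwd`, or `random_password 24` to get one that will pass.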

Change the SSH Default Port

The default port of the SSH service is 22. Moving it to another port makes it less obvious that your server is running SSH and removes most of the automated scan noise from your logs, but it is not a security control by itself: a port scan finds the service in seconds, so treat this as a convenience rather than a defence. The SSH server configuration file is /etc/ssh/sshd_config (not /etc/sshd/), and editing it requires root. Open it with the following command –

$ sudo nano /etc/ssh/sshd_config

Search for the “Port” line; it should look like this (on many distributions it is commented out with a leading #, which means the default of 22 is in effect) –

Port 22

Change it to the port number you want. In this example we use port 1337, as shown below –

Port 1337

Choose a port that is not already in use on your server. Two caveats: ports below 1024 can only be bound by root, so moving sshd above 1024 gives up the guarantee that an unprivileged process cannot impersonate it; and you must open the new port in your firewall (and, on SELinux systems, label it for SSH) before restarting, or you will lock yourself out. Keep your current session open until a login on the new port has worked. The following command lists the ports currently in use (on recent distributions ss -ltnp gives the same view) –

$ sudo netstat -ntap

Always use protocol 2

SSH has two protocol versions: the old protocol 1, which has known cryptographic weaknesses (it relies on a CRC-32 check rather than a real MAC for integrity), and protocol 2, which uses strong cryptographic integrity checks (MACs) and Diffie-Hellman key exchange. Always use protocol 2. OpenSSH removed protocol 1 from the server in version 7.4 and from the client in 7.6, so on a current installation there is nothing to configure; on an older server set Protocol 2 in /etc/ssh/sshd_config and make sure no line reads Protocol 2,1, which would still let a client negotiate the weak version. Check your version with ssh -V.

Disable Root Login

You should disable direct login as root, because root is the account every brute-force attack targets first, and a compromise of it is a compromise of the whole system. Log in as an ordinary user instead and escalate with sudo (or su) when needed; this also gives you a per-user audit trail. To disable root login, set the following line in /etc/ssh/sshd_config (if automation really needs root over SSH, PermitRootLogin prohibit-password allows it with a key only, never with a password) –

PermitRootLogin no

Limit Users

You should create a dedicated, unprivileged user for logging in to your server, and then restrict SSH to exactly the accounts that need it; every other account, including service accounts that happen to have passwords, is then refused before authentication even starts. Assuming you have created the users ruiko and mikoto for this purpose, add the following line to /etc/ssh/sshd_config (AllowUsers takes a space-separated list and also accepts user@host patterns; AllowGroups does the same for a group) –

AllowUsers ruiko mikoto
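The port, root-login and AllowUsers changes above are all edits to the same file, and sshd only honours the first occurrence of a directive, so simply appending a line can silently have no effect. The following script, an added example rather than code from the original article, applies all three idempotently to whatever sshd_config path you hand it (try it on a scratch copy first, then on /etc/ssh/sshd_config as root) and checks for a port collision. The function names, the scratch-file workflow and the user names ruiko and mikoto are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): idempotent sshd_config edits.
set -u

# set_sshd_option FILE KEY VALUE
# sshd uses the FIRST occurrence of a directive, so rewrite the first line that
# is "KEY ..." or a commented-out "#KEY ..." (case-insensitive, as sshd parses
# keywords) and append only when no such line exists. Assumption: no Match
# block precedes the global settings; a directive inside one is Match-scoped.
set_sshd_option() {
  local file=$1 key=$2 value=$3
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
    awk -v k="$key" -v v="$value" '
      !done && tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" {
        print k " " v; done = 1; next
      }
      { print }' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # keeps the file's mode and owner
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_option FILE KEY -> the effective (first uncommented) value
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# port_in_use PORT -> 0 if a TCP listener is already bound to PORT
port_in_use() {
  local listeners
  if command -v ss >/dev/null 2>&1; then
    listeners=$(ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }')
  else
    listeners=$(netstat -ltn 2>/dev/null | awk '{ print $4 }')
  fi
  printf '%s\n' "$listeners" | grep -Eq "[:.]$1\$"
}

# harden_sshd_config FILE PORT USER...
harden_sshd_config() {
  local file=$1 port=$2; shift 2
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" AllowUsers "$*"
}

# check_sshd_config FILE: syntax check with sshd -t (needs root to read the
# host keys), then print the effective values with sshd -T to confirm them.
check_sshd_config() {
  command -v sshd >/dev/null 2>&1 || { echo "sshd not installed, skipping" >&2; return 0; }
  sshd -t -f "$1" && sshd -T -f "$1" | grep -Ei '^(port|permitrootlogin|allowusers) '
}

# Demo on a scratch copy with constructed contents; point it at
# /etc/ssh/sshd_config (as root) for real use.
scratch=$(mktemp)
printf '#Port 22\nPermitRootLogin yes\nX11Forwarding no\n' > "$scratch"
if port_in_use 1337; then echo "port 1337 is already taken" >&2; fi
harden_sshd_config "$scratch" 1337 ruiko mikoto
cat "$scratch"
rm -f "$scratch"
```

Running it twice leaves the file unchanged the second time, which is what lets you keep the script in configuration management. Run `check_sshd_config /etc/ssh/sshd_config` as root before every restart; a syntax error in sshd_config stops sshd from starting at all.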

Use Key Based Authentication

We strongly recommend key-based authentication over password authentication: a private key cannot be guessed by a brute-force attack and is never sent to the server. First create a public/private key pair on your local computer as shown below (RSA 4096 is shown; on current OpenSSH, -t ed25519 gives a shorter, faster key of equivalent strength) –

$ ssh-keygen -t rsa -b 4096

The sample output should be like this –

Generating public/private rsa key pair.
Enter file in which to save the key (/home/linux/.ssh/id_rsa):
Created directory '/home/linux/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/linux/.ssh/id_rsa.
Your public key has been saved in /home/linux/.ssh/id_rsa.pub.
The key fingerprint is:
4a:a1:22:b4:e8:79:12:19:1e:a0:30:ee:93:db:cd:a1 linux@linux
The key's randomart image is:
+--[ RSA 4096]----+
|+                |
|=.               |
|.= .             |
|= * . .          |
|oO. ... S        |
|..*.+...         |
| = E o.          |
| o               |
|                 |
+-----------------+

It creates two files in the ~/.ssh/ directory: id_rsa, the private key, which never leaves your machine, and id_rsa.pub, the public key. When prompted for a passphrase you may leave it blank, but protecting the key with a passphrase is strongly recommended: a stolen key file is then useless on its own, and ssh-agent saves you from retyping it. Now upload the public key id_rsa.pub to your server with the ssh-copy-id command as shown below (it asks for your password this one last time) –

$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@serverip

It appends your public key to the file ~/.ssh/authorized_keys on the server and fixes the permissions of ~/.ssh (700) and authorized_keys (600), which sshd insists on. OpenSSH reads that file by default, so the following line in /etc/ssh/sshd_config only needs to be present and uncommented if it was changed. What actually makes the server key-only is PasswordAuthentication no; set it only after a key login has succeeded from a second terminal, with the first session still open –

AuthorizedKeysFile %h/.ssh/authorized_keys

Check the syntax with sudo sshd -t, then restart your SSH server with the following command (on Debian and Ubuntu the unit is called ssh) –

$ sudo systemctl restart sshd

Finally connect to your server on the new port with the following command –

$ ssh -p 1337 user@serverIP
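Putting the key steps together, as an added example that is not from the original article: this script installs a public key the way ssh-copy-id does, but idempotently and with the permissions sshd requires, optionally pins the key to a source network with an authorized_keys option, and writes the drop-in file that finally turns password logins off. The function names, the constructed sample key line, the 203.0.113.0/24 network and the /etc/ssh/sshd_config.d drop-in directory (read by OpenSSH 8.2 and later through Include) are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): authorized_keys installer
# and key-only drop-in. Names and sample data below are this example's own.
set -u

file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# install_authorized_key HOME PUBKEY_LINE [OPTIONS]
# PUBKEY_LINE is the contents of id_*.pub; OPTIONS is an optional
# authorized_keys option string such as 'from="203.0.113.0/24",no-pty'.
install_authorized_key() {
  local home=$1 pub=$2 opts=${3:-}
  local dir="$home/.ssh" ak="$home/.ssh/authorized_keys"
  # With StrictModes (the default) sshd ignores keys in a group- or
  # world-writable ~/.ssh, so set the modes explicitly rather than trust umask.
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$ak" && chmod 600 "$ak"
  # Match on "keytype base64blob" so a re-run with a different comment or
  # options does not add a duplicate entry for the same key.
  local keyid
  keyid=$(printf '%s\n' "$pub" | awk '{ print $1, $2 }')
  if grep -Fq -- "$keyid" "$ak"; then
    return 0
  fi
  if [ -n "$opts" ]; then
    printf '%s %s\n' "$opts" "$pub" >> "$ak"
  else
    printf '%s\n' "$pub" >> "$ak"
  fi
}

# write_keyonly_dropin DIR -> prints the path DIR/50-keyonly.conf
# For DIR=/etc/ssh/sshd_config.d this is picked up by the Include line that
# OpenSSH 8.2+ packages ship; on older releases put the same lines in
# /etc/ssh/sshd_config itself.
write_keyonly_dropin() {
  local out="$1/50-keyonly.conf"
  cat > "$out" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
# Older releases spell this ChallengeResponseAuthentication.
KbdInteractiveAuthentication no
EOF
  printf '%s\n' "$out"
}

# Constructed sample public-key line (not a real key), used by the demo.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealXXXXXXXXXX ruiko@laptop'

demo() {
  local tmp; tmp=$(mktemp -d)
  install_authorized_key "$tmp" "$SAMPLE_PUB" 'from="203.0.113.0/24",no-port-forwarding'
  install_authorized_key "$tmp" "$SAMPLE_PUB"        # second run is a no-op
  if command -v ssh-keygen >/dev/null 2>&1; then
    # A real ed25519 key with a passphrase, generated into the scratch dir.
    ssh-keygen -q -t ed25519 -N 'demo passphrase' -C demo -f "$tmp/id_ed25519"
    install_authorized_key "$tmp" "$(cat "$tmp/id_ed25519.pub")"
    ssh-keygen -lf "$tmp/id_ed25519.pub"            # fingerprint to compare on the server
  fi
  cat "$tmp/.ssh/authorized_keys"
  cat "$(write_keyonly_dropin "$tmp")"
  rm -rf "$tmp"
}
demo
```

Apply the drop-in with the first session still open: copy 50-keyonly.conf into /etc/ssh/sshd_config.d as root, run sshd -t, restart sshd, and only then test a fresh key login from a second terminal; if it fails, delete the drop-in and restart again from the session you kept.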

Congratulations! You now know the basic OpenSSH security best practices: a strong password, a non-default port, protocol 2, no root login, an explicit AllowUsers list and key-based authentication. We’ll cover more Linux hardening commands in our next post. Keep reading!

Updated on: 18-Oct-2019
