Improving SSH Security on Linux

This is a quick post to inform you of some ways to keep your Linux machines well protected from hackers and bots. Today I realised some of these so called hackers had been brute forcing my web servers for the last few days; luckily they didn't prevail but it got me thinking. I'm going to tell you the steps I took to secure my server even further than it already was, and hopefully help you avoid the same troubles.


Deny Root Logins
This might seem like an obvious one, but most servers allow root logins by default. There are no reasons that anyone should be remote logging in using root account. Leaving this account open for logins is very dangerous and allows for easy brute force attacks to guess your password. The best part about this option is it's extremely easy. Use your favourite editor to open /etc/ssh/ssh_config and change PermitRootLogin to no. Make sure at least one other user on your machine has SSH if you are currently logging in as root as you won't be able to log back in after restarting the SSH daemon otherwise.

Limit Login Attempts
By limiting the amount of failed authentication attempts you are stopping bots from repeatedly attacking your connection and maybe eventually guessing your password. Again, this is a very easy change. Inside /etc/ssh/ssh_config change MaxAuthTries to 5. Any more than 5 wrong password attempts is almost definitely a hacking attempt, don't set the number too low or if you accidentally forget your password, or miss a key or too while typing like a maniac you may find yourself locked out of your own machine.

Use Keys instead of Passwords
If you're new to linux you may not know what keys are, but trust me, you want to. Keys allow you to login to your server without a password. “OH NO!?” I hear you say? Thankfully it's not as simple as that, access will be permitted to users who posses your private key file, which you must guard with your life! No need to remember long complex passwords, although it's still recommended, and it means hackers can't ever guess your password because your machine won't even be checking for them without this special key. First of all you're going to need to generate a key pair. Simply run the command below

$ ssh-keygen -v -t rsa

You will see an output similar to

Generating public/private rsa key pair.
Enter file in which to save the key (.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
18:c3:71:2d:56:13:e7:ff:34:e5:19:f8:2e:af:f3:94 [email protected]

Make sure that the keys you generated are in your home directory inside the .ssh directory. Notice that you are allowed to enter a blank password. This is nice and convinient, but I highly recommend against it, even if it's a simple 8 character password. This is because if your key were to end up in the hands of someone unfortunate then your server's security is now compromised as they can now login as you without a password!

Now to get your key onto your server. The easiest way to do this is to simply inject your new public key into your server's authorized_keys file.

$ cat id_rsa.pub | ssh [email protected] “cat >> ~/.ssh/authorized_keys”

The above command will put your newly generated public key onto the server, meaning you can now login with your private keys. Give this a quick test before you disable password logins to make sure it works.

$ ssh [email protected] -i id_rsa

If that works and you can login then you can go ahead and modify your /etc/ssh/ssh_config file with the below options.

PasswordAuthentication no
ChallengeResponseAuthentication no

Enforce Password Protected Keys
Unfortunately there isn't a way on the server to force using password protected keys, so as the server administrator you must enforce this yourself. Make sure that any user with access to your machine uses a strong password on their keys or else your machine is only as secure as your users private keys and where they are stored.

Change your port number
Another good way to defend against basic attacks is to change your port to something other than 22. Most bots and hackers will only try to attack this port and ignore others, but you can get around this by changing yours. Simply change PortNumber to any number above 1024 as ports below this are reserved for other services. Make sure you update your firewall to allow this new port or else you'll be blocked out, so be warned!

Summary
In all honesty, you will never be 100% secure against hackers if they are determined enough, but you can really make it harder for them and always keep on top of patches and check your logs regularly. There are also tools like DenyHosts which help blacklist hackers before they even get to your server. Feel free to post your own security tips in the comments, or suggest anything I might have missed in my article.