Making your SSH service secure

SSH is extremely versatile and can be used to both mange your server and copy files to your server. Unless you have a real good reason to be using FTP still you really shouldn’t be (and you certainly shouldn’t be using telnet any more!)

It’s certainly worth taking some time to make sure your SSH service is secure and there is plenty you can do to accomplish this.

Here’s what I do with my servers plus some links to other things that you can do.

1 – Make sure you are running the latest version of the SSH daemon software

2 – Install denyhosts

Denyhosts can be configured to stop accepting connections from IP addresses that have made too many failed login attempts. It is configurable so you can specify how many failed login attempts to allow before the host is blocked, how long the host is blocked for … 

You can also whitelist your IP address if you’re worried about locking yourself out by adding it to the /etc/hosts.allow file

3 – Disable root logins via SSH

This is a really good one to do. At least half the brute force attempts to my SSH servers try and login as root. You can do this by changing –

"PermitRootLogin yes" to "PermitRootLogin no"

in the file /etc/ssh/sshd_config

4 – Only allow certain users to connect via SSH

This one’s pretty straight forward – only allow users you specify to connect via SSH. Just add this line to /etc/ssh/sshd_config

AllowUsers bob

5 – Make sure you’re running version 2 of SSH

Make sure that the following line is in your /etc/ssh/sshd_config file

Protocol 2

6 – Use good strong passwords!

Personally I feel confident that my server is pretty secure (as far as SSH goes) after doing the above, but there is a whole bunch of other stuff you can do if you feel differently!

7 – Change the port that SSH listens on – see here for info

Personally I don’t think this adds much because if someone wants to break in to your server a simple port scan will probably reveal the port SSH is listening on. It will certainly prevent a lot of the script kiddies appearing in your logs though

8 – Using public keys to login instead of passwords – see here for info

Remember, if you decide to do this you changes the security from something you know to something you have. You’ve got to make sure that you keep your private key secure. You can add a passphrase to your key to make it more secure (but less convenient)

9 – Use iptables to allow connections to SSH only from certain IP addresses

This could be useful if you always access your servers from a computer with a fixed IP address.

10 – Port knocking – see here for info

Now you’re really getting serious about protecting SSH!

There are lots more settings you can tweak in the /etc/ssh/sshd_config file to customize what people can do via SSH once they are logged on to your server. I would definitely be worth looking into this if you provide shell access to your users.