Securing SSH access

Sep 04, 2007

So you've got a shiny new server, it's connected to the net, and you (or your hosting company) has done the right thing by turning telnet off and forcing the much more secure option of using SSH to connect. But it doesn't end there, there are quite a few little things you can do to further tighten access and keep the boogey men at bay.

Setting up the server

First things first, lets move it off the default port 22. So many scripted and brute force attacks will try and blast at the defaults, and your memory isn't that bad that you have to stick with them. So pick a number, and edit/update the /etc/ssh/sshd_config file to have the following line:

Port 1022

Next, remove the legacy support for the less secure SSH1 protocol in favor of the newer more robust SSH2 protocol:

Protocol 2

You've already created a user and added yourself to sudoers, so there is no need for the root user to log in directly. Time to disable that. While we are at it, lets stop brute force attacks by reducing the number of incorrect attempts a user gets:

PermitRootLogin no

MaxAuthTries 2

Now onto the client

We can remove the need to enter our server password all the time by pushing our public key onto the server and using that to authenticate. If you already have a public/private key combination you can ignore this next step.

Creating your public/private keys is very straight forward on linux and mac, on windows you'll need to get putty. From the command line:

ssh-keygen -t dsa

This will prompt you for some questions and a passphrase, the default options will be fine. The keys will be saved to ~/.ssh/, so now we will move the contents of the public key up to the server.

cat ~/.ssh/id_dsa.pub | ssh username@server "cat >> .ssh/authorized_keys" 

ssh username@server chmod 600 .ssh/authorized_keys

Be sure to replace username and server with the appropriate values for the server we are setting up. Now you should be free to SSH onto the server, without a password!

Back to the server

Now that you don't need a password to get into the server, we can prevent people from trying to use one. We can also restrict the users that are permitted to access while we are at it. So back into /etc/ssh/sshd_config and update/edit the following lines:

PasswordAuthentication no

ChallengeResponseAuthentication no

AllowUsers username

Again being sure to change username to your username. Additional users can be entered, separated with a space. All done and dusted? Restart the SSH daemon:

sudo /etc/init.d/sshd reload

Hi, I'm Glenn! 👋 I've spent most of my career working with or at startups. I'm currently the Director of Product @ Ockam where I'm helping developers build applications and systems that are secure-by-design. It's time we started securely connecting apps, not networks.

Previously I led the Terraform product team @ HashiCorp, where we launched Terraform Cloud and set the stage for a successful IPO. Prior to that I was part of the Startup Team @ AWS, and earlier still an early employee @ Heroku. I've also invested in a couple of dozen early stage startups.