Secure SSH on our server
One of the most common methods to access our server (whether dedicated or a VPS server ) is through an SSH ( Secure Shell ) connection, so in my opinion it is necessary to secure SSH on our server to avoid security problems .
Most hosting companies provide SSH access for their dedicated servers and VPS because it allows you to manage the server completely using commands. SSH has the advantage that it uses encryption techniques to establish communication between client and server, thus preventing third parties from obtaining confidential data such as our username, password, personal photos, files with important information, etc …
It is well known by hackers that SSH is the most used method to access a server and therefore is one of its main objectives when auditing the security of a server. For this reason we must ensure SSH access to our server, which we will achieve by following the different basic tips of this article and thus prevent our SSH connection from being compromised.
One of the big security problems that affect SSH and many other remote connection programs is to keep the default values. As a general rule, the default values ??are safe, but if we change them we will achieve a considerable improvement in security.
In the article all commands have been tested under Ubuntu and Debian, in other distributions you may have to look for equivalent commands but the concepts to ensure SSH are the same for any distribution .
How to secure SSH on VPS or dedicated server
To implement the advice to ensure SSH, the first thing is to locate the configuration file of the SSH server that we can usually find in the path:
Change the access SSH port.
This measure should be put into practice on every server, since if they do not know the SSH port, they will hardly be able to establish a connection with the server (although there are methods to discover open ports of our server) .
Normally to access SSH through a client we use port
22 , which is the one that is configured by default. To change the default SSH port, run the following command as root:
We will see that in the first lines we are shown the Port 22 option, we have to edit the port number and change it to another one, for example
10321 , so that the line is Port 10321 and we save the changes with the combination of
CTRL+O keys. When establishing the new port, we must ensure that it is not used by another application (usually ports larger than 10,000 are usually free).
We only have to restart the SSH server with the command:
With these simple steps we can change the SSH port .
Verify that only protocol 2 is enabled.
There are two versions of the SSH protocol , an outdated version known as version 1 and a current version known as version 2 . We must verify in the SSH configuration file that only protocol 2 is enabled. This is achieved by checking that the option exists:
Limit users with access and IP addresses.
We can limit SSH access so that only certain users have access or certain IPs. This restricting the IP can be a problem if our internet provider assigns us dynamic IP, since the IP will change and we can lose SSH access, so be careful when restricting IP.
As always we have to edit the configuration file and use the “AllowUsers” option as follows:
- Allow access to specific user : in this example we will allow SSH access to the user named Juan .
- Allow user access by assigning it to IP : in this example we will see how to allow access to the user Juan only from IP 188.8.131.52
- When we define the IP we can use wildcards , for example:
Limit the number of access retries.
By editing the configuration file we can limit the maximum number of retries that a user will have to access via SSH . To achieve this we will use the Max AuthTries option. In the following example we limit to 3 retries:
Limit the number of login sessions from the same IP
With the option “MaxStartups” we can limit the number of open sessions from the same IP . For example, if we want to limit to 3 sessions per IP, we will use the following configuration line:
Following these five simple tips we will increase the security of our SSH server. I insist that at least following the first step and changing the SSH port is one of the basic steps we should always do to ensure SSH .