5 Tips to Harden SSH Server
In this tutorial we will look at securing an SSH server against unauthorized access. SSH is the primary way to remote into Linux VPS or cloud servers, and it is also one of the primary attack vectors for bad guys. It's important that we secure it as much as possible.
Your SSH Server is Being Attacked
Run the following command on your Linux server and you will see how often malicious people are trying to get SSH access to your server. To be honest, some of my SSH servers are being attacked every minute.
sudo journalctl -xe | grep sshd
It's very common for bad guys to brute-force the root user's password. Here's a snippet of the output of the above command on my Linux server.
sshd: Failed password for invalid user root from 18.104.22.168 port 42803 ssh2
sshd: Failed password for invalid user root from 22.214.171.124 port 42803 ssh2
sshd: Failed password for invalid user root from 126.96.36.199 port 42803 ssh2
sshd: Received disconnect from 188.8.131.52: 11: [preauth]
sshd: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=184.108.40.206 user=root
Below are 5 tips to harden your SSH server against attacks.
Tip #1: Disable Root SSH Login
It's a very bad idea to allow the root user to log in via SSH. It's no secret that every Linux system has a user named root, so your server is vulnerable to brute-force attack if root is able to log in via SSH. Instead, we can create another user that has the ability to log in via SSH and disable root SSH login. The attacker then has to figure out both the user name and the password.
Use useradd to create another user. Replace newuser with your preferred user name. Then set a password for the new user.
Verify that this new user can log in via SSH and is able to use the su - command to switch to the root user. Then edit the SSH daemon configuration file.
Find the line that controls root login and change it so that root SSH login is disabled.
Also add a line at the end of this file that ensures the new user can log in via SSH.
Save and close this file. Then restart the SSH service:
systemctl restart sshd
From here on out, only the new user can log in via SSH, and this user can then switch to root using the su - command.
If an attacker tries to log in as a user for whom SSH login is disabled (such as root), you will see the following line in your SSH log.
Failed password for invalid user root
Here invalid means the user doesn't exist on the system or has no SSH login permission. If a user who does have SSH login permission typed a wrong password, you will see a line like:
Failed password for the-username
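As an added example that is not part of the original post, the small triage script below separates the two kinds of failure lines just described and counts them per source address. The log lines inside it are constructed samples using the RFC 5737 documentation IP ranges, not real traffic.

```shell
#!/bin/sh
# Constructed sshd log lines for the demo (documentation IP ranges,
# RFC 5737); not real traffic.
SAMPLE_LOG='sshd[1201]: Failed password for invalid user root from 192.0.2.10 port 42803 ssh2
sshd[1201]: Failed password for invalid user root from 192.0.2.10 port 42810 ssh2
sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 42815 ssh2
sshd[1203]: Failed password for invalid user root from 198.51.100.7 port 51022 ssh2
sshd[1205]: Failed password for newuser from 203.0.113.5 port 39014 ssh2
sshd[1205]: Accepted password for newuser from 203.0.113.5 port 39015 ssh2'

# Summarise failed logins per source IP from log text on stdin.
# "invalid user" lines target accounts that do not exist or are not
# allowed to log in; plain "Failed password for <user>" lines are wrong
# passwords for a permitted account, which deserve a closer look.
# Output, most attempts first:  <ip> invalid=<n> valid=<n>
failed_logins_by_ip() {
    awk '
        function src() { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1) }
        /Failed password for invalid user / { ip = src(); inv[ip]++; total[ip]++; next }
        /Failed password for /              { ip = src(); val[ip]++; total[ip]++ }
        END {
            for (ip in total)
                printf "%d %s invalid=%d valid=%d\n", total[ip], ip, inv[ip] + 0, val[ip] + 0
        }
    ' | sort -rn | cut -d" " -f2-
}

# Print only the IPs that failed more than $1 times (default 3), e.g. as
# candidates to review before tightening the firewall allow list (Tip #4).
noisy_sources() {
    threshold="${1:-3}"
    failed_logins_by_ip | awk -v t="$threshold" '
        { split($2, a, "="); split($3, b, "="); if (a[2] + b[2] > t) print $1 }'
}

# Stand-alone usage with the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
```

On a real server feed it the output of the journalctl command from the top of this post, e.g. `sudo journalctl -u sshd --no-pager | failed_logins_by_ip`.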
Tip #2: Change SSH Listening Port
By default, the SSH server listens on port 22. Some say that crackers can use a port scanner such as nmap to figure out which port the SSH daemon listens on, but after I changed the listening port of SSH, almost all attacks against SSH on my server stopped.
To change the SSH listening port, edit the SSH daemon configuration file.
Find the line that sets the listening port. You can change the port to whatever port you like, just make sure that no other program on the server is using that port. Typically you want to change it to a port between 1 and 1024.
Save and close the file. Then restart SSH.
systemctl restart sshd
When using an SSH client, you need to specify the new port like below.
ssh newuser@server-ip -p new-port-number
You also need to specify the new port when using
Tip #3: Scare Them Away
When a user tries to log in via SSH, we can show them a warning message saying that if they are not authorized they should go away, or they will be prosecuted.
To show a warning message, edit the SSH daemon configuration file.
Find the banner line, which is commented out with a pound sign (#). Remove the pound sign, then change none to the path of a text file on your server, such as /etc/banner.
In the /etc/banner file, add a warning message like the following. You can be creative and show your preferred message to bad guys.
****************************************************************************
This computer system is for authorized users only.
All activities are logged and regularly checked.
Unauthorized use of the system will be prosecuted to the extent of law.
****************************************************************************
Save the configuration file, then restart SSH service.
Tip #4: Restrict IP Addresses Using Firewall
The IP address of your home computer is most likely dynamic. Servers, on the other hand, have fixed IP addresses. On a public-facing SSH server, we can configure the iptables firewall to allow certain IP addresses to connect to the SSH server and deny all other IP addresses. Having more than one server makes it easy for you to restrict IP addresses, because servers have fixed IP addresses.
Try to find some low-end Linux VPS.
As a matter of fact, I have a single-core, 128MB Linux VPS for $6 per year and a single-core, 512MB Linux VPS for $10 per year. They are not meant for hosting my Web site but for other purposes like a backup server or email server. They also help me implement IP address restriction in OpenSSH server. I don't ssh into my main Linux server directly from my desktop computer. What I do is ssh into one of my low-end Linux VPSs and then from there ssh into my main Linux server.
I recommend finding at least two low-end Linux VPSs from different hosting providers, then adding these fixed IP addresses to the allow list of OpenSSH server, in case one of your hosting providers shuts down its business.
Using iptables Firewall to restrict IP
To prevent your current SSH session from being dropped, we first need to allow established sessions with the following iptables command.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Then allow your own IP address to connect to the SSH port with the command below. Replace your-ip-address with your real IP address, such as 220.127.116.11.
sudo iptables -A INPUT -p tcp --dport 22 -s your-ip-address -j ACCEPT
Let me explain this command.
-A INPUT is used to append the above rule to the INPUT chain, which deals with incoming traffic.
-p tcp specifies that the protocol is TCP, since the SSH daemon listens on a TCP port.
--dport 22 specifies that the destination port is 22, the default SSH port. If you changed your SSH port, you also need to adjust the port here.
-s your-ip-address specifies the source IP address.
-j ACCEPT means jump to the ACCEPT target, which allows this SSH connection.
You can add multiple firewall rules to allow multiple IP addresses.
After that's done, reject connections to your SSH server from all other IP addresses. In the command below we don't specify a source IP address, which means all other IP addresses will be disallowed.
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT
Check iptables firewall rules with the below command.
sudo iptables -L
If later you want to add a new IP address to the allowed list, then you need to insert a new rule.
sudo iptables -I INPUT -p tcp --dport 22 -s your-ip-address -j ACCEPT
The -I option inserts the above firewall rule into the INPUT chain. By default, it inserts the rule as the first rule in the INPUT chain. Note that if we appended this new rule to the bottom of the INPUT chain instead, it would have no effect, because it would come after the "reject all other IPs" rule.
Remember that iptables firewall rules are by default not persistent across reboots. If you accidentally locked yourself out with the iptables firewall, you just need to reboot your server from the control panel of your hosting provider to reset the iptables firewall rules.
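To make the rule-ordering point concrete, here is an added helper (not from the post) that prints the Tip #4 rules in the order that makes them effective, inserts later additions above the reject rule, and checks `iptables -S INPUT` output for a shadowed allow rule. Port 2222 and the IP addresses in the usage line are constructed placeholders; set APPLY=1 and run as root to execute the commands instead of printing them.

```shell
#!/bin/sh
# Added example (not from the post). Prints the iptables commands for an SSH
# allow list in the order Tip #4 requires; run with APPLY=1 as root to execute
# them instead. Port and IPs are parameters; nothing here is persistent.
IPT="${IPT:-iptables}"

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Usage: ssh_allowlist_rules <ssh-port> <trusted-ip>...
ssh_allowlist_rules() {
    port="$1"; shift
    # 1. keep the session you are typing in alive
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. one ACCEPT per fixed source address (your low-end VPS jump hosts)
    for ip in "$@"; do
        run "$IPT" -A INPUT -p tcp --dport "$port" -s "$ip" -j ACCEPT
    done
    # 3. everything else: this must stay the last rule for the SSH port
    run "$IPT" -A INPUT -p tcp --dport "$port" -j REJECT
}

# Later additions go ABOVE the REJECT rule: insert (-I), never append (-A).
ssh_allowlist_add() {
    run "$IPT" -I INPUT -p tcp --dport "$1" -s "$2" -j ACCEPT
}

# Read `iptables -S INPUT` output on stdin and confirm the REJECT is the last
# rule that mentions the SSH port. Exit 1 means an allow rule is shadowed (or
# the reject is missing), i.e. the situation a misplaced -A produces.
check_reject_is_last() {
    awk -v p="--dport $1 " '
        index($0 " ", p) { last = $0 }
        END { if (last ~ /-j REJECT/) exit 0; exit 1 }'
}

# Stand-alone usage: print the rule set for port 2222 and two constructed IPs.
ssh_allowlist_rules 2222 192.0.2.10 198.51.100.7
```

After applying rules for real, `sudo iptables -S INPUT | check_reject_is_last 2222` tells you whether the reject rule still sits below every allow rule.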
Tip #5: Enable PrintLastLog
PrintLastLog tells you when the last login happened and from which IP address. You see it right after you ssh into your server. It looks something like this:
Last login: Thu Jun 2 04:10:08 2016 from 18.104.22.168
If you don't recognize the IP address, then you know something is not right. To enable PrintLastLog, edit the SSH daemon configuration file.
Find the line that sets PrintLastLog, which is commented out with a pound sign. Remove the pound sign, save the file and restart the SSH service.
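The configuration edits in Tips #1, #2, #3 and #5 all follow the same pattern: find a directive, often commented out with a pound sign, and set it. Below is an added shell helper, not from the post, that does this idempotently on a copy of the configuration file; it assumes the standard OpenSSH directive names PermitRootLogin, AllowUsers, Port, Banner and PrintLastLog and the default path /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the post). Idempotently sets sshd_config
# directives: an existing active or commented line ("#PermitRootLogin yes")
# is rewritten in place, otherwise the directive is appended. The directive
# names are the standard OpenSSH ones; /etc/ssh/sshd_config is the default path.

# Usage: set_sshd_option <config-file> <Directive> <value>
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$cfg"; then
        awk -v k="$key" -v v="$val" '
            $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") { print k " " v; next }
            { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s %s\n' "$key" "$val" >> "$cfg"
    fi
}

# Effective value of a directive: sshd uses the first uncommented occurrence
# (Match blocks, which this helper does not handle, can still override it).
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The settings from the post. Work on a copy, then validate it with
# `sshd -t -f <copy>` before replacing the real file and restarting sshd,
# and keep your current session open until the new port is confirmed working.
harden_sshd_config() {
    cfg="$1"; port="$2"; user="$3"
    set_sshd_option "$cfg" PermitRootLogin no        # Tip #1
    set_sshd_option "$cfg" AllowUsers "$user"        # Tip #1
    set_sshd_option "$cfg" Port "$port"              # Tip #2
    set_sshd_option "$cfg" Banner /etc/banner        # Tip #3
    set_sshd_option "$cfg" PrintLastLog yes          # Tip #5
}
```

Typical use: `cp /etc/ssh/sshd_config /tmp/sshd_config.new && harden_sshd_config /tmp/sshd_config.new 2222 newuser && sshd -t -f /tmp/sshd_config.new`, then copy the file into place and restart sshd.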
Comments, questions or suggestions are always welcome. If you think this post is useful, 🙂 share it with your friends on social media. This is the first part of hardening SSH server. Stay tuned for the second part.