ssh is just about the most secure way you can provide access to a system. But even ssh is subject to attacks. You can reduce the likelihood of a breach even further with a few fairly simple steps. The specifics below are for Ubuntu 16.04, but the principles are the same for any modern Unix.
The most obvious step is not to have ssh open to the world unless you really need it!
If you have an ssh server running on your system, but don’t need ssh access to that system, either uninstall the ssh server or disable it. To disable the server, just run `systemctl disable ssh`, then `killall sshd` to stop any running sessions.
To remove the server altogether, use your package manager; on Ubuntu it would be `apt-get purge openssh-server`. Don’t uninstall `ssh`; you’ll lose the client as well and you probably don’t want to do that.
But assuming that you do need ssh access to your system, here are some things you should do to lock it down. In rough order of goodness:
- Turn off password access; require a publickey login. To do this, edit `/etc/ssh/sshd_config` and set “PasswordAuthentication” to “no”.
- Move ssh to a different port. Choose a random number between 1024 and 65000 and put ssh on that port. To do this, edit `/etc/ssh/sshd_config` and set “Port” to your chosen port number. Numbers like 2222 are not random…
- Don’t permit root logins. People should log in as an ordinary user, then use `sudo` to get root access. To force this, edit `/etc/ssh/sshd_config` and set “PermitRootLogin” to “no”.
- Allow access only for accounts on your system that need it. To do this, edit `/etc/ssh/sshd_config` and set “AllowUsers” to a space-delimited set of acceptable usernames. Any username not in the list will be unable to log in.
- Turn off ssh Protocol 1. To do this, edit `/etc/ssh/sshd_config` and set “Protocol” to “2”.
- Permit only needed commands. If you only need external access for certain commands, lock ssh down to permitting only those commands. Use the “ForceCommand” and “Match” options in `/etc/ssh/sshd_config` to tie particular users, hosts, groups etc. down to particular commands only.
- Limit access by IP address. If you will only be logging in from a limited set of other systems, allow ssh logins only from those IP addresses (or subnets). Again, the “Match” option in `/etc/ssh/sshd_config` is your friend here. Remember to limit both IPv4 and IPv6.
- Limit access by time of day. If you know you will only be logging in at certain times of the day or on certain days, turn off ssh access outside those times. This is most easily done via `cron` – just run `systemctl stop ssh` to turn off ssh access, and `systemctl start ssh` to turn it back on. Remember that stopping the service will not stop existing sessions! If you want to do that, run `killall sshd` after stopping the service.
- Limit access by address family. If you are IPv6 capable, turn off IPv4 access. To do this, edit `/etc/ssh/sshd_config` and set “AddressFamily” to “inet6”.
- Block repeat offenders. Consider setting up something like `sshguard`. Such tools can blacklist the IP address of anyone who tries to log in (and fails) too frequently. These programs can protect many other services too. Setting these up is way beyond the scope of this article, but the time spent learning how to do so will stand you in good stead. If you are using IPv6, make sure you are checking for attempts using either protocol.
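
As an added example that is not part of the original article, the shell functions below check the global section of an sshd_config file for the explicit settings the list above asks for (PasswordAuthentication, PermitRootLogin, Protocol, Port and AllowUsers). The function names and the sample file are this example's own, and it assumes the whitespace-separated `Keyword value` form and looks only at the first value of each keyword before any Match block.

```shell
# Added example, not from the article: audit the global section of an
# sshd_config file against the settings the list above says to set.

# Print the first value set for keyword $2 in file $1. Comment lines are
# skipped, keywords match case-insensitively, and reading stops at the first
# Match block so a conditional override is not mistaken for a global setting.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Print one FAIL line per unmet recommendation; return the number of failures.
audit_sshd_config() {
    fails=0
    for want in PasswordAuthentication=no PermitRootLogin=no Protocol=2; do
        key=${want%%=*}
        val=$(first_value "$1" "$key")
        if [ "$val" != "${want#*=}" ]; then
            echo "FAIL $key is '${val:-unset}', want '${want#*=}'"
            fails=$((fails + 1))
        fi
    done
    port=$(first_value "$1" Port)
    port=${port:-22}                        # unset: sshd listens on port 22
    case $port in *[!0-9]*) port=0 ;; esac  # non-numeric: force a failure
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65000 ]; then
        echo "FAIL Port $port is outside 1024-65000"
        fails=$((fails + 1))
    fi
    if [ -z "$(first_value "$1" AllowUsers)" ]; then
        echo "FAIL AllowUsers is unset"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: password and root logins left on, default port.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwordauthentication yes
PermitRootLogin yes
Protocol 2
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? recommendation(s) not met"
rm -f "$sample"
```

On a live system, `sshd -T` prints the effective configuration after defaults are applied, which is the authoritative view to compare against.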
By the way, if you think your password is safe because it is complicated or unusual – you are probably wrong. Use publickey only, and protect your keys with long, strong passphrases.