Listen to this Post
OpenSSH is the implementation of the SSH protocol, widely used for secure remote login, file transfers (via scp/sftp), and encrypted communications. Properly securing your OpenSSH server is crucial to prevent unauthorized access and exploits. Below are key security practices along with practical commands and configurations.
You Should Know:
1. Disable SSH Protocol 1
Older SSHv1 is insecure. Edit `/etc/ssh/sshd_config`:
Protocol 2
2. Change Default SSH Port (22)
Reduce brute-force attacks by changing the port:
Port 2222
Update firewall rules (`iptables`/`ufw`):
sudo ufw allow 2222/tcp
3. Disable Root Login
Prevent direct root access:
PermitRootLogin no
4. Use Key-Based Authentication
Generate SSH keys:
ssh-keygen -t ed25519
Copy the public key to the server:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server -p 2222
5. Enable Two-Factor Authentication (2FA)
Use Google Authenticator:
sudo apt install libpam-google-authenticator google-authenticator
Update `/etc/ssh/sshd_config`:
ChallengeResponseAuthentication yes AuthenticationMethods publickey,keyboard-interactive
6. Restrict User Access
Allow only specific users:
AllowUsers user1 user2
7. Enable Fail2Ban for SSH Protection
Install and configure Fail2Ban:
sudo apt install fail2ban sudo systemctl enable --now fail2ban
Configure `/etc/fail2ban/jail.local`:
[bash] enabled = true port = 2222
8. Set Idle Timeout Interval
Disconnect inactive sessions:
ClientAliveInterval 300 ClientAliveCountMax 0
9. Disable Empty Passwords
PermitEmptyPasswords no
10. Use Strong Ciphers & MACs
Enforce modern encryption:
Ciphers [email protected],[email protected],[email protected] MACs [email protected],[email protected]
11. Limit SSH Access via Firewall
Restrict SSH to trusted IPs (`iptables` example):
sudo iptables -A INPUT -p tcp --dport 2222 -s 192.168.1.100 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 2222 -j DROP
12. Disable X11 Forwarding (If Not Needed)
X11Forwarding no
13. Monitor SSH Logs
Check failed login attempts:
sudo grep "Failed password" /var/log/auth.log
14. Disable SSH Agent Forwarding
AllowAgentForwarding no
15. Regularly Update OpenSSH
Always keep OpenSSH updated:
sudo apt update && sudo apt upgrade openssh-server
16. Use TCP Wrappers for Extra Security
Restrict access via `/etc/hosts.allow`:
sshd: 192.168.1.0/24
17. Disable Password Authentication (Use Keys Only)
PasswordAuthentication no
- Restrict SFTP Users to Their Home Directory
Configure chroot in `/etc/ssh/sshd_config`:
Match Group sftpusers ChrootDirectory /home/%u ForceCommand internal-sftp AllowTcpForwarding no
19. Enable Logging for SSH Attempts
LogLevel VERBOSE
20. Harden System Kernel Parameters
Edit `/etc/sysctl.conf`:
net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.rp_filter=1
Apply changes:
sudo sysctl -p
What Undercode Say:
Securing OpenSSH is critical for protecting remote server access. Implementing key-based authentication, disabling root login, and using strong encryption significantly reduce attack surfaces. Regular audits, firewall rules, and monitoring logs ensure ongoing security. Always keep OpenSSH updated to patch vulnerabilities.
Expected Output:
A hardened OpenSSH server with minimized exposure to brute-force attacks, unauthorized access, and exploits.
Reference: cyberciti.biz
References:
Reported By: Activity 7314731974449872896 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
