Understanding SSH: Secure Your Server Like a Pro!


SSH (Secure Shell) is a critical protocol for secure remote access and management of Linux servers. It encrypts all communication between the client and server, which protects credentials and session data in transit; how well the service resists unauthorized access depends on how it is configured. Below, we explore key SSH configurations, security practices, and essential commands to harden your server.

Key SSH Security Practices

1. Change the Default SSH Port

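By default, SSH runs on port 22, making it a common target for automated brute-force attacks. Moving it to a non-standard port cuts down that background noise, but it does not hide the service from a port scan, so treat it as a complement to the controls below rather than a replacement. Change the port: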

sudo nano /etc/ssh/sshd_config

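Find `#Port 22`, uncomment it, and change it to a different port (e.g., `Port 2222`). Keep your current session open until you have confirmed that you can log in on the new port.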

Restart SSH:

sudo systemctl restart sshd

2. Disable Root Login

Prevent direct root access via SSH:

sudo nano /etc/ssh/sshd_config

Set:

PermitRootLogin no

Restart SSH afterward.

3. Use Key-Based Authentication

Generate SSH keys on your local machine:

ssh-keygen -t rsa -b 4096

Copy the public key to the server:

ssh-copy-id -p 2222 user@your_server_ip

Once you have confirmed that key-based login works, disable password authentication in `/etc/ssh/sshd_config`:

PasswordAuthentication no
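
The settings from steps 1 to 3 only take effect if they are the first value sshd reads for that keyword. As an added example (not part of the original post), this script reports the effective global values from an sshd_config-style file; the function names and the sample file are constructed for illustration, and it assumes whitespace-separated `Keyword value` lines without following Include files.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an sshd_config-style file
# for the three settings changed in steps 1-3 of this guide.

# effective_value FILE KEYWORD DEFAULT
# For most keywords sshd keeps the FIRST value it reads, so print the first
# global occurrence (before any Match block), or DEFAULT when unset.
effective_value() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: prints findings; exit status is the number of findings.
# The defaults passed below are OpenSSH's built-in defaults.
# Port may be repeated in a real config; only the first one is checked here.
audit_sshd() {
    findings=0
    if [ "$(effective_value "$1" Port 22)" = "22" ]; then
        echo "WARN: Port is 22 (default)"; findings=$((findings + 1))
    fi
    if [ "$(effective_value "$1" PermitRootLogin prohibit-password)" != "no" ]; then
        echo "FAIL: PermitRootLogin is not 'no'"; findings=$((findings + 1))
    fi
    if [ "$(effective_value "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "FAIL: PasswordAuthentication is not 'no'"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the later "no" is ignored because "yes" comes first.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Port 2222
# left over from an image default
PasswordAuthentication yes
PermitRootLogin no
# added while following the guide
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF

audit_sshd "$sample" || echo "findings: $?"
```

On a live server, `sudo sshd -t` checks the configuration for syntax errors before a restart, and `sudo sshd -T` prints the effective configuration with Include files resolved.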

4. Enable Fail2Ban for Brute-Force Protection

Install Fail2Ban:

sudo apt install fail2ban -y # Debian/Ubuntu
sudo yum install fail2ban -y # CentOS/RHEL

Configure it for SSH:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Adjust settings under `[sshd]`.

You Should Know: Advanced SSH Commands & Tricks

  • SSH Tunneling (Port Forwarding)

Forward local port `8080` to port `80` on a remote server:

ssh -L 8080:localhost:80 user@remote_server -p 2222

  • Transfer Files Securely with SCP

Copy a file to a remote server:

scp -P 2222 file.txt user@remote_server:/path/to/destination

  • Check Active SSH Sessions

who

Or:

netstat -tnpa | grep 'ESTABLISHED.*ssh'

  • Restrict SSH Access by IP

Edit `/etc/hosts.allow` (this only takes effect if your sshd is built with TCP Wrappers support, which upstream OpenSSH removed in version 6.7):

sshd: 192.168.1.100

And block others in `/etc/hosts.deny`:

sshd: ALL

What Undercode Say

SSH remains a fundamental tool for secure server management, but misconfigurations can lead to vulnerabilities. Always:
– Use strong passphrases for SSH keys.
– Regularly update SSH (`sudo apt upgrade openssh-server`).
– Monitor logs (`/var/log/auth.log`).
– Employ firewall rules (`ufw allow 2222/tcp`).

Expected Output:

A hardened SSH setup with:

  • Non-default port (2222).
  • Disabled root login.
  • Key-based authentication.
  • Fail2Ban active.
  • Restricted IP access (if applicable).

Stay secure! 🔒

References:

Reported By: Shubham Sarva – Hackers Feeds