SSH, an abbreviation of Secure Shell, is a protocol used to secure communication between two devices in an insecure network channel. It supports a wide range of encryption technology including custom made ones.
SSH server is an application which uses SSH protocol to establish connection from remote clients. There are different options available for ssh server but OpenSSH, an abbreviation for OpenBSH Secure Shell which was developed by OpenBSD developers and distributed under open source license, is the most popular and widely used ssh server in linux.
One should note that after successful installation of SSH server, there is two main config files under the main ssh config directory, viz; ssh_config and sshd_config. The two files represent client and server setting respectively.
sshd_config: Any settings defined inside this file is used by the ssh server running in the host as default. For example, if port 2233 is defined inside the file as non-default port, the ssh server will only listen in the defined port for the connection from client
ssh_config: Entries in this file is used as defaults by ssh client for any remote connection. For example, if port 2211 is defined to be used for ssh in this file, any new connection to remote ssh server will be initiated on 2211 port by default.
Securing SSH server
There are a bunch of measures one can take for hardening SSH server security.
Disable root access
It is no surprise that an ssh server accepting connection in wild i.e. the internet is hit by a number of uninvited guests, human or bot. As a result, allowing a omnipresent linux superuser account root access is just a one password crack away disaster waiting to happen. This can be prevented by disabling root use access to ssh server and using non-default user to login and later switch to root. This can be done by setting following parameter in ssh config file:
Use non-default port
Similar to default user, ssh server listens to default port 22 unless defined otherwise. Anyone trying to hit an ssh server will attempt their first attack on default port 22. So, it is a good practice to use any non-default port for ssh connection. This can be defined using the following parameter:
Disable empty password
Using empty password should be completely discouraged for obvious reason and this can be done by setting following value:
Enforce IP based access
This is a robust method to secure an ssh server. By defining this parameter, all connection request from IPs except the ones defined is dropped by the ssh server. This can be implemented by defining value as follows:
Use passwordless login
SSH supports login using public-private key authentication method. Following steps can be used to setup ssh keys for connection:
On client machine, run:
$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/<username>/.ssh/id_rsa):
After running the command, the tool will ask for the location to save the keys which will be stored at ~/.ssh directory. This will generate private key, id_rsa, and public key, id_rsa.pub. It will also ask if you want to use a passphrase for authentication and if provided will ask for the passphrase on every login attempt.
Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/infokonn/.ssh/id_rsa. Your public key has been saved in /home/infokonn/.ssh/id_rsa.pub. The key fingerprint is: SHA256:8OVEF6bnTZ5XGRD9i1efr4kNxVSmHJju6Q7oWbURZlQ firstname.lastname@example.org The key's randomart image is: +---[RSA 2048]----+ | . =BE.o| | . =o. *o| | . +.= =.o| | o + =.B .+| | S ..+.B *| | . .o= =.| | . o.o . .| | . o ..+ ..| | o .o +. | +----[SHA256]-----+
If you list the files in your location, you will find the two keys:
$ ls .ssh
Copy public key to ssh server
After the successful key generation, the public key should be copied to the ssh server’s key directory, usually .ssh as authorized_keys
$ scp ~/.ssh/id_rsa.pub user@ssh-server:~/.ssh/authorized_keys
This can be also be done using the utility SSH-Copy-ID
$ ssh-copy-id user@ssh-server
After this, try login into ssh server and you will be able to login without a password or using passphrase if you used one.
Since you don’t need to enter password anymore, disable the password authentication so that you can login using just the keys or passphrase in future by setting following value in ssh configuration:
Finally, restart the ssh server after making changes to the configuration files so that the new settings will be applied.