Protect SSH Server in Ubuntu
The SSH server is an encrypted program that uses the SSH protocol to allow users the authority to access other machines’ services securely. However, like other servers, the SSH server may become prone to unauthorized access; thus, it’s necessary to secure the SSH server before using it for remote desktop connections.
To perform the SSH configuration, you will first need to check whether an SSH server is installed on your system. If it’s not, execute the following command:
$ sudo apt install openssh-server |
After the installation, open the SSH configuration file with the name “sshd_config” placed in the “/etc/ssh” directory, but, we highly recommend you create the configuration file backup using the following command:
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak |
Now open the SSH configuration file:
sudo nano /etc/ssh/sshd_config |
Disable Password-Based Authentication - Uncomment the line and replace “yes” with “no”.
Now, save the file using the keys “Ctrl+X”, add “Y” and press Enter.
# To disable tunneled clear text passwords, change to no here! PasswordAuthentication no |
Denying Empty Password - To perform this step, locate the line “PermitEmptyPasswords” and uncomment it.
# To disable tunneled clear text passwords, change to no here! PermitEmptyPasswords no |
Permitting Root Login - To do this, find the option “PermitRootLogin”, uncomment the line and replace the text “prohibit-password” with “no”.
# Authentication: PermitRootLogin no |
SSH Protocol 2 - Protocol 2 has more advanced security features than Protocol 1, so if you want to use that, you will need to add the line “Protocol 2” to the configuration file as shown below.
# The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. Protocol 2 Include /etc/ssh/sshd_config.d/*.conf |
Setting a Session Timeout - If the user stays away from his system for 200 seconds, it will automatically log out.
ClientAliveInterval 200 |
Allow specific user to access the Server - You can also secure the SSH server by allowing only the specific user to access it.
AllowUsers STENGE |
Limit the number of login attempts - To perform this step, locate the “MaxAuthTries” variable.
# Authentication: MaxAuthTries 4 PermitRootLogin no |
Running the server in Test Mode - ensure that the above configurations we have made are correct
$ sudo sshd –t |
Reloading the SSH server - make the changes to your Ubuntu system.
$ sudo service sshd reload |
Opening the Authorized_keys File - this step requires you to execute some SSH sessions to generate your SSH keys in the file. After some SSH sessions, open the authorization file using the following command:
$ sudo nano ~/.ssh/authorized_keys |
After opening the authorized_keys file, you can have five options to achieve advanced-level security. These options are as follows:
no-agent-forwarding
no-user-rc
no-pty
no-port-forwarding
no-X11-forwarding
Now, if you want to use any of the above options for a single SSH key. For example, if you want a no-agent forwarding option for the desired SSH key, you can do this using the following syntax:
no-agent-forwarding <DesiredSSHKey> |
In the above syntax, replace the DesiredSSHKey with an actual key stored inside the authorized_keys file. Once the above changes are done, you can save the file, and the SSH server will automatically read it as you don’t need to reload the server.