
Protect SSH Server in Ubuntu

The SSH server (sshd) uses the SSH protocol to give users encrypted remote access to a machine's shell and services. Like any network-facing service, it is a target for unauthorized access attempts, so it should be hardened before it is exposed for remote connections.


To configure SSH, first check whether an SSH server is installed on your system. If it is not, install it:

$ sudo apt install openssh-server

After the installation, the file to edit is "sshd_config" in the "/etc/ssh" directory. Before changing anything, make a backup of it:

$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Now open the SSH configuration file:

$ sudo nano /etc/ssh/sshd_config

Disable Password-Based Authentication - Locate the "PasswordAuthentication" line, uncomment it and replace "yes" with "no". Do this only after your public key is already in the server's authorized_keys file (for example via ssh-copy-id) and you have confirmed that a key-based login works; otherwise you lock yourself out.

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

Denying Empty Passwords - Locate the "PermitEmptyPasswords" line (directly below the previous one) and uncomment it. "no" is already the default, but stating it explicitly guarantees that no account with an empty password can log in, whatever else changes in the configuration.

# To disable tunneled clear text passwords, change to no here!
PermitEmptyPasswords no

Disabling Root Login - Find the "PermitRootLogin" option, uncomment the line and replace "prohibit-password" with "no". The default already refuses root password logins but still lets root in with a key; "no" refuses root entirely, so administrators log in as themselves and use sudo, which also leaves a record of who did what.

# Authentication:
PermitRootLogin no

SSH Protocol 2 - Older guides add "Protocol 2" so that the insecure protocol version 1 is refused. OpenSSH removed server-side support for protocol 1 in version 7.4, so on any current Ubuntu release only protocol 2 exists and this line is accepted merely as a deprecated, ignored option; it does no harm, but it adds no security. If you add it anyway, it goes near the top of the file, as shown below. Pay attention to the "Include /etc/ssh/sshd_config.d/*.conf" line in the same place: sshd uses the first value it reads for each keyword, and the drop-in files are read before the rest of sshd_config, so a drop-in that sets, for example, "PasswordAuthentication yes" (Ubuntu cloud images ship a 50-cloud-init.conf that can do this) silently overrides the value you set further down in the main file. Check that directory for conflicting settings.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Protocol 2

Include /etc/ssh/sshd_config.d/*.conf

Setting a Session Timeout - "ClientAliveInterval 200" makes the server send a keepalive request to the client through the encrypted channel every 200 seconds. A client that fails to answer "ClientAliveCountMax" consecutive requests (3 by default) is disconnected, so a dead or unresponsive connection is dropped after about 600 seconds. This does not log out a user who is merely idle, because a healthy client keeps answering; for idle logouts use the shell's TMOUT variable instead.

ClientAliveInterval 200

Allow specific user to access the Server - You can also restrict which accounts may log in at all. With "AllowUsers" only the listed accounts are accepted and everyone else is denied, even with a valid key. Replace STENGE with your own user name; several names are separated by spaces, "user@host" patterns restrict by source as well, and "AllowGroups" does the same for groups. Make sure the account you administer from is on the list before you reload sshd.

AllowUsers STENGE

Limit the number of login attempts - Locate the "MaxAuthTries" variable, uncomment it and lower it from the default of 6. The limit counts authentication attempts per connection: once half of it is reached further failures are logged, and on reaching it the connection is closed. This slows brute forcing down but does not stop an attacker from reconnecting, so pair it with fail2ban or firewall rate limiting.

# Authentication:
PermitRootLogin no
MaxAuthTries 4

Running the server in Test Mode - Save the file (Ctrl+X, then Y, then Enter) and have sshd parse the configuration without starting, so that a typo cannot leave you with a server that refuses to start:

$ sudo sshd -t

A silent exit with status 0 means the file is valid. "sudo sshd -T" goes further and prints every effective setting (keywords in lowercase) after Include and drop-in processing, which is the quickest way to confirm that "passwordauthentication no" and "permitrootlogin no" are really in force.

Reloading the SSH server - Apply the changes on your Ubuntu system. On Ubuntu the unit is called ssh (the unit file also provides the alias sshd):

$ sudo systemctl reload ssh

Keep your current session open and confirm from a second terminal that you can still log in with your key before closing it; the open session is your way back in if a setting turned out to be wrong.
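The steps above edit sshd_config by hand. The script below is an added example, not code from the original article: it applies the same directives to a copy of the file idempotently (turning the stock commented-out lines into active ones rather than appending duplicates), reads back the value sshd would use, and checks the sshd_config.d directory for drop-ins that would override the main file. The function names, the sample config excerpt and the 50-cloud-init.conf drop-in it constructs are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not code from the original article): apply the directives
# above to a copy of sshd_config idempotently, then check the sshd_config.d
# drop-ins that Ubuntu includes before the main file. Function names and the
# sample config are this example's own.
set -eu

# set_sshd_option FILE KEY VALUE
# Turn the first "KEY ..." line (active or commented out, as in the stock
# Ubuntu file) into "KEY VALUE", drop any later duplicates of KEY, or append
# the directive if the file never mentions it. Match blocks are not handled;
# the stock file defines every key used here in its global section.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        awk -v key="$key" -v value="$value" '
            $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") {
                if (!seen) { print key " " value; seen = 1 }
                next
            }
            { print }
        ' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"   # write in place so ownership and mode are kept
    rm -f "$tmp"
}

# effective_value FILE KEY
# First active value of KEY in FILE. sshd keeps the first value it reads for
# a keyword, so this is the value it would use (Include and Match aside).
effective_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_dropin_overrides DIR KEY
# List drop-in files in DIR that set KEY. Ubuntu's sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", so with first-value-wins any such
# file silently overrides the main file (cloud images ship a 50-cloud-init.conf
# that can set "PasswordAuthentication yes").
check_dropin_overrides() {
    local dir="$1" key="$2"
    grep -El "^[[:space:]]*${key}[[:space:]]" "$dir"/*.conf 2>/dev/null || true
}

# harden_sshd_config FILE: the article's settings, applied in one pass.
harden_sshd_config() {
    local file="$1"
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" ClientAliveInterval 200
    set_sshd_option "$file" ClientAliveCountMax 3   # 3 x 200 s, then an unresponsive client is dropped
    set_sshd_option "$file" MaxAuthTries 4
    set_sshd_option "$file" AllowUsers STENGE       # the article's example user name
}

# Demo on a constructed excerpt of the stock Ubuntu file, in a temp dir.
demo() {
    local d f
    d="$(mktemp -d)"
    cat > "$d/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#MaxAuthTries 6
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
EOF
    mkdir "$d/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"

    harden_sshd_config "$d/sshd_config"
    echo "--- hardened config ---"
    cat "$d/sshd_config"
    for f in $(check_dropin_overrides "$d/sshd_config.d" PasswordAuthentication); do
        echo "WARNING: $f also sets PasswordAuthentication and takes precedence"
    done
    rm -rf "$d"
}
demo
```

On a real host, run harden_sshd_config against /etc/ssh/sshd_config as root (after backing it up), then "sudo sshd -t" and "sudo sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin|allowusers)'": the -T output is the only check that accounts for Include, Match blocks and drop-ins together, and it is what you should trust before reloading.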

Opening the authorized_keys File - The file ~/.ssh/authorized_keys on the server lists the public keys that may log in to that account; it is filled by ssh-copy-id or by pasting a public key into it, not by running SSH sessions. Open it for the account in question:

$ nano ~/.ssh/authorized_keys

Besides the key itself, each line of this file can carry options that limit what that key may do. Five of them give a useful advanced level of security:


no-agent-forwarding

no-user-rc

no-pty

no-port-forwarding

no-X11-forwarding


To apply one or more of these options to a single key, write them at the start of that key's line, before the key type. For example, to forbid agent forwarding for a particular key:

no-agent-forwarding <DesiredSSHKey>

In the above syntax, replace DesiredSSHKey with the full key entry (key type, key data and comment) already stored in the authorized_keys file. Several options are combined with commas and no spaces, as in "no-agent-forwarding,no-pty,no-port-forwarding <DesiredSSHKey>", and on OpenSSH 7.2 and later the single option "restrict" switches on all of these restrictions at once. Once the changes are made, save the file; sshd reads authorized_keys afresh at every login attempt, so no reload is needed.
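As an added example that is not part of the original article, the script below applies the five options listed above to every bare key in an authorized_keys file and audits a file for keys that carry no options at all, which is the check worth running after a key has been copied in with ssh-copy-id. The function names are this example's own, and the key blobs in the sample file are made-up placeholders, not real key material.

```shell
#!/usr/bin/env bash
# Added example (not code from the original article): prefix authorized_keys
# entries with the five restriction options above and audit a file for keys
# that carry no options. Function names and the sample file are this
# example's own; the base64 blobs are placeholders, not real keys.
set -eu

# The article's five options as one prefix. sshd accepts them comma separated,
# in any order, before the key type. On OpenSSH 7.2+ the single word
# "restrict" enables all of these (and any future restrictions) at once.
RESTRICTIONS='no-agent-forwarding,no-user-rc,no-pty,no-port-forwarding,no-X11-forwarding'

# key_comment LINE: the comment that follows "keytype base64", or "" if none.
key_comment() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { c = (i + 2 <= NF) ? $(i + 2) : ""; print c; exit }
    }'
}

# restrict_key LINE: prefix a bare "keytype base64 [comment]" entry with
# RESTRICTIONS. Comments, blank lines and entries that already start with
# options are passed through unchanged.
restrict_key() {
    case "$1" in
        ssh-*|ecdsa-*|sk-*) printf '%s %s\n' "$RESTRICTIONS" "$1" ;;
        *)                  printf '%s\n' "$1" ;;
    esac
}

# restrict_file IN OUT: rewrite every line of IN into OUT through restrict_key.
restrict_file() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        restrict_key "$line"
    done < "$1" > "$2"
}

# audit_authorized_keys FILE: one line per key, "UNRESTRICTED <comment>" or
# "RESTRICTED <comment>"; exit status 1 if any key has no options or a line
# is not a key entry at all.
audit_authorized_keys() {
    local rc=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)                          continue ;;
            ssh-*|ecdsa-*|sk-*)               printf 'UNRESTRICTED %s\n' "$(key_comment "$line")"; rc=1 ;;
            *' 'ssh-*|*' 'ecdsa-*|*' 'sk-*)   printf 'RESTRICTED %s\n'   "$(key_comment "$line")" ;;
            *)                                printf 'MALFORMED %s\n' "$line"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# Demo on a constructed authorized_keys file in a temp location.
demo() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# keys for the STENGE account (constructed sample; blobs are not real keys)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotARealKey000000000000000000000 laptop@home
no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotARealKey111111111 backup@nas
EOF
    echo "--- before ---"
    audit_authorized_keys "$f" || echo "(unrestricted keys present)"
    restrict_file "$f" "$f.new" && mv "$f.new" "$f"
    echo "--- after ---"
    audit_authorized_keys "$f" && echo "(every key carries options)"
    rm -f "$f"
}
demo
```

restrict_file deliberately leaves entries that already start with options alone, so a key that was given a narrower set on purpose (for example only no-pty plus a command= for a backup job) is not silently widened or duplicated; review those by hand from the audit output instead.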



