Learn how to harden SSH on Linux, using AlmaLinux 8 on a VPS cloud server as the worked example.
Summary
- Create a Scalable VPS with AlmaLinux 8
- Connect to your VPS Cloud Server via SSH
- SSH Hardening commands
- 5 SSH hardening tips
SSH Hardening
- For SSH hardening, you will be editing and saving the file /etc/ssh/sshd_config using the following command. Nano is used as the text editor of choice:
nano /etc/ssh/sshd_config
- When you are done editing, press Ctrl + X, answer Y to save, and confirm the file name with Enter. Before restarting, run sshd -t to check the file for syntax errors (it prints nothing when the file is valid): sshd refuses to start on a broken configuration, which would lock you out of the server. Keep your current session open, restart sshd with the following command, and confirm that a new login works before you close that session:
systemctl restart sshd
Five SSH hardening tips
Let us explore the 5 SSH hardening tips you can implement based on editing the file /etc/ssh/sshd_config.
1. Set an idle timeout
Sessions whose client has gone away (a crashed laptop, a dropped network) should not linger on the server. ClientAliveInterval makes sshd send a probe to the client after the given number of idle seconds; a client that fails to answer ClientAliveCountMax probes in a row (default 3) is disconnected, so 300 seconds gives roughly a 15 minute cut-off for a dead connection. Note that this is not a true idle logout: a client that is merely idle still answers the probes and stays connected, so to sign idle users out you additionally need a shell timeout such as TMOUT in the login profile. To set a 5 minute (300 second) probe interval, look for:
#ClientAliveInterval 0
Change that to:
ClientAliveInterval 300
2. Limit maximum authentication attempts
Limiting the number of authentication attempts sshd accepts on a single connection, for instance to 3, slows down password guessing and cuts log noise. It is a per-connection limit, so an attacker can simply reconnect; treat it as a speed bump, and rely on key-only login (tip 5) to actually defeat brute force. One side effect to know about: a client whose agent offers more than 3 keys is disconnected with "Too many authentication failures" before it reaches the right one, so such clients must specify the key explicitly. Look for the line:
#MaxAuthTries 6
Change that line to:
MaxAuthTries 3
3. Change SSH Port number
Moving sshd off the default Port 22, for instance to Port 1022, does not stop a targeted attacker (a port scan finds the new port in seconds), but it removes most of the automated scanning noise from your logs and from MaxAuthTries counters. To do so, look for the line:
#Port 22
Change that line to:
Port 1022
Before you restart sshd, allow the new port in your firewall and reload it (AlmaLinux 8 uses firewalld). AlmaLinux 8 also ships with SELinux enforcing, which only lets sshd bind to ports labelled ssh_port_t; add the new port with semanage (from the policycoreutils-python-utils package) or sshd will fail to bind the new port after the restart. Then restart sshd and confirm you can log in on the new port from a second terminal before you close your existing SSH session.
4. Disable tunneling & forwarding
SSH can carry other traffic inside the encrypted session: TCP port forwarding (ssh -L, -R and -D) relays connections through your VPS to other hosts, agent forwarding lets the server use the private keys held by your desktop's ssh-agent, and PermitTunnel creates tun network devices for VPN-style use. If you only use the server for interactive logins and file transfers, disable all three: a compromised account then cannot use the server as a convenient pivot into other systems, and the server cannot sign with your forwarded agent. SFTP and scp keep working, since they do not use port forwarding. Be aware that, as the sshd_config manual notes, these options are not a hard barrier for users who have shell access, because they can run their own forwarder; they remove the built-in paths, which is still worth doing. Look for these lines (the stock file has them commented out with their defaults):
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#PermitTunnel no
Change these lines to:
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
5. Use passwordless, public key authentication for SSH
First generate a key pair on your desktop computer. On Windows 10 or later with the OpenSSH Client installed, run ssh-keygen in Command Prompt or PowerShell; on macOS or Linux, run ssh-keygen in a terminal. Prefer an Ed25519 key (ssh-keygen -t ed25519) and protect the private key with a passphrase. If you use PuTTY, generate the key with PuTTYgen instead and copy the public key from the "Public key for pasting into OpenSSH authorized_keys file" box in its window; the .pub file PuTTYgen saves is in a different format that sshd does not accept in authorized_keys.
Connect to your VPS cloud server as the user you will log in with, make sure the ~/.ssh directory exists and is readable only by that user (mode 700), and open the authorized_keys file:
nano ~/.ssh/authorized_keys
Paste the public key (the single line from id_ed25519.pub) into the file and save it. The file must be mode 600 and owned by that user, or sshd silently ignores it and falls back to the password prompt. Open a second terminal and confirm that you can log in with the key before changing anything else. Once that works, edit /etc/ssh/sshd_config. Do not append new lines at the bottom of the file: sshd uses the first value it finds for a keyword, and the stock AlmaLinux 8 file already contains an active PasswordAuthentication yes line that would silently win over anything appended below it. Find the existing lines and set them to:
PubkeyAuthentication yes
PasswordAuthentication no
Also check that ChallengeResponseAuthentication is no (the AlmaLinux 8 default); otherwise PAM can still prompt for a password through keyboard-interactive authentication. Restart sshd as described above and test one more new login before closing your working session.
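The key generation and authorized_keys steps above, as an added example that is not part of the original page: a bash script that creates an Ed25519 key on the desktop and installs a public key line on the server with the modes sshd's StrictModes check requires, refusing lines that are not OpenSSH public keys and staying idempotent on re-runs. The function names (generate_client_key, install_authorized_key, authorized_keys_perms_ok, authorized_key_count) are this example's own, and the key line used in its comments is a constructed placeholder, not a real key.

```shell
#!/bin/bash
# Added example, not from the original page: generate a key on the desktop and
# install the public half on the server with the permissions sshd enforces
# (StrictModes, on by default): ~/.ssh mode 700, authorized_keys mode 600, both
# owned by the login user. Get this wrong and sshd silently ignores the key and
# falls back to password prompts. Assumes bash, OpenSSH and GNU or BSD find.
# Function names are this example's own; any key line shown is a placeholder.

# Desktop side (interactive): one Ed25519 key per device, with a passphrase.
generate_client_key() {
    ssh-keygen -t ed25519 -a 100 -C "$1" -f "$HOME/.ssh/id_ed25519"
}

# Server side: append PUBKEY (the single line from id_ed25519.pub, e.g. the
# placeholder "ssh-ed25519 AAAAC3...PLACEHOLDER alice@laptop") to
# HOME_DIR/.ssh/authorized_keys unless it is already there, then fix the modes.
# Pass OWNER when running as root on behalf of another user.
install_authorized_key() {
    local home="$1" pubkey="$2" owner="${3:-}"
    local dir="$home/.ssh" file="$home/.ssh/authorized_keys"
    case "$pubkey" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*|sk-ssh-ed25519@openssh.com\ *) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    touch "$file"
    # exact whole-line match, so re-running the install is a no-op
    grep -qxF -- "$pubkey" "$file" || printf '%s\n' "$pubkey" >> "$file"
    chmod 700 "$dir"
    chmod 600 "$file"
    [ -z "$owner" ] || chown -R "$owner:" "$dir"
}

# True when the modes are what StrictModes wants; check this before blaming the key.
authorized_keys_perms_ok() {
    local dir="$1/.ssh" file="$1/.ssh/authorized_keys"
    [ -n "$(find "$dir" -maxdepth 0 -perm 700)" ] && [ -n "$(find "$file" -maxdepth 0 -perm 600)" ]
}

# Number of keys currently authorised for the account (one per line).
authorized_key_count() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}
```

On the desktop, ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 1022 user@server does the same install in one step over an existing password login; the function above is for cases where you paste the key through a console or prepare a user's account as root. Either way, test a fresh key login in a second terminal before turning password authentication off.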
If you do lock yourself out of SSH for any reason, do not worry: you can still reach the server through the VNC console in your provider's control panel and fix the sshd configuration from there.
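The five tips above as one procedure, as an added example that is not part of the original page: a bash script that applies every setting in place, honouring sshd's rule that the first active value of a keyword wins (so nothing is appended below an existing line), then handles the AlmaLinux 8 firewall and SELinux steps for a new port, validates with sshd -t and only then restarts. The function names (sshd_effective, set_sshd_option, harden_sshd_config, open_ssh_port, apply_and_restart, write_sample_config) are this example's own, and the sample configuration it writes is a constructed excerpt shaped like the stock AlmaLinux 8 file, not copied from a real server.

```shell
#!/bin/bash
# Added example, not code from the original page: apply the five sshd_config
# changes above in one idempotent pass. sshd uses the FIRST active value of a
# keyword, so "PasswordAuthentication no" appended below the stock
# "PasswordAuthentication yes" line is silently ignored; these helpers edit in
# place instead. Assumes bash and awk; sshd, firewall-cmd and semanage only on
# the real server. Function names are this example's own.

# Value sshd will actually use for KEY: first active "Key value" line before any Match block.
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }                  # global section ends here
        tolower($1) == tolower(key) { print $2; exit }   # first active occurrence wins
    ' "$1"
}

# Set KEY to VALUE in FILE: rewrite the first active line and drop later active
# duplicates; else uncomment the stock "#Key ..." template line; else append.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    awk -v key="$key" -v val="$value" '
        function iskey(w) { return tolower(w) == tolower(key) }
        function first(s,  a) { split(s, a); return a[1] }
        { line[NR] = $0 }
        tolower($1) == "match" && !m { m = NR }          # Match blocks are conditional; leave them alone
        (!m || NR < m) && iskey($1) && !act { act = NR }
        (!m || NR < m) && $1 ~ /^#/ && !com {
            w = $1; sub(/^#[ \t]*/, "", w); if (w == "") w = $2   # "#Key" or "# Key"
            if (iskey(w)) com = NR
        }
        END {
            target = act ? act : com
            for (i = 1; i <= NR; i++) {
                if (i == target) print key, val
                else if (act && (!m || i < m) && iskey(first(line[i]))) continue
                else print line[i]
            }
            if (!target) print key, val
        }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Tips 1-5 as settings. ClientAliveCountMax is the stock default, written out so the
# 300 s x 3 = 15 min dead-connection cut-off is visible in the file.
harden_sshd_config() {
    local file="$1" port="${2:-22}"
    set_sshd_option "$file" ClientAliveInterval 300               # tip 1
    set_sshd_option "$file" ClientAliveCountMax 3
    set_sshd_option "$file" MaxAuthTries 3                        # tip 2
    set_sshd_option "$file" Port "$port"                          # tip 3
    set_sshd_option "$file" AllowAgentForwarding no               # tip 4
    set_sshd_option "$file" AllowTcpForwarding no
    set_sshd_option "$file" PermitTunnel no
    set_sshd_option "$file" PubkeyAuthentication yes              # tip 5
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no    # else PAM keyboard-interactive still asks for a password
}

# AlmaLinux 8 extras for a non-default port: firewalld must allow it and SELinux must
# label it ssh_port_t, otherwise sshd cannot bind it after the restart. semanage is in
# the policycoreutils-python-utils package.
open_ssh_port() {
    firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
    semanage port -a -t ssh_port_t -p tcp "$1" 2>/dev/null || semanage port -m -t ssh_port_t -p tcp "$1"
}

# Root, on the server: back up, edit, open the port, validate, and only then restart.
# Keep your current session open and test a NEW login before closing it.
apply_and_restart() {
    local port="${1:-22}"
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
    harden_sshd_config /etc/ssh/sshd_config "$port"
    [ "$port" = 22 ] || open_ssh_port "$port"
    sshd -t && systemctl restart sshd
}

# Constructed excerpt shaped like the stock AlmaLinux 8 file, for trying the helpers offline.
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#ClientAliveInterval 0
#ClientAliveCountMax 3
#MaxAuthTries 6
#PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
ChallengeResponseAuthentication no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#PermitTunnel no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}
```

To try it without touching a server, source the file, call write_sample_config on a temporary path, run harden_sshd_config on that path and inspect it with sshd_effective; on the real server, run apply_and_restart 1022 as root from a session you keep open. The sshd -T command (capital T, run as root) prints the effective configuration sshd has parsed and is the definitive way to confirm which value won when a keyword appears more than once.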
Conclusion
It is worth hardening SSH on every Linux server: it is the front gate, and leaving it on its defaults undoes the rest of your VPS hardening work.