How to Harden SSH for Linux


Learn how to harden SSH for Linux, using AlmaLinux 8 on a VPS cloud server as the example.

Summary

SSH Hardening

  1. For SSH hardening, you will be editing and saving the file /etc/ssh/sshd_config using the following command. Nano is used as the text editor of choice:
    nano /etc/ssh/sshd_config
  2. sshd uses the first value it finds for each keyword, so change the existing line (uncommenting it by removing the leading #) rather than adding a second copy further down the file, where it would be ignored.
  3. Every time you are done editing the above file, press Ctrl + X, then Y and Enter to save and exit. Run “sshd -t” first to check the file for syntax errors (it prints nothing when the file is valid; sshd will not start from a broken file and new logins would fail), then execute this command to restart sshd:
    systemctl restart sshd

Five SSH hardening tips

Let us explore the five SSH hardening tips, all of which are applied by editing the file /etc/ssh/sshd_config.

1. Time out unresponsive sessions

ClientAliveInterval makes sshd send a probe through the encrypted channel after the given number of seconds without traffic; if the client fails to answer ClientAliveCountMax probes in a row (default 3), sshd closes the session. A client that is still running answers these probes automatically, so this setting cleans up dead or abandoned connections (a laptop that went to sleep, a dropped network link) rather than logging out a user who is merely idle; a shell-level idle logout needs something like the TMOUT variable instead. With the default count of 3, a 300-second interval tears the connection down roughly 15 minutes after the client stops responding. To probe every 5 minutes (300 seconds), look for:

#ClientAliveInterval 0

Change that to:

ClientAliveInterval 300

2. Limit maximum authentication attempts

It is good practice to slow down brute-force attacks by limiting the number of authentication attempts allowed per connection, for example to 3. Once a connection has used up half of them, further failures are logged, and the client is disconnected when the limit is reached. Two caveats: the counter is per connection, so an attacker simply reconnects, which makes this a rate limiter and log-noise reducer rather than a real defence (pair it with key-only authentication and a tool such as fail2ban); and every key your SSH client offers counts as an attempt, so a user with more than 3 keys loaded in their agent may see “Too many authentication failures” unless the client is told which key to use. Look for the line:

#MaxAuthTries 6

Change that line to:

MaxAuthTries 3

3. Change SSH Port number

You may wish to move SSH off the default Port 22, for instance to Port 1022. This does not make the service any harder to attack (a port scan finds it in seconds), but it cuts the steady stream of automated login attempts aimed at port 22 and keeps your logs readable. To do so, look for the line:

#Port 22

Change that line to:

Port 1022

Remember to open the new port on your firewall (with firewalld on AlmaLinux 8: add the port permanently and reload). On AlmaLinux 8 SELinux is enforcing and only lets sshd bind ports labelled ssh_port_t, so you must also register the new port with the “semanage port” tool (package policycoreutils-python-utils); without this, sshd fails to start after the restart. Then restart sshd and confirm that a new SSH session on the new port works before you disconnect your existing session.

4. Disable tunneling & forwarding

SSH port forwarding lets a client relay TCP connections through the server: with local forwarding (ssh -L) a port on the client is tunnelled to a host the server can reach, with remote forwarding (ssh -R) a port on the server is tunnelled back to the client, and PermitTunnel additionally allows layer-2/3 tun devices. Agent forwarding makes the client’s key agent available on the server, so a compromised server can use your keys to log in elsewhere while you are connected. An attacker who obtains any account on a server with forwarding enabled can use it as a pivot into the rest of your network. Since you are unlikely to need any of this on a VPS that you administer through plain shell sessions, disable all of it (the RHEL-family default file also enables X11Forwarding; set that to no as well unless you need graphical applications). Look for these lines; note that AllowTcpForwarding defaults to yes:

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#PermitTunnel no

Change these lines to:

AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no

5. Use public key authentication and disable password logins

Generate a key pair on your desktop computer first; the private key never leaves that machine and only the public key (the .pub file) goes to the server. Prefer an Ed25519 key and protect it with a passphrase, so that a stolen key file alone is not enough to log in. If you are using Windows with the OpenSSH Client, run “ssh-keygen” in Command Prompt or PowerShell; otherwise you can generate the key pair with PuTTYgen. On macOS or Linux, run “ssh-keygen” in a Terminal.

Connect to your VPS cloud server as the user who will log in with the key and run this command (the file lives in that user’s home directory):

nano ~/.ssh/authorized_keys

Paste your public key into the file as a single line, one key per line, and save it. The ~/.ssh directory must be mode 700 and authorized_keys mode 600, both owned by the user; with the default StrictModes yes, sshd silently ignores the file if the permissions are looser (“ssh-copy-id” from the client does all of this for you). Now connect over SSH again in a new session, this time with your private key, and keep the old session open. Only once key login works, edit /etc/ssh/sshd_config and change the existing PasswordAuthentication line (AlmaLinux 8 ships it set to yes, and since sshd uses the first occurrence of a keyword, appending a second copy at the bottom of the file has no effect) so that the two directives read:

PasswordAuthentication no
PubkeyAuthentication yes

Also make sure ChallengeResponseAuthentication is set to no, otherwise PAM’s keyboard-interactive method can still prompt for a password. After restarting sshd, confirm the effective settings with “sshd -T” (run as root), which prints the configuration sshd actually loaded.

If you happen to lock yourself out of SSH for any reason, do not worry: you can still access your server via VNC to fix the SSH login issue.
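The whole procedure above (the five sshd_config settings plus the authorized_keys installation), as an added example that is not part of the original article: a Bash script that edits sshd_config the way sshd reads it, so that the "first occurrence wins" and "lines after Match apply only inside that Match block" rules cannot silently defeat the change. The sample configuration inside it is constructed for the demo, the public key in the usage is a placeholder, and the apply mode assumes an AlmaLinux 8 / RHEL-family host with firewalld and SELinux (the script name harden-sshd.sh is hypothetical). Run it as root with "./harden-sshd.sh apply 1022", or source it and call the functions individually.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. It applies the five settings
# above the way sshd really reads its config. Two rules drive the design:
#  1. sshd uses the FIRST value it finds for a keyword, so appending
#     "PasswordAuthentication no" below an existing "...Authentication yes" line
#     changes nothing;
#  2. everything after a "Match" line applies only inside that Match block, so a
#     line appended at the bottom can silently land in the wrong scope.
# The sample config is constructed for the demo; apply_hardening assumes an
# AlmaLinux 8 / RHEL-family host (firewalld, SELinux) and must run as root.
set -eu

# set_sshd_option FILE KEY VALUE: rewrite the first active global directive and
# comment out later global duplicates; else replace the first "#KEY ..." default;
# else insert before the first Match block (or append when there is none).
set_sshd_option() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    function kw(s) { sub(/^[ \t]*#?[ \t]*/, "", s); split(s, f, /[ \t=]+/); return tolower(f[1]) }
    function active(s) { sub(/^[ \t]+/, "", s); return substr(s, 1, 1) != "#" }
    FNR == NR {                 # pass 1 over the file: is KEY already active in the global section?
      if (kw($0) == "match") scan_match = 1
      if (!scan_match && active($0) && kw($0) == tolower(key)) has_active = 1
      next
    }
    {                           # pass 2: rewrite
      k = kw($0)
      if (k == "match" && !in_match) { in_match = 1; if (!done) { print key " " value; done = 1 } }
      if (!in_match && k == tolower(key)) {
        if (active($0)) { if (!done) { print key " " value; done = 1 } else print "#" $0; next }
        if (!has_active && !done) { print key " " value; done = 1; next }
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" "$file" > "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the target mode and SELinux label
}

# global_value FILE KEY: the value sshd will actually use (first active global line).
global_value() {
  awk -v key="$2" '
    function kw(s) { sub(/^[ \t]*#?[ \t]*/, "", s); split(s, f, /[ \t=]+/); return tolower(f[1]) }
    function active(s) { sub(/^[ \t]+/, "", s); return substr(s, 1, 1) != "#" }
    kw($0) == "match" { exit }
    active($0) && kw($0) == tolower(key) { print f[2]; exit }
  ' "$1"
}

# install_authorized_key HOMEDIR 'ssh-ed25519 AAAA... comment': idempotent, and with
# the 700/600 modes that StrictModes (default yes) insists on before trusting the file.
install_authorized_key() {
  local home=$1 key=$2
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
  grep -qxF -- "$key" "$home/.ssh/authorized_keys" || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# Constructed sample in the shape of the AlmaLinux 8 default file (not the real one).
write_sample_config() {
  cat > "$1" <<'EOF'
#Port 22
#MaxAuthTries 6
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding yes
Match User backup
    PasswordAuthentication yes
EOF
}

# apply_hardening [PORT]: root only. Password login is disabled only once at least
# one authorized_keys file exists, so a key-less run cannot lock you out.
apply_hardening() {
  local cfg=/etc/ssh/sshd_config port=${1:-22} k
  cp -p "$cfg" "$cfg.bak.$(date +%F-%H%M%S)"
  set_sshd_option "$cfg" ClientAliveInterval 300   # with CountMax 3: dead peers dropped after ~15 min
  set_sshd_option "$cfg" ClientAliveCountMax 3
  set_sshd_option "$cfg" MaxAuthTries 3
  for k in AllowAgentForwarding AllowTcpForwarding PermitTunnel X11Forwarding; do
    set_sshd_option "$cfg" "$k" no
  done
  set_sshd_option "$cfg" PubkeyAuthentication yes
  if ls /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys >/dev/null 2>&1; then
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no  # PAM could otherwise still prompt for a password
  else
    echo "no authorized_keys found, leaving PasswordAuthentication unchanged" >&2
  fi
  set_sshd_option "$cfg" Port "$port"
  if [ "$port" != 22 ]; then
    # SELinux lets sshd bind only ssh_port_t ports; semanage is in policycoreutils-python-utils
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null || semanage port -m -t ssh_port_t -p tcp "$port"
    firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
  fi
  sshd -t && systemctl restart sshd                 # a syntax error stops us before the restart
  sshd -T | grep -Ei '^(port|passwordauthentication|pubkeyauthentication|maxauthtries|clientaliveinterval) '
}

if [ "${1:-}" = apply ]; then apply_hardening "${2:-22}"; fi
```

The awk program reads the file twice: the first pass decides whether an active directive already exists in the global section, the second rewrites it, because a single pass cannot know, when it meets a commented-out default, whether an active line follows. Everything from the first Match line onward is left untouched, since a directive inside a Match block is an intentional per-user or per-host override rather than a duplicate. global_value mirrors sshd's own "first occurrence wins" lookup, which is what you want to check against "sshd -T" after the restart.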

Conclusion

It is very important to harden SSH for Linux. After all, you would not want to perform all the VPS hardening steps BUT leave the front gates insecure.
