A Practical Guide on Securing SSH on Ubuntu

Posted on July 22nd, 2019

If you manage servers, you have to make sure that your servers are secure enough. The single point of failure in the Ubuntu or Linux systems is SSH. If the SSH service is not secure enough, the risk of getting hacked will increase exponentially. In this practical guide on securing SSH on Ubuntu, I will show you some techniques that you can use to improve the security of your SSH service.

First of all, What is SSH? SSH stands for Secure Shell. We can connect to our server via SSH to manage files, Install packages and update configuration files. That is why it is important to keep our SSH service secure. The default port for SSH service is 22. It means that the SSH service will listen for connections on port number 22 by default.

Securing SSH on Ubuntu is not that hard. There are a few tasks that we have to perform that will mitigate the majority of the SSH-based security issues.

Finally, we can get started with the actual tutorial. The first thing we have to do is to change the default SSH port. It’s not that hard and we have a detailed guide in our knowledge base to perform this task.

Change Default SSH Port

As we discussed in the first few paragraphs of this guide, the default port for SSH is 22. However, Ubuntu and other Linux based operating systems provide us the freedom to change ports for services running on the system.

Click Here to learn how you can change the default SSH port. But there are some things that you have to keep in mind before actually changing the SSH port.

If you are using any kind of firewall on your server (It’s important!), you must allow incoming connections on the new port before you change the port for SSH. If you don’t allow incoming connections on the new port, your server won’t allow you to pass your request to SSH on the new port and you won’t be able to connect to your server via SSH using the old port because your SSH service won’t listen for the connections on the old port.

Disable Root Login

The root user is like a god in Linux systems. The root user has permission to do anything on the server. No one is above root user in the Linux systems. It means that if someone hacks your server and logs in as a root user, your server and data is gone.

So, we have to disable root login on the server. It means that our server won’t allow the root user to login directly. So, How can we do it? It’s very easy. Execute the following command to open the main SSH configuration file in the nano editor.

$ sudo nano /etc/ssh/sshd_config

Now, Press CTRL+W and type PermitRootLogin and then hit the Enter key. It will take you to the directive that decides whether to allow a root user to log in or not.

If you see PermitRootLogin yes, Replace it with PermitRootLogin no. Then press CTRL+X followed by Y followed by the Enter key to save the updated configuration file.

NOTE: Make sure there are other users with sudo privileges that can log in to your server. If there are no users other than root, you will be locked out of your server. Perform this task only after creating a non-root user with sudo privileges.

Disable Password Login

We all use a password to verify our identity or for authentication. However, passwords are not so secure. Many of us use the same passwords on multiple systems and some of us use very weak passwords.

When it comes to the security of our systems, we should not rely on passwords. Instead of using passwords, Use SSH keys. SSH keys are two cryptographically secure keys called private key and public key. The messages encrypted using the public key can be decrypted using the associated private key only.

We have a detailed tutorial on setting up SSH key-based authentication on Linux systems. Follow the guide to set up SSH key-based authentication and then disable the plain password login.

To disable the password login, Execute the following command to open the main SSH configuration file in nano editor.

$ sudo nano /etc/ssh/sshd_config

Find a line containing PasswordAuthentication. In most cases, the line will start with # which means that it is commented out. If it starts with #, remove the # and change the PasswordAuthentication from yes to no. The updated line should look like the following.

PasswordAuthentication no

Once done, press CTRL+X followed by Y followed by the Enter key to save the updated configuration. Once done, your server will not allow password as a method of authentication.

NOTE: Do not forget to restart the SSH daemon after updating the main SSH configuration file to apply the changes. Execute the following command to restart the SSH daemon.

$ sudo service ssh restart

 

Conclusion: There are many more things that we can do to improve the security of our SSH server. However, In this guide, I have included the easiest methods only so that anyone can follow. These three changes will mitigate the majority of the SSH-based security issues like brute force attacks. SSH is not something that you can play with. So, please make sure you know what you are doing before performing any of the above-given tasks. It is very easy to get locked out of the server if you don’t know what you are doing with the SSH.

Also, let us know if you need more help with securing SSH on Ubuntu server. We are happy to help!

Leave a Reply