How to harden an SSH server?
Solution 1:
Use public/private key pairs for authentication instead of passwords.
- Generate a passphrase-protected SSH key for every computer that needs to access the server:
  ssh-keygen
- Permit public-key SSH access from the allowed computers: copy the contents of ~/.ssh/id_rsa.pub from each computer into individual lines of ~/.ssh/authorized_keys on the server, or run ssh-copy-id [server IP address] on every computer to which you are granting access (you'll have to enter the server password at the prompt).
- Disable password SSH access: open /etc/ssh/sshd_config, find the line that says #PasswordAuthentication yes, and change it to PasswordAuthentication no. Restart the SSH server daemon to apply the change (sudo service ssh restart).
Now, the only possible way to SSH into the server is to use a key that matches a line in ~/.ssh/authorized_keys. Using this method, I don't care about brute force attacks because even if they guess my password, it will be rejected. Brute-forcing a public/private key pair is impossible with today's technology.
Solution 2:
I would suggest:
- Using fail2ban to prevent brute force login attempts.
- Disabling logging in as root via SSH. This means an attacker has to figure out both the username and the password, making an attack more difficult. Add PermitRootLogin no to your /etc/ssh/sshd_config.
- Limiting the users that can SSH to the server, either by group or just specific users. Add AllowGroups group1 group2 or AllowUsers user1 user2 to limit who can SSH to the server.
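A way to verify that the sshd_config changes from Solutions 1 and 2 actually took effect, added here as an example and not code from any of the answers. It assumes whitespace-separated "Keyword value" lines and skips everything after the first Match line; the sample config files are constructed for the demonstration. The important detail it encodes is that sshd honours the first occurrence of a keyword, so a hardened line appended at the bottom of the file is silently ignored if an earlier line already sets it.

```shell
#!/bin/sh
# Added example (not code from any answer above): audit an sshd_config for
# the directives Solutions 1 and 2 recommend. Assumptions: directives are
# whitespace-separated ("Keyword value"), and everything after the first
# "Match" line is skipped because it applies only conditionally.
# Print the effective value of keyword $2 in file $1. sshd uses the FIRST
# non-comment occurrence of a keyword, so a hardened line appended at the
# bottom of the file does nothing if an earlier line already sets it.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }   # comment or blank line
        tolower($1) == "match"      { exit }   # conditional section: stop
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }' "$1"
}
# Report each recommended directive; return 0 only when all are in place.
sshd_hardening_check() {
    rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no; do
        key=${pair%%=*}; want=${pair#*=}; have=$(sshd_effective "$1" "$key")
        if [ "$have" = "$want" ]; then echo "ok      $key $have"
        else echo "MISSING $key (want $want, have ${have:-unset})"; rc=1; fi
    done
    # Solution 2: an AllowUsers or AllowGroups line must restrict who may log in.
    if [ -n "$(sshd_effective "$1" AllowUsers)$(sshd_effective "$1" AllowGroups)" ]
    then echo "ok      AllowUsers/AllowGroups set"
    else echo "MISSING AllowUsers or AllowGroups"; rc=1; fi
    return $rc
}
# Constructed sample configs for the demonstration (not real server files).
WEAK_CONF=$(mktemp); GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
Port 22
PasswordAuthentication yes
#PermitRootLogin no
PasswordAuthentication no
EOF
cat >"$GOOD_CONF" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
AllowGroups sshusers
Match Address 10.0.0.0/8
PasswordAuthentication yes
EOF
sshd_hardening_check "$WEAK_CONF" || echo "=> weak config: first occurrence wins"
sshd_hardening_check "$GOOD_CONF" && echo "=> good config passes"
```

Run it against /etc/ssh/sshd_config after editing; `sshd -T` is the authoritative view of the effective settings, and this script is only a quick pre-check.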
Solution 3:
Other answers provide security, but there is one thing you can do which will make your logs quieter, and make it less likely that you'll be locked out of your account:
Move the server from port 22 to another one. Either at your gateway, or on the server.
It doesn't increase the security, but it does mean all the random internet scanners won't clutter up your log files.
Solution 4:
Enable two factor authentication with HOTP or TOTP. This is available from 13.10 onwards.
This includes using public key authentication over password authentication as in another answer here, but also requires the user to prove he holds his second-factor device in addition to his private key.
Summary:
- sudo apt-get install libpam-google-authenticator
- Have each user run the google-authenticator command, which generates ~/.google-authenticator and helps them configure their two factor devices (e.g. the Google Authenticator Android app).
- Edit /etc/ssh/sshd_config and set:
  ChallengeResponseAuthentication yes
  PasswordAuthentication no
  AuthenticationMethods publickey,keyboard-interactive
- Run sudo service ssh reload to pick up your changes to /etc/ssh/sshd_config.
- Edit /etc/pam.d/sshd and replace the line:
  @include common-auth
  with:
  auth required pam_google_authenticator.so
More details on different configuration options are in my blog post from last year: Better two factor ssh authentication on Ubuntu.