A default Secure Shell (SSH) configuration can be vulnerable to attackers who are trying to gain access to your server. In this guide, we describe a few configuration changes that improve the security of SSH on your server.
First, make sure that you have a user account with sudo privileges, because in this article we will turn off root logins to improve security. Most, if not all, changes will be made to the /etc/ssh/sshd_config file. After making changes to this file, you need to restart SSH for the changes to take effect. The following command can be used to restart SSH:
[root@worldstream ~]# sudo systemctl restart sshd.service
1. Change the SSH port
A very simple but very effective change is to adjust the SSH port of your server. Changing the SSH port is already a significant security improvement for your server. To change the SSH port of your server, please check out our article.
2. Disable root login
Another great option is to disable logins from the root user. Before you change this option, make sure you have a sudo user you can use to log in to your system. Now open the /etc/ssh/sshd_config file with your favorite editor. To disable root login, uncomment and change the following option:
PermitRootLogin no
Once this option has been changed, you can save and close the file. Make sure to restart SSH for the change to take effect.
3. Disable empty password login
In Linux, it is possible to log in with an empty password. We recommend disabling this option. Open the /etc/ssh/sshd_config file with any editor you like. To disable empty password login, uncomment and change the following option:
PermitEmptyPasswords no
When the above option has been changed, save and close the file, and again make sure to restart SSH.
4. Max login attempts
You can also set the maximum number of times a user can attempt to log in. By default, this option is set to 6. To increase the security of SSH, you can change this value by adjusting the following line:
MaxAuthTries 6
5. Limit SSH login to specific users
In your SSH configuration, you can specify that only specific users can log in to your server. The following option can be added to the SSH configuration file:
AllowUsers [USER]
6. Disable password login in combination with SSH keys
Before you disable the ability to log in with a password, it is essential to configure login with an SSH key. How to create and configure your SSH key can be found in the following article.
When you have enabled login through SSH keys, you can disable password login. Find the option below in the SSH configuration, uncomment it and change the value to no. Make sure to restart SSH after making changes.
PasswordAuthentication no
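The script below is an added example, not part of the original article. It checks the options from this guide against the effective settings that `sshd -T` prints. The helper name check_ssh_hardening and the treatment of 6 as the MaxAuthTries ceiling are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: check_ssh_hardening is a hypothetical helper. It reads
# "keyword value" lines on stdin (the format printed by `sshd -T`) and
# checks the options this guide changes.
# On a server:  sudo sshd -t && sudo sshd -T | check_ssh_hardening
check_ssh_hardening() {
    max_tries="${1:-6}"  # assumption: the guide's value of 6 is the ceiling
    awk -v max="$max_tries" '
        function want(key, good) {
            if (v[key] == good) {
                printf "ok    %s %s\n", key, good
            } else {
                printf "FAIL  %s is \"%s\", expected \"%s\"\n", key, v[key], good
                bad++
            }
        }
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        {   # keywords are case-insensitive; the first value seen wins
            k = tolower($1)
            if (!(k in v)) { $1 = ""; sub(/^[ \t]+/, ""); v[k] = $0 }
        }
        END {
            want("permitrootlogin", "no")
            want("permitemptypasswords", "no")
            want("passwordauthentication", "no")
            if (("maxauthtries" in v) && v["maxauthtries"] + 0 <= max + 0) {
                printf "ok    maxauthtries %s\n", v["maxauthtries"]
            } else {
                printf "FAIL  maxauthtries is \"%s\", expected at most %d\n", v["maxauthtries"], max
                bad++
            }
            if ("allowusers" in v) {
                printf "ok    allowusers %s\n", v["allowusers"]
            } else {
                print "FAIL  allowusers is not set"
                bad++
            }
            exit (bad > 0)   # non-zero exit status when any check failed
        }'
}

# Constructed sample input (not taken from a real server).
check_ssh_hardening <<'EOF' || echo "sample config needs changes"
permitrootlogin yes
permitemptypasswords no
passwordauthentication yes
maxauthtries 6
EOF
```

Running `sshd -t` first validates the edited file, so a syntax error is caught before the restart rather than after it.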