SSH Security Configuration Settings

Last updated: February 1st 2024

Introduction

This guide explains different methods to secure your Webdock SSH server. SSH (Secure Shell) is the protocol used to administer remote servers securely. We will discuss the following options in the SSH configuration file which impact security:

  • Changing the default SSH port
  • Using public/private key pair instead of password
  • Allowing only a single IP to log in
  • Setting up idle timeout
  • Setting up limited password retries
  • Disabling X11 forwarding
  • Disabling root login

Prerequisites

Changing the default SSH port

By default the SSH server listens on port 22, and everyone, including automated scanners and brute force bots, knows it. Leaving SSH on port 22 therefore makes your server, in theory, more exposed to opportunistic attacks; moving it to another port reduces that noise without changing the service itself. In this guide we will set up port 5333 for the SSH server. You can use any unused port.

Please note: Make sure you open the new port before closing the old one.

Warning: Changing the SSH port will break our Web SSH Terminal functionality which assumes SSH is on the default port.

On a Webdock Perfect Server stack, where ufw is installed, open port 5333 first:

$ sudo ufw allow 5333/tcp

Open the /etc/ssh/sshd_config file.

$ sudo nano /etc/ssh/sshd_config

and change the Port directive:

Port 5333

Please note: Every time you change the configuration file, you need to restart the SSH server to apply changes.

Restart the SSH server to apply new configuration.

$ sudo systemctl restart sshd

Log out of your server and log back in using port 5333:

$ ssh admin@[IP-address] -i [path-to-private-key] -p 5333

Using public/private key pair instead of password

Please note: This is already the default in Ubuntu and thus on Webdock servers. You can enable password authentication (not recommended) on the Shell Users screen in Webdock.

Using a public/private key pair to access an SSH server is more secure than password based authentication. An SSH server that accepts passwords is more exposed to brute force attacks.

Open the /etc/ssh/sshd_config file.

$ sudo nano /etc/ssh/sshd_config

and set the PasswordAuthentication option to no:

PasswordAuthentication no

Restart the SSH server to apply changes.

$ sudo systemctl restart sshd

Allow only a single IP to login

By default the SSH server accepts connections from any IP address. Restrict it to your trusted IP addresses only. You do this by configuring your firewall to accept connections to the SSH port on your server only from a specific IP.

Please note: Make sure your trusted IP addresses are static. Otherwise your trusted IP may change and you will not be able to access your server.

Warning: Limiting to a single IP will break our Web SSH Terminal functionality. You can allow 157.90.77.137 and 2a01:4f8:141:4398::607, which should retain access through Web SSH (as of late 2021), but these IPs may change at any time.

On Webdock Perfect Server stacks, where we use UFW, if your IP is 192.168.0.200 and SSH is on the default port 22 you would execute:

$ sudo ufw allow from 192.168.0.200 to any port 22

Keepalive / timeout settings

On Webdock Perfect Server stacks we keep connections alive by default with the settings below. You can remove these lines if you would rather not keep connections alive and let them time out automatically. On a stock Ubuntu install, connections are dropped automatically after a minute or two of inactivity.

Open the SSH configuration file.

$ sudo nano /etc/ssh/sshd_config

and set the TCPKeepAlive, ClientAliveInterval and ClientAliveCountMax options:

TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3

After 60 seconds of inactivity the SSH server checks on the client by sending it a null packet, which also keeps the connection alive. If no response is received the server repeats this process two more times before terminating the connection, so an unresponsive client is dropped after roughly 180 seconds (60 seconds × 3).

Restart the SSH server to apply changes.

$ sudo systemctl restart sshd

Setting up limited password retries

Limiting password tries is a good way to protect your SSH server from brute force attacks, in addition to fail2ban, which does this automatically for SSH. The SSH server provides a configuration option that sets the number of authentication attempts permitted per connection. Open the SSH configuration file.

$ sudo nano /etc/ssh/sshd_config

and set the MaxAuthTries option:

MaxAuthTries 3

The SSH server will allow only 3 login attempts per connection.

Restart the SSH server to apply changes.

$ sudo systemctl restart sshd

Disable root login

Using the root user to access the SSH server is not good practice. Always access the SSH server with a non-privileged user account.

Please note: Root login is already disabled by default in Ubuntu and thus also on Webdock servers.

Open the configuration file.

$ sudo nano /etc/ssh/sshd_config

and disable root login with the PermitRootLogin option:

PermitRootLogin no

Root login is now disabled and the SSH server is only accessible to non-root users.

Restart the SSH server to apply changes.

$ sudo systemctl restart sshd
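The following POSIX shell script is an added example, not part of the Webdock guide or its server stacks: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, keyword names are case-insensitive, directives after a Match line are conditional) and reports the port, password, root-login, MaxAuthTries and keepalive settings covered in the sections above, including the idle timeout implied by ClientAliveInterval × ClientAliveCountMax. It does not follow Include directives, and the sample config it audits is constructed for the demonstration.

```shell
# Added example, not part of the Webdock guide: audit an sshd_config for the
# settings this guide covers and show the effective idle timeout.
# Effective value of KEYWORD in FILE. sshd keeps the FIRST occurrence of a
# keyword (later duplicates never win) and keyword names are case-insensitive.
# Directives after a Match line are conditional, so the scan stops there.
sshd_get() {  # sshd_get FILE KEYWORD
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
# Seconds of inactivity before an unresponsive client is dropped:
# ClientAliveInterval * ClientAliveCountMax (OpenSSH defaults 0 and 3).
# 0 means the server never probes the client at all.
idle_timeout() {  # idle_timeout FILE
    i=$(sshd_get "$1" ClientAliveInterval); c=$(sshd_get "$1" ClientAliveCountMax)
    echo $(( ${i:-0} * ${c:-3} ))
}
# One OK/WARN/INFO line per setting; fallbacks are the OpenSSH upstream defaults.
audit_sshd_config() {  # audit_sshd_config FILE
    f="$1"
    port=$(sshd_get "$f" Port);                 port=${port:-22}
    pw=$(sshd_get "$f" PasswordAuthentication); pw=${pw:-yes}
    root=$(sshd_get "$f" PermitRootLogin);      root=${root:-prohibit-password}
    tries=$(sshd_get "$f" MaxAuthTries);        tries=${tries:-6}
    t=$(idle_timeout "$f")
    [ "$port" != 22 ]  && echo "OK   Port $port" || echo "WARN Port is the default 22"
    [ "$pw" = no ]     && echo "OK   PasswordAuthentication no" || echo "WARN PasswordAuthentication $pw"
    [ "$root" = no ]   && echo "OK   PermitRootLogin no" || echo "WARN PermitRootLogin $root"
    [ "$tries" -le 3 ] && echo "OK   MaxAuthTries $tries" || echo "WARN MaxAuthTries $tries (guide uses 3)"
    [ "$t" -gt 0 ]     && echo "INFO idle clients dropped after ${t}s" || echo "INFO no client-alive probing"
}
# Constructed sample config (not from any real server) so the script runs offline.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 5333
PermitRootLogin no
PasswordAuthentication yes
# the next line is ignored: sshd already took "yes" from the line above
PasswordAuthentication no
ClientAliveInterval 60
ClientAliveCountMax 3
EOF
    echo "$f"
}
audit_sshd_config "$(sample_config)"   # on a real host: audit_sshd_config /etc/ssh/sshd_config
```

On the sample config this reports two WARN lines (password authentication effectively on, MaxAuthTries at the default of 6) and an idle timeout of 180 seconds; remember that Ubuntu's stock sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in there takes precedence over the main file.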

Conclusion

In this tutorial we discussed how to harden an SSH server by modifying various security-related configuration options on a typical Ubuntu server.
