SSH Security Configuration Settings
Last updated: February 1st 2024
Introduction
This guide explains different methods to secure your Webdock SSH server. SSH, or Secure Shell, is a communication protocol used to administer remote servers securely. We will discuss the following options in the SSH configuration file which impact security:
- Changing the default SSH port
- Using a public/private key pair instead of a password
- Allowing only a single IP to log in
- Setting up an idle timeout
- Setting up limited password retries
- Disabling X11 forwarding
- Disabling root login
Prerequisites
- Webdock cloud Ubuntu instance (18.04 or later)
- You have shell access to your VPS
Changing the default SSH port
The SSH server listens on port 22 by default, and everyone, including automated scanners, knows it. Using port 22 for the SSH server therefore makes your server, in theory, more vulnerable to attackers. In this guide we will set up port 5333 for the SSH server; you can use any unused port.
Please note: Make sure you open the new port before closing the old one.
Warning: Changing the SSH port will break our Web SSH Terminal functionality which assumes SSH is on the default port.
On a Webdock Perfect Server stack, where ufw is installed, open port 5333 first.
$ sudo ufw allow 5333/tcp
Open the /etc/ssh/sshd_config file.
$ sudo nano /etc/ssh/sshd_config
And change the SSH port
Port 5333
Please note: Every time you change the configuration file, you need to restart the SSH server to apply changes.
Restart the SSH server to apply new configuration.
$ sudo systemctl restart sshd
Log out of your server and log in again using port 5333.
$ ssh admin@[IP-address] -i [path-to-private-key] -p 5333
Using public/private key pair instead of password
Please note: This is already the installed default in Ubuntu and thus on Webdock servers. You can enable password authentication (not recommended) on the Shell Users screen in Webdock.
Using a public/private key pair to access an SSH server is more secure than password-based authentication: a password-protected SSH server is more exposed to brute-force attacks.
Open the /etc/ssh/sshd_config file.
$ sudo nano /etc/ssh/sshd_config
And set the PasswordAuthentication option to no.
PasswordAuthentication no
Restart the SSH server to apply changes.
$ sudo systemctl restart sshd
Allow only a single IP to log in
By default the SSH server accepts connections from any IP address. Restrict your SSH server to accept connections from your trusted IP addresses only. You do this by configuring your firewall to accept connections to the SSH port only from a specific IP address.
Please note: Make sure your trusted IP addresses are static. Otherwise your trusted IP may change and you will not be able to access your server.
Warning: Limiting to a single IP will break our Web SSH Terminal functionality. You can allow 157.90.77.137 and 2a01:4f8:141:4398::607, which should retain access through Web SSH (as of late 2021), but these IPs may change at any time.
On Webdock Perfect Server stacks, where we use UFW, if your IP is 192.168.0.200 and SSH is on the default port 22, you would execute:
$ sudo ufw allow from 192.168.0.200 to any port 22
Then check sudo ufw status and delete any broader rule that still allows port 22 from anywhere; otherwise the restriction has no effect, because the broader rule keeps matching.
Keepalive / timeout settings
On Webdock Perfect Server stacks we keep the connection alive by default with the below settings. But you can remove these lines if you do not want to keep connections alive and time them out automatically. On a stock Ubuntu install, connections will be dropped after a minute or two of inactivity automatically.
Open the SSH configuration file.
$ sudo nano /etc/ssh/sshd_config
And set the values of the TCPKeepAlive, ClientAliveInterval and ClientAliveCountMax options.
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3
After 60 seconds of inactivity the SSH server checks the status of the client by sending a null packet to keep the connection alive. If no response is received, the server repeats this process two more times (three unanswered checks in total) before terminating the connection.
Restart the SSH server to apply changes.
$ sudo systemctl restart sshd
Setting up limited password retries
Setting up limited password tries is a good way to protect your SSH server from brute-force attacks, in addition to fail2ban, which does this automatically for SSH. The SSH server provides a configuration option to set the number of authentication attempts permitted per connection.
Open the SSH configuration file.
$ sudo nano /etc/ssh/sshd_config
And set the value of the MaxAuthTries option.
MaxAuthTries 3
The SSH server will allow only 3 login attempts per connection.
Restart the SSH server to apply changes.
$ sudo systemctl restart sshd
Disable root login
Using the root user to access the SSH server is not good practice. Always access the SSH server using a non-privileged user account.
Please note: Root login is already disabled by default in Ubuntu and thus also on Webdock servers.
Open the configuration file.
$ sudo nano /etc/ssh/sshd_config
And disable the root login using the PermitRootLogin option.
PermitRootLogin no
Now root login is disabled and the SSH server is accessible only to non-root users.
Restart the SSH server to apply changes.
$ sudo systemctl restart sshd
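Because a single mistyped line can lock you out on the next restart, it is worth auditing the file before each restart in the sections above. The script below is an added example, not part of the Webdock guide: it reads a copy of sshd_config with plain sh/awk and reports which of the settings discussed here (Port, PasswordAuthentication, PermitRootLogin, MaxAuthTries, the ClientAlive options, TCPKeepAlive, X11Forwarding) deviate from the recommended values. The sample configuration it runs against is constructed for the demo, and the built-in defaults it assumes are OpenSSH's when a keyword is absent.

```shell
#!/bin/sh
# Added example, not from the Webdock guide: audit an sshd_config for the
# settings covered above using only sh/awk. On a live host, "sudo sshd -T"
# prints the effective values and "sudo sshd -t" validates syntax before a restart.

# sshd_value FILE KEYWORD: print the value sshd will use. sshd honours the FIRST
# uncommented occurrence (keywords are case-insensitive), and lines after a
# Match header apply only conditionally, so scanning stops there.
sshd_value() {
  awk -v key="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check FILE KEYWORD WANT DEFAULT: print PASS or FAIL; return 1 on FAIL.
# DEFAULT is the OpenSSH built-in value that applies when the keyword is absent.
check() {
  actual=$(sshd_value "$1" "$2"); note=""
  [ -n "$actual" ] || { actual=$4; note=" (not set, built-in default)"; }
  if [ "$actual" = "$3" ]; then echo "PASS $2 = $actual$note"; return 0; fi
  echo "FAIL $2 = $actual$note, want $3"; return 1
}
# audit_sshd FILE PORT: run every check from the guide; return the FAIL count.
audit_sshd() {
  fails=0
  for spec in "Port $2 22" "PasswordAuthentication no yes" \
      "PermitRootLogin no prohibit-password" "MaxAuthTries 3 6" \
      "ClientAliveInterval 60 0" "ClientAliveCountMax 3 3" \
      "TCPKeepAlive yes yes" "X11Forwarding no no"; do
    set -- "$1" $spec   # keep FILE as $1, split spec into KEYWORD WANT DEFAULT
    check "$@" || fails=$((fails + 1))
  done
  return "$fails"
}
# Constructed sample (not a real server's file): port moved, password auth only
# commented out, root login never set, and a stray second MaxAuthTries line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 5333
#PasswordAuthentication no
MaxAuthTries 3
MaxAuthTries 10
ClientAliveInterval 60
X11Forwarding yes
Match User deploy
    PasswordAuthentication no
EOF
audit_sshd "$SAMPLE" 5333 || echo "$? setting(s) need attention"
rm -f "$SAMPLE"
```

On the sample the script reports three FAIL lines (PasswordAuthentication, PermitRootLogin and X11Forwarding), and MaxAuthTries is reported as 3 because sshd ignores the later duplicate line.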
Conclusion
In this tutorial we discussed how to harden the security of an SSH server by modifying various security-related configuration options on a typical Ubuntu server.