Latest Posts

Secure Shell (SSH) Security

Posted on by Rishan Solutions

Loading

Secure Shell (SSH) is a cryptographic network protocol that enables secure communication, remote login, and command execution over an unsecured network. SSH is widely used for system administration, secure file transfers, and tunneling.

However, SSH can become a target for cyberattacks if not properly secured. This guide will cover SSH security best practices, including hardening techniques, authentication methods, and mitigation strategies against common attacks.

1. Understanding SSH and Its Importance

SSH replaces insecure protocols like Telnet, rlogin, and FTP, which transmit data in plaintext.
It provides encryption, authentication, and data integrity.
Used for secure remote administration of Linux, macOS, and even Windows servers.

Common Uses of SSH:
✔ Secure remote access to servers
✔ Secure file transfer via SCP (Secure Copy) or SFTP (SSH File Transfer Protocol)
✔ Port forwarding and tunneling
✔ Automating tasks via SSH scripts

Why is SSH Security Important?

  • Brute-force attacks: Attackers attempt to guess SSH credentials.
  • Man-in-the-middle (MITM) attacks: Intercept SSH traffic.
  • Unauthorized access: If weak authentication is used.
  • Exploited vulnerabilities: Unpatched SSH servers may be compromised.

2. SSH Security Best Practices

1. Disable Root Login Over SSH

By default, root access via SSH is risky. Attackers target the root account to gain full system control.

Steps to disable root login:

  1. Open the SSH configuration file: sudo nano /etc/ssh/sshd_config
  2. Find and modify: PermitRootLogin no
  3. Restart SSH service: sudo systemctl restart sshd

Use sudo instead: Create a separate user and grant it administrative privileges.

2. Change the Default SSH Port

By default, SSH runs on port 22, making it easy for attackers to scan and target. Changing it reduces the risk of automated attacks.

Steps to change SSH port:

  1. Edit the SSH config file: sudo nano /etc/ssh/sshd_config
  2. Modify the port number (e.g., 2222): Port 2222
  3. Restart SSH service: sudo systemctl restart sshd
  4. Update firewall rules: sudo ufw allow 2222/tcp

Avoid using commonly scanned ports like 2222, 2223, etc.

3. Use Public Key Authentication (Disable Password Authentication)

Password-based SSH authentication is vulnerable to brute-force attacks.
Instead, use SSH key pairs for authentication.

Steps to Set Up SSH Key Authentication:

1️⃣ Generate SSH Key Pair on Client Machine:

ssh-keygen -t rsa -b 4096

(Default location: ~/.ssh/id_rsa)

2️⃣ Copy Public Key to Remote Server:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@server_ip

3️⃣ Disable Password Authentication (on the server):

sudo nano /etc/ssh/sshd_config

Change:

PasswordAuthentication no

Restart SSH:

sudo systemctl restart sshd

Now, only users with the private key can log in!

4. Limit SSH Access to Specific Users

Restrict SSH access to only authorized users.

Steps:

  1. Open SSH configuration file: sudo nano /etc/ssh/sshd_config
  2. Add allowed users: AllowUsers narendra adminuser
  3. Restart SSH service: sudo systemctl restart sshd

5. Implement Fail2Ban to Prevent Brute-Force Attacks

Fail2Ban monitors SSH logs and blocks repeated failed login attempts.

Install and Configure Fail2Ban:

  1. Install Fail2Ban:sudo apt install fail2ban -y
  2. Create a new SSH Jail config: sudo nano /etc/fail2ban/jail.local Add: iniCopyEdit[sshd] enabled = true maxretry = 5 bantime = 600
  3. Restart Fail2Ban: sudo systemctl restart fail2ban

This blocks users after 5 failed login attempts for 10 minutes.

6. Use SSH Certificates for Authentication

Instead of static SSH keys, use SSH certificates for scalable authentication.

Advantages:

  • Easier key management
  • Temporary access via certificate expiration
  • Prevents key reuse attacks

Configure an SSH Certificate Authority (CA) for signing user keys.

7. Enable Two-Factor Authentication (2FA) for SSH

Even if a password or key is compromised, 2FA adds an extra security layer.

Steps to Enable Google Authenticator for SSH:

  1. Install Google Authenticator: sudo apt install libpam-google-authenticator -y
  2. Run the setup: google-authenticator
  3. Configure SSH to use PAM authentication: sudo nano /etc/pam.d/sshd Add: bashCopyEditauth required pam_google_authenticator.so
  4. Restart SSH: sudo systemctl restart sshd

8. Use an SSH Jump Host (Bastion Host)

A bastion (jump) host acts as an intermediate server to manage SSH access securely.

Steps:

  • Restrict SSH access to the jump host only.
  • Disable direct SSH to internal servers.
  • Implement logging and monitoring.

Example:
Instead of ssh user@server_ip, connect via the jump host:

ssh -J jump_host user@server_ip

3. Monitoring and Logging SSH Activity

Monitor SSH logs to detect unauthorized access attempts.

View SSH login attempts:

sudo cat /var/log/auth.log | grep "sshd"

Set up real-time SSH monitoring:

sudo tail -f /var/log/auth.log

Use SIEM tools for SSH auditing (e.g., Splunk, ELK Stack, or Graylog).

Leave a Reply

Your email address will not be published. Required fields are marked *