SSH is the primary method of remote access and administration on Linux systems. SSH is a client-server service providing secure, encrypted connections over a network connection.
Hosting an SSH server allows for remote connections from SSH clients. Unless you have security configured on the SSH server, technically anyone can connect to your system and attempt to login. Even if they fail to authenticate, the amount of bogus traffic to your system will waste bandwidth and system resources.
SSH servers come with a plethora of security settings that can be configured. In this guide, we’ll go over some of the best practices to secure SSH on Linux. This will give you some peace of mind about running an SSH server that’s exposed to the internet.
In this tutorial you will learn:
- How to secure SSH through RSA keys, changing port number, etc
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Any Linux distro |
| Software | OpenSSH |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
Securing SSH: Best Practices
This tutorial assumes that you have already successfully installed an OpenSSH server and are able to connect to it from one or more clients. If you need to install OpenSSH or get started using it, check out our tutorial on How to make the most of OpenSSH
Use SSH keys to login
Rather than logging in with a password every time you use SSH, it’s recommended to generate RSA keys and use them for authentication in place of a password. Not only is this more secure, but it’s a lot more convenient, as the SSH login will happen automatically and you don’t need to hassle with typing your password every time. It also allows you to automate certain tasks, such as rsync scripts or other Bash scripts that utilize SSH, SCP, etc.
Check out our tutorial on configuring passwordless SSH to get started. We also have another tutorial which explains how to manage SSH keys on Linux.
Change the default SSH port number
The default port for SSH on Linux systems is 22. Changing the SSH port would fall under “security through obscurity” which means that the security isn’t technically enhanced, but the SSH port has been obscured and isn’t as easy for attackers to access. In practice, this means that the thousands of bots scanning the internet for open SSH servers are a lot less likely to find yours.
For this reason alone, it’s usually a good idea to change the default SSH port number to something beyond 1024. Check out our tutorial on how to change the SSH port on Linux for step by step instructions.
Allow only specific users to login
Not every user on the system needs to use the SSH server facility to connect. Allow only specific users to connect to your server. For example if user foobar has an account on your server and this is the only user which needs access to the server via ssh, you can edit the /etc/ssh/sshd_config file and add the following line:
AllowUsers foobar
If you want to add more users to the AllowUsers list, wrap each user name in "".
Other best practices
Other best practices for securing SSH on Linux include some of the following:
- Disable root login
- Change the max login attempts
- Configure an SSH timeout period
- Only allow certain hosts to connect
For help with configuring these security practices on SSH, as well as some more tips, check out our tutorial on Most common SSH configurations for OpenSSH servers.
Closing Thoughts
In this tutorial, we learned about the best practices to secure an SSH server on Linux. SSH is such a common utility that all system administrators need to be familiar with, as it allows us to control any number of computers and servers remotely. Even though it’s a secure and encrypted protocol, it can be vulnerable to attacks if not secured properly. Following the best practices in this tutorial will ensure that your SSH servers are kept secure.
