SSH, which stands for Secure Shell, is not very secure by default and chooses basic password verification without other limits. If you really want to shut down the server, you need to do more configuration.
Do not allow password logins ̵1; Use SSH keys
The first thing you need to do is to get rid of password authentication completely and switch to SSH keys. SSH keys are a form of public key encryption; you have a public key that acts as your username and a private key that acts as your password (except that the password is 2,048 characters long). Your private key is stored on your disk, but is encrypted with a passphrase and ssh agent. When you go to SSH to a server, instead of asking for your password, the ssh agent connects to the server with your keys.
Even if you already use SSH keys, you still want to make sure your password logins are turned off, since the two are not mutually exclusive.
RELATED: What is SSH Agent Forwarding and how do you use it?
Generate SSH keys
a new SSH key using the
ssh keygen utility, installed by default on most Unix systems.
This will ask you for a passphrase to encrypt the local key file with. It is not used for authentication with the server, but should still be kept secret.
ssh keygen will save your private key in
~ / .ssh / id_rsa and will also save your public key in
~ / .ssh / id_rsa. pub . The private key stays on your hard drive, but the public key must be uploaded to the server so that the server can verify your identity and verify that you have access to that server.
The server has a list of authorized users, usually stored in
~ / .ssh / Author_keys . You can manually add your key file to this file, or you can use the
ssh-copy-id -i ~ / .ssh / id_rsa.pub user @ host
user @ host with your own username and server hostname. You will be asked to log in with your old password again, after which you will not be asked for it again and can deactivate password login.
Disable SSH password Login
Now that you have access to the server with your keys, you can turn off password authentication altogether. Ensure that key-based authentication works, or that you are locked out of the server.
On the server, open
/ etc / ssh / sshd_config in your favorite editor and search for the line beginning with:
You want to clear this (remove the hash tag) and change " yes "to" no ":
systemctl restart sshd
You should be forced to reconnect, and if your key file is incorrect , you will not be asked for a password.
If you wish, you can also force key-based authentication that blocks all other authentication methods. Add the following lines to
/ etc / ssh / sshd_config :
AuthenticationMethods publickey PubkeyAuthentication yes
Lock Out Attackers with denyhosts
denyhosts is a tool to prevent repeated unsuccessful login attempts over SSH, similar to how your phone locks you after too many attempts. It is not installed by default, so you need to install it from your distros package manager. For Debian-based systems like Ubuntu, it would be:
sudo apt-get install denyhosts -y
Once installed, enable it with:
sudo systemctl enable denyhosts
denyhosts should be run automatically now, but you will want to whitelist your IP address if you become locked. You can always try again from another IP address, but this will save some hassle.
/etc/hosts.allow and at the bottom of the file add:
sshd: your-ip address
your-ip address with your IP address.
denyhosts will be blocked after a failed attempt for root users and five failed attempts for other users. You can change this behavior by editing
If you accidentally locked yourself out, stop
denyhosts and remove your IP address from a few places:
/ var / lib / denyhosts / hosts
/ var / lib / denyhosts / hosts-restricted
/ var / lib / denyhosts / hosts-root
/ var / lib / denyhosts / hosts-valid
/ var / lib / denyhosts / users-hosts
denyhosts and you should be able to reconnect.
Whitelist SSH Access
Although forcing SSH keys with
denyhost's is probably sufficient security, you can whitelist specific IP addresses. Most server providers will provide tools to do this from a web interface. If it is an option, you will want to whitelist from there rather than from the SSH server, because you will always be able to change the white listed IP address if you become locked.
If this is not an option, you must manually configure
/etc/hosts.deny to block all traffic from unauthorized hosts.
An important note : If you whitelist your house, your ISP may not provide you with a static IP address and your IP address may change at any time. You want to make sure that it will not happen before you list all other IP addresses, or add multiple addresses as a backup or just skip this step completely.
/etc/hosts.allow and make sure your IP address is in the file:
sshd: your-ip address
If so, you can go ahead and deny all other connections:
echo & # 39; sshd: ALL & # 39; >> / etc / hosts.deny
sshd and you should see your changes.
Alternatively, you can set a proxy in front of your SSH server
If you do not want to reveal your SSH server to the Internet but need to access it from multiple IP addresses, you can set a proxy in front of it to manage the connection. This can be another cloud server or even a box that runs in your house.
The SSH server should be configured to only accept connections from the proxy server and the proxy server should accept connections from anywhere. You can configure the proxy server however you like, but even a simple netcat connection works. Remember that this proxy server will be the only access point for your SSH server, so if the proxy is dropped, you will be locked unless you have a backup address.
Don't Root Login
Instead, create a new user and give that user sudo privilege. This is actually the same but has a big difference: potential attackers need to know your user account name to even begin to attack your server, as it will not be as simple as
root @ yourserver .  Apart from security, it is generally good Unix policy not to be logged in as
root all the time, because
root does not create logs and does not ask when you access protected resources .
Create a new user on your SSH server:
and set a password for that user:
You will not log in with this password because you will still use SSH keys, but it is required. Do this differently from your root password.
Add this user to
/ etc / sudoers to give administrator privileges:
echo & # 39; myfancyusername ALL = (ALL) ALL & # 39; >> / etc / sudoers
Switch to that user with
su myfancyusname and verify that you can switch back to the root user with
sudo su (which does not require root password) . If you can, you have sudo access.
Now you want to block root login. In
/ etc / ssh / sshd_config you want to change:
Remove the speed and change "yes" to "no":
PermitRootLogin no  Restart
sshdand the server should block all requests to log in as
Set up two-factor authentication
This is really superfluous, but if you are paranoid about someone busting your private SSH keys, you can configure your SSH server to use 2FA.
The easiest way to do this is to use Google Authenticator with an Android or iOS device, but SSH supports many two-factor methods. With Google Authenticator, you get a QR code that you can scan from the Google Authenticator mobile app to link your phone to the server, and you will also get some recovery codes for your phone lost. Do not store these codes on your main machine, otherwise there are not really two factors.