SSH is the primary means of remote login to a Linux server, which makes it one of the first services an attacker targets when trying to compromise one. Hardening SSH against external attacks is therefore one of the first steps a sysadmin or DevOps engineer takes. This tutorial explains how to secure Linux SSH servers with a set of SSH hardening tips.
Tip 1 : Enable Firewall To Protect the SSH Ports
Protect your SSH port with a firewall such as iptables or UFW.
Tip 2 : Enable SSH Key based authentication instead of password based authentication
Enable key-based SSH authentication in place of password authentication to protect your SSH servers.
Tip 3 : Harden your sshd configuration file
Edit your SSH configuration file
# vi /etc/ssh/sshd_config
Find the following lines:
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
ClientAliveCountMax 3
Compression delayed
LogLevel INFO
MaxAuthTries 6
MaxSessions 10
Port 22
TCPKeepAlive yes
UsePrivilegeSeparation yes
X11Forwarding yes
AllowAgentForwarding yes
Change them to:
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
LogLevel VERBOSE
MaxAuthTries 2
MaxSessions 2
Port 3526
TCPKeepAlive no
UsePrivilegeSeparation sandbox
X11Forwarding no
AllowAgentForwarding no
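Restart the SSH service to apply the changes. Use the first command on systemd-based systems and the second on systems managed with the service command.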
# systemctl restart sshd
# service sshd restart
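A check of a config file against the Tip 3 values, as an added example that is not part of the original tutorial. The function names audit_sshd_config and constructed_sample are hypothetical, and the sample input is constructed.

```sh
# Added example: list where an sshd_config file differs from the Tip 3 values.
SSHD_TARGETS='permitrootlogin no
passwordauthentication no
allowtcpforwarding no
clientalivecountmax 2
compression no
loglevel verbose
maxauthtries 2
maxsessions 2
port 3526
tcpkeepalive no
useprivilegeseparation sandbox
x11forwarding no
allowagentforwarding no'

# audit_sshd_config FILE (hypothetical helper name): one line per deviation.
audit_sshd_config() {
    printf '%s\n' "$SSHD_TARGETS" | awk -v cfg="$1" '
        { want[$1] = $2; order[++n] = $1 }   # targets arrive on stdin
        END {
            while ((getline line < cfg) > 0) {
                sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
                if (split(line, f, /[ \t=]+/) < 2) continue
                k = tolower(f[1]); v = tolower(f[2])   # keywords ignore case
                if (k == "match") break   # later lines are conditional
                # First value read for a keyword wins; Port may repeat, so keep any non-target Port.
                if (!(k in seen) || (k == "port" && v != want[k])) seen[k] = v
            }
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen)) print "UNSET " k " want=" want[k]
                else if (seen[k] != want[k]) print "WEAK " k "=" seen[k] " want=" want[k]
            }
        }'
}

# Constructed sample input, not taken from a real server.
constructed_sample() {
    cat <<'EOF'
Port 3526
permitrootlogin no
PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
LogLevel VERBOSE
Match User backup
    AllowTcpForwarding no
EOF
}
tmp=$(mktemp) && constructed_sample > "$tmp" && audit_sshd_config "$tmp"; rm -f "$tmp"
```

UNSET means the keyword does not appear before the first Match block, so the sshd built-in default applies and should be checked separately.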
Tip 4 : Integrate Advanced Diffie-Hellman Key based algorithm to secure SSH
Integrate an advanced Diffie-Hellman key-based algorithm to enhance the security of the SSH server.
Tip 5 : Limit SSH Brute-force attacks using Fail2ban
Use Fail2ban to limit brute-force attacks against SSH.
Install Fail2ban on Ubuntu / Debian based Distro
# apt-get install fail2ban -y
Install Fail2ban on RHEL / CentOS based Distro
Note: you need to install the EPEL repository before proceeding with the steps below.
# yum install fail2ban -y
Enable Fail2ban by copying the default jail configuration to a local file:
# cp -rv /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
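Start the Fail2ban service to apply the changes. Use the first command on systemd-based systems and the second on systems managed with the service command.
# systemctl start fail2ban
# service fail2ban start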
That’s all for now.