Configuring Secure SSH (OpenSSH) Access on a Linux Server

Setting up SSH (OpenSSH) on a Linux server provides a secure way to access and manage the server remotely. This guide will walk you through installing OpenSSH, configuring secure access, and adding optional security enhancements.


1. Install OpenSSH Server

First, you need to install OpenSSH on your Linux server to enable remote access.

  • Debian/Ubuntu:

      sudo apt update
      sudo apt install openssh-server
    
  • CentOS/RHEL:

      sudo yum install openssh-server
    

After installing, start and enable the SSH service to ensure it runs on boot:

sudo systemctl start ssh
sudo systemctl enable ssh

2. Basic SSH Configuration

OpenSSH’s main configuration file is located at /etc/ssh/sshd_config. You can customize it to enhance security by changing the default port, disabling root login, and restricting password authentication.

Open the configuration file using a text editor:

sudo nano /etc/ssh/sshd_config

Adjust the following settings for added security:

  • Change SSH Port: Modify the SSH port from the default 22 to a custom port (e.g., 2222) to reduce the likelihood of automated attacks.

      Port 2222
    
  • Disable Root Login: Prevent direct root login by setting PermitRootLogin to no.

      PermitRootLogin no
    
  • Disable Password Authentication: For stricter security, disable password authentication to enforce key-based authentication.

      PasswordAuthentication no
    

Save and close the file when done.


3. Generate SSH Key Pair

To set up key-based authentication, generate an SSH key pair on your local machine. This allows you to securely access the server without using a password.

Run the following command:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

The generated key pair will be saved in the ~/.ssh directory on your local machine.


4. Copy the Public Key to the Server

Now, transfer your public key to the server, allowing key-based authentication.

ssh-copy-id -p 2222 username@your_server_ip

Replace username, your_server_ip, and 2222 with your server’s username, IP address, and the custom SSH port if changed.


5. Reload the SSH Service

After modifying SSH configurations, restart the SSH service to apply the changes.

sudo systemctl restart ssh

6. Test the SSH Connection

Test your SSH configuration by connecting to your server with your custom port.

ssh -p 2222 username@your_server_ip

If everything is set up correctly, you’ll be prompted for your SSH key passphrase (if set) instead of a password.


7. Optional: Additional Security Enhancements

For extra protection, consider these additional security settings:

  • Disable Empty Passwords: Ensure users cannot log in with empty passwords.

      PermitEmptyPasswords no
    
  • Limit Login Attempts: Set a maximum number of authentication attempts to prevent brute-force attacks.

      MaxAuthTries 3
    
  • Use Fail2Ban: Fail2Ban is a tool that monitors failed login attempts and bans IPs that exhibit malicious behavior.


Conclusion

With SSH configured securely, you can now manage your Linux server remotely with confidence. By changing the default port, disabling root login, using key-based authentication, and adding security layers like Fail2Ban, you’re setting up a strong foundation for secure server management.