Configuring Secure SSH (OpenSSH) Access on a Linux Server
Setting up SSH (OpenSSH) on a Linux server provides a secure way to access and manage the server remotely. This guide will walk you through installing OpenSSH, configuring secure access, and adding optional security enhancements.
1. Install OpenSSH Server
First, you need to install OpenSSH on your Linux server to enable remote access.
Debian/Ubuntu:
sudo apt update
sudo apt install openssh-server
CentOS/RHEL:
sudo yum install openssh-server
After installing, start and enable the SSH service so that it runs on boot (on CentOS/RHEL the service unit is named sshd rather than ssh):
sudo systemctl start ssh
sudo systemctl enable ssh
2. Basic SSH Configuration
OpenSSH’s main configuration file is located at /etc/ssh/sshd_config. You can customize it to enhance security by changing the default port, disabling root login, and restricting password authentication.
Open the configuration file using a text editor:
sudo nano /etc/ssh/sshd_config
Adjust the following settings for added security:
Change SSH Port: Modify the SSH port from the default 22 to a custom port (e.g., 2222) to reduce the likelihood of automated attacks.
Port 2222
Disable Root Login: Prevent direct root login by setting PermitRootLogin to no.
PermitRootLogin no
Disable Password Authentication: For stricter security, disable password authentication to enforce key-based authentication.
PasswordAuthentication no
Save and close the file when done.
3. Generate SSH Key Pair
To set up key-based authentication, generate an SSH key pair on your local machine. This allows you to securely access the server without using a password.
Run the following command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
The generated key pair will be saved in the ~/.ssh directory on your local machine.
4. Copy the Public Key to the Server
Now, transfer your public key to the server, allowing key-based authentication.
ssh-copy-id -p 2222 username@your_server_ip
Replace username, your_server_ip, and 2222 with your server’s username, IP address, and the custom SSH port if changed.
5. Reload the SSH Service
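After modifying the SSH configuration, restart the SSH service to apply the changes (the unit is named sshd on CentOS/RHEL). Keep your current session open until the test in the next step succeeds, so that a configuration mistake cannot lock you out.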
sudo systemctl restart ssh
6. Test the SSH Connection
Test your SSH configuration by connecting to your server with your custom port.
ssh -p 2222 username@your_server_ip
If everything is set up correctly, you’ll be prompted for your SSH key passphrase (if set) instead of a password.
7. Optional: Additional Security Enhancements
For extra protection, consider these additional security settings:
Disable Empty Passwords: Ensure users cannot log in with empty passwords.
PermitEmptyPasswords no
Limit Login Attempts: Set a maximum number of authentication attempts to prevent brute-force attacks.
MaxAuthTries 3
Use Fail2Ban: Fail2Ban is a tool that monitors failed login attempts and bans IPs that exhibit malicious behavior.
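An added example (not part of the original guide): a small POSIX shell audit of the settings from sections 2 and 7. It shows a failure mode the steps do not: sshd uses the first value it reads for a keyword, so a hardened line appended below an earlier permissive one has no effect. The function names, the sample file, and the upstream OpenSSH defaults used for unset keywords are assumptions of this example; distributions may ship different defaults.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file against this guide's settings.
# sshd keeps the FIRST value it reads for a keyword and matches keywords
# case-insensitively, so a hardened line appended below a permissive one is ignored.

# effective_value FILE KEYWORD: first global value (lines before any Match block).
effective_value() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF == 0   { next }   # comments and blank lines
        tolower($1) == "match"        { exit }   # Match blocks are conditional
        tolower($1) == tolower(want)  { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one FINDING line per setting that differs from
# the guide. Fields are keyword:recommended:upstream-default (used when unset).
audit_sshd_config() {
    for spec in permitrootlogin:no:prohibit-password passwordauthentication:no:yes \
                permitemptypasswords:no:no maxauthtries:3:6; do
        key=${spec%%:*}; rest=${spec#*:}
        expected=${rest%%:*}; default=${rest#*:}
        actual=$(effective_value "$1" "$key")
        [ -n "$actual" ] || actual=$default
        if [ "$actual" != "$expected" ]; then
            echo "FINDING: $key is effectively '$actual', guide recommends '$expected'"
        fi
    done
}

# Constructed sample: a permissive line near the top, hardened line appended later.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real host
Port 2222
PasswordAuthentication yes
PermitRootLogin no
MaxAuthTries 3
passwordauthentication no
Match User backup
    PermitRootLogin yes
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_config "$sample"   # reports only passwordauthentication
rm -f "$sample"
```

On a live server, sudo sshd -T prints the effective configuration, including files pulled in by Include, which this example does not follow.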
Conclusion
With SSH configured securely, you can now manage your Linux server remotely with confidence. By changing the default port, disabling root login, using key-based authentication, and adding security layers like Fail2Ban, you’re setting up a strong foundation for secure server management.