One of the first step towards securing your server is to limit the attack points as I already mentioned here. How ever SSH is one of the most important service if you are managing your server remotely, so definitely you can shutdown this service in case you can access your machine physically (then you can shut down the SSH service)
The first good thing that you can do regarding SSH is to enable password less authentication.
SSH Protocol
First thing that you need to check with your SSH is the protocol you are currently using, their are currently two protocols
- Protocol 1
- Protocol 2
Most linux distribution now a days ship with Protocol 2 already enabled (which is what we actually want), how ever you can use the command below to check which protocol you are using:
1 | cat /etc/ssh/sshd_config |grep Protocol |
It will either print out Protocol 1 or Protocol 2 , if its Protocol 2, then you are good to go.
If not then you can use your favorite editor, to edit the file, I will use vi editor, and run the following command
1 | vi /etc/ssh/sshd_config |
Now find the line which says
Protocol 1
And change it to -> Protocol 2, and restart your ssh service using:
1 | service sshd restart |
Now you are on protocol 2 and good to go.
SSH Port
Ports are like doors to the home, ports are open gates on your server, and by default SSH works on port 22, so if some one is trying to access or hack your server, they will connect to SSH port 22. Changing your port may not protect you from all hacking attempts since port scanning can be used to map your open ports. How ever it will make it a little hard for the hacker, so lets find out what port SSH is currently listening on (if you have not changed then most probably it will be 22).
1 | cat /etc/ssh/sshd_config |grep Port |
Change port
To change your SSH port, again you need to modify the same file, find these lines
1 2 3 4 | #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: |
and change it to
1 2 3 4 | Port 5550 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: |
Your new SSH port will be 5550, now while connecting to your SSH, you need to use ‘p’ flag to specify the custom port, using the command below
1 | ssh -p 5550 root@192.168.1.5 |
Disable Root Login
Don’t disable root login if you don’t have any other user on your machine yet, first make sure that you have another user on your machine that can access ssh.
Then you can edit the same file, find the line PermitRootLogin yes and change it to PermitRootLogin no .
Disable authentication using password!
If you already have password less authentication in place, as I mentioned in the start of this post. Then their is no point of allowing login via password, you can stop authentication using password altogether.
Find the line PasswordAuthentication yes and change it to PasswordAuthentication no .
Please note that if you do not have password less authentication in place and you disable access through password, you might be locked out of your machine, in case you can not access it physically, so make sure before making this change.