Crony Akatsuki

Securing SSH

04-04-2024

As someone who has a couple of servers out in the open web, one of the main things I had to learn was how to secure it so people can’t touch them. One of the main ways to do that is by hardening ssh.

Here I will name a couple of settings and best practices to make sure your ssh is as secure as possible.

Use key pairs

One of the main practice to secure ssh is by using public/private ssh key pair and making ssh only allow connection with them, disabling password login.

First you need to generate a key pair by running the commmand ssh-keygen.

After generating the key run the command ssh-copy-id ~/.ssh/key_name user@host to copy the key to the server.

Connecting to the server now it will ask you for the ssh key password if you set one, if you didn’t then it will just directly connect it.

While you are connected to the server now, I would change next settings to the values I recommend to make sure you can only connect to the server with ssh key pairs already on the server. Make sure to uncomment the values in your config, and change like I did in my examples.

/etc/ssh/sshd_config

PubkeyAuthentication yes

PasswordAuthentication no
PermitEmptyPasswords no

Restart your sshd service, with systemctl restart sshd.service.

Disable root user logins

Next most common way to secure ssh is by not using a root account to connect, so even if somebody manages to connect they don’t get root user access.

After creating a new user ( make sure to add it to sudo/wheel group also ), make sure to copy the file located in /root/.ssh/authorized_keys to your new users directory in path /home/user/.ssh/authorized_keys

I would reccommend at this point to try and connecting to the different user on the server to make sure the ssh keys were copied correctly. ( example ssh new-user@host )

After that, disable root user login and only allow connecting to ssh with the new user.

/etc/ssh/sshd_config

PermitRootLogin no
AllowUsers new-user

Restart your sshd service.

Only allow connection from specific ip

Next best way to secure ssh is to only allow connection from specific ip, preferably vpn.

Main way I do it is using wireguard. I set it up using the landchad guide.

Then in your sshd config you can make it so that ssh will only accept connection to the user with only the specific up using this syntax.

AllowUsers new-user@172.16.0.2

You can use the ip for the connection you use to setup the peer in the wireguard setup guide, which in landchad’s guide is 172.16.0.2. Or from another server by using the ip of the server you connect with wireguard to.

Make sure to restart sshd and test out in another terminal window whether you can only connect with the wireguard connection to the server ( Don’t close or exit the current ssh connection before making sure it all work’s ).

General settings

There are some more settings that can be changed and I will name them now.

# Port change to allow connection from only that port, to connect use "ssh new-user@host -p port"
Port 4893

# Allow connection only from ipv4
AddressFamily inet

# Limit to only 3 connection tries
MaxAuthTries 3

# Disable pam
UsePAM no

# Disable tcp and x11 forwarding
AllowTcpForwarding no
X11Forwarding no

If you by chance need tcp or x11 forwarding, enable it only for your user using this syntax:

Match User new-user
    AllowTcpForwarding yes
    X11Forwarding yes

With this I have covered the most basic, but at the same best practices to secure your server ssh to not get uninvited people connecting to your servers.