Skip to Content

15 SSH Best Practices Every Linux Admin Should Know

SSH (Secure Shell) is a vital tool for remote administration and file transfer in many Linux environments.

However, if not properly secured, SSH can be a potential gateway for unauthorized access and malicious activities.

By adhering to the following best practices, you can enhance the security of your SSH server.

1. Use SSH Protocol Version 2
Always ensure you’re using SSH protocol version 2 (Protocol 2 in the sshd_config file) since it offers improved security over version 1.

2. Disable Root Login
Direct root login can be a major security threat. Instead, login as a normal user and then elevate privileges using sudo or su. In your sshd_config, set:

PermitRootLogin no

3. Use Public Key Authentication
Where possible, prefer key-based authentication over passwords. This involves generating a public/private key pair and uploading the public key to the server. Once this is set up, disable password authentication by setting:

PasswordAuthentication no

4. Implement Two-Factor Authentication (2FA)
Even with key-based authentication, consider adding an extra layer of security with 2FA. Tools like Google Authenticator can be integrated with SSH for this purpose.

5. Change the Default SSH Port
While this is more about obfuscation, changing the default port (22) can help reduce automated attacks. In your sshd_config, modify the Port directive:

Port 2222  # or another number of your choice

6. Use Allow and Deny Lists
Specify which users  are permitted or denied SSH access. In your sshd_config, you can use:

AllowUsers username1 username2
DenyUsers baduser
AllowGroups groupname
DenyGroups badgroup

7. Limit the Number of Authentication Attempts
Reduce the chance of brute-force attacks by limiting the number of authentication retries. Set the MaxAuthTries directive in your sshd_config:

MaxAuthTries 3

8. Implement a Login Grace Time
This setting determines the amount of time the server will wait before disconnecting if the user hasn’t authenticated. A low value can deter brute-force attacks:

LoginGraceTime 30

9. Use a Firewall

A firewall acts as a protective barrier between your server and the outside world, filtering out unwanted traffic and only allowing specific kinds of communications.

  • iptables: This is the traditional tool for managing Linux firewalls, allowing you to set complex rules for traffic filtering.To allow only SSH traffic and block all other incoming traffic:
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -j DROP

    The above rules allow incoming SSH traffic (port 22) and drop all other incoming traffic.

  • UFW (Uncomplicated Firewall): This is a more user-friendly interface for managing iptables.First, install UFW:
    sudo apt install ufw   # For Debian/Ubuntu systems
    sudo yum install ufw   # For CentOS/Red Hat systems

    Then, allow SSH and enable the firewall:

    sudo ufw allow ssh
    sudo ufw enable
  • Whitelisting IPs: Only allowing certain trusted IP addresses can further enhance security:
    sudo ufw allow from [TRUSTED_IP_ADDRESS] to any port 22

    Replace [TRUSTED_IP_ADDRESS] with the specific IP you want to whitelist.

10. Regularly Monitor SSH Logs

By monitoring SSH logs, you can track any unauthorized or suspicious activities, giving insights into possible security breaches or failed login attempts.

  • Location of logs: SSH-related logs are usually located at:
    • /var/log/auth.log for Debian/Ubuntu systems.
    • /var/log/secure for CentOS/Red Hat systems.
  • Viewing logs: Use tail or cat to view the logs.
    tail -f /var/log/auth.log

    This will provide real-time monitoring of the log.

  • Log Analysis: Tools like Logwatch can be used to analyze logs and provide a daily summary.To install and set up Logwatch:
    sudo apt install logwatch   # For Debian/Ubuntu systems
    sudo yum install logwatch   # For CentOS/Red Hat systems

    Configure it based on your needs and regularly check the summaries.

  • Act on suspicious activity: If you notice a large number of failed login attempts or unfamiliar IP addresses trying to connect, it might be a sign of a brute force attempt or another malicious activity. This could indicate a need for more robust security measures or that certain IP addresses should be blocked.

By fine-tuning your firewall settings and keeping a vigilant eye on your SSH logs, you’ll be in a strong position to deter most common threats and quickly react to any suspicious activities on your server.

11. Disable Empty Passwords

Empty passwords are a significant vulnerability as they essentially offer open access to accounts. Ensure that you explicitly deny users the ability to login without a password by setting:

PermitEmptyPasswords no

in your sshd_config file. Additionally, you should implement a strong password policy that mandates a combination of upper and lower case letters, numbers, and special characters to increase password complexity.

12. Install Security Updates

Operating systems and software, including SSH, continuously get updates to fix known security vulnerabilities. Regularly updating ensures that attackers can’t exploit known weak spots.

  • Debian/Ubuntu systems:
    sudo apt update && sudo apt upgrade -y
  • CentOS/Red Hat systems:
    sudo yum update -y
  • openSUSE/SUSE:
    sudo zypper update

Set automatic updates when possible but also periodically check for critical security updates and patches.

13. Use a Host-based Intrusion Detection System (HIDS)

Fail2Ban is a popular intrusion prevention framework that works alongside your firewall. It monitors logs for too many failed login attempts and bans IP addresses showing malicious signs.

  • Installing Fail2Ban:
    For Debian/Ubuntu:
    sudo apt install fail2ban

    For CentOS:

    sudo yum install fail2ban
  • Configuring Fail2Ban:
    You can modify its configuration (usually in /etc/fail2ban/jail.local). Create or modify specific rules for SSH to tailor its behavior.

14. Rate Limit SSH Connections

By rate-limiting, you can prevent attackers from bombarding your server with login attempts in a short span of time.

Using iptables, you can limit SSH attempts:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This example limits to 3 connection attempts within a 60-second period. Any subsequent attempts get dropped for the next 60 seconds.

15. Encrypt Home Directories

Encryption ensures that even if an attacker gains access to the disk, they cannot easily read the contents.

  • Set up encrypted home directories:
    Ubuntu used to offer the option to encrypt the home directory upon installation. If you’ve not done it then, tools like ecryptfs can be used later. For new users, you can set up encryption with:
    sudo apt-get install ecryptfs-utils
    sudo ecryptfs-migrate-home -u [USERNAME]
  • Backup keys and important data: Always back up encryption keys and any vital data. Losing the encryption key will mean losing access to the encrypted data.

By paying close attention to these extended details for each step, you ensure your SSH server remains shielded from most common threats, creating a safer and more resilient system.

Securing your SSH server is of paramount importance in maintaining the integrity and security of your Linux system. Implementing these best practices can greatly enhance your SSH server’s security, protecting it from various potential threats. Regular monitoring and updating are key to ensuring that your server remains secure in the face of evolving challenges.