I have written a bit about some of the uses for ssh (here and here). I thought I would outline a few quick tips on securing an ssh host machine. One of the biggest security problems, and the most frequent entry in the security logs I look at, is automated connection attempts against the ssh port of a machine. With that in mind, here are a few things I suggest to help secure your ssh port and your machine in general.
One of the first steps to increasing the security of your machine is to change the default port for ssh. This can be done by editing the /etc/ssh/sshd_config file.
sudo vim /etc/ssh/sshd_config
Look for the line that defines the port. By default it should look like “Port 22”, generally near the top of the file. You’ll want to change this to a less predictable port. A port scan can still find the new port, so this is not an access control on its own, but it is a good measure because the automated attempts that only try port 22 simply stop showing up. I suggest something above 20,000. Your new line would look like “Port 22255” or “Port 22002”, etc.
The next level of ssh security is disallowing login by the root user. Remember, the root account is not activated by default on an Ubuntu machine, but if it has been activated, the simplest way for an attacker to gain full control of the machine would be to connect via ssh as root. To disallow login as the root user, search for the line “PermitRootLogin yes” and change it to “PermitRootLogin no”.
There are quite a few more things that you can configure for additional levels of security. The last that I’d like to outline here is the AllowUsers setting. From the man page:
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ‘*’ and ‘?’ can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
In other words, you could add a new line to your sshd_config along the lines of “AllowUsers username” to limit connections to just your own account, or “AllowUsers [email protected]” to allow your username only from your work or office domain.
Lastly, for any of your changes to take effect you’ll need to restart the sshd service. This can be done with the command below:
sudo /etc/init.d/ssh restart
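The three edits above, applied to a copy of sshd_config and checked before the restart, as an added example that is not from the original post; the helper names, the port and the sample user list are my own assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): apply the three sshd_config
# changes described above to a copy of the file, then verify them, before
# touching the live /etc/ssh/sshd_config. Assumes GNU sed ("sed -i", "-E")
# and the "Keyword value" line format of the Ubuntu default config.

# set_sshd_option FILE KEYWORD VALUE
# Comments out any active line for KEYWORD and puts "KEYWORD VALUE" at the
# top of the file: sshd uses the first value it reads for a keyword, and a
# line at the top can never land inside a trailing "Match" block (where an
# appended "Port" would be invalid and "AllowUsers" would be conditional).
set_sshd_option() {
  file=$1; key=$2; value=$3
  sed -i -E "s/^([[:space:]]*$key([[:space:]]|=).*)$/#\1/I" "$file"
  { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$file.tmp" &&
    mv "$file.tmp" "$file"
}

# get_sshd_option FILE KEYWORD
# Prints the value sshd would use globally: the first active line for the
# keyword above any "Match" block. Prints nothing if it is not set there.
get_sshd_option() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }
    tolower($1) == k { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
  ' "$1"
}

# harden_sshd_config FILE PORT "USER [USER...]"
# The three settings from the post: a high port, no root login, and an
# explicit allow-list of user (or user@host) patterns.
harden_sshd_config() {
  set_sshd_option "$1" Port "$2"
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" AllowUsers "$3"
}

# check_sshd_config FILE
# Ask sshd itself to parse the file (needs root to read the host keys).
# Run this before restarting the service: a typo in sshd_config makes the
# restart fail, and the machine may then stop accepting ssh logins at all.
check_sshd_config() {
  /usr/sbin/sshd -t -f "$1"
}

# Typical use (as root), editing a copy first; users and host are made up:
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new
#   harden_sshd_config /tmp/sshd_config.new 22255 "alice alice@office.example"
#   check_sshd_config /tmp/sshd_config.new && cp /tmp/sshd_config.new /etc/ssh/sshd_config
```

Keep an existing ssh session open while you restart the service, so a mistake in the new file can still be corrected from that session.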
Between these three options, an alternate port, root login disallowed, and logins restricted to specific usernames and domains, you should have a pretty tightened-down machine when it comes to ssh. This’ll give those script-kiddie crackers a headache! If you have any other suggestions for added ssh security, please leave a comment.