Home   Back

Securing your SSH server

SSH-ing into your servers as root is BAD and you really shouldn't do it. In this page I will show you how you can use keypairs instead of passwords to log into your SSH servers along with some other additional security enhancement tips.

Adding a New User To the Server

If you don't already, the first thing you should do is make sure that you have a non-root user that you can use to SSH into the server with. On most major Linux distributions you can create a new user with the useradd command:

# useradd -d $USERNAME -m -p $PASSWORD -s /bin/bash $USERNAME

Creating a Keypair

On the client machine (your computer) we will have to generate a private-public keypair that we can use to log into the SSH server with. We will use RSA.

# ssh-keygen -t rsa -b 4096 

It will ask you where to store the new keypair and you can leave it at the default or choose a custom path. It will also ask you for a passphrase for the private key. The passphrase has to be entered everytime you use the private key to authenticate yourself to the SSH server so just be warned about that if you do add one.

After creating the keypair, we have to get the public key up to the SSH server that you want to log into. We can do this easily with the ssh-copy-id command:

# ssh-copy-id $USERNAME@(server IP or domain) 

It's going to ask you for the password for the account $USERNAME that you made earlier so enter it in when prompted. After that the public key should have been uploaded to the authorized_keys file on the server and now you can login to the SSH server as $USERNAME with keypairs!

Security Tips

SSH back into the server under the newly created user with the key and edit the file /etc/ssh/sshd_config with your text editor of choice:

# sudo nano /etc/ssh/sshd_config 

Find where it says "PubkeyAuthentication" and change the value to yes.

PubkeyAuthentication yes

Find where it says "PermitRootLogin" and change the value to no. You can optionally change it to without-password which only allows SSH as root with a keypair. I would just not allow root SSH access at all to be safe as you can always switch to root once you are in the server as another user if need be.

PermitRootLogin no

Here are some optional settings you can change in the file if you want:

PasswordAuthentication no - Only allows keypairs to be used to SSH into the server. No passwords can be used at all.

PermitEmptyPasswords no - Does not allow an empty password to be sumbitted when trying to log in. This is when you just hit enter as the password prompt.

ChallengeResponseAuthentication no - Set this to no if you set "PasswordAuthentication" as no

KerberosAuthentication no - Disables Kerberos authentication

GSSAPIAuthentication no - Disables GSSAPI authentication

X11Forwarding no - If you start a GUI-capable program on the SSH server such as Firefox, if this is set to yes then the SSH Server will forward the application GUI data to your desktop. Most people don't need this so leave it at no.

Setting Up Google Authenticator MFA

Using SSH keys are already a very secure method of authentication, but if you want to go even further you can setup MFA. It's a good idea to implement this if you are just using password authentication and no keys.

Start by installing the PAM Google Authenticator package on your server:

# apt install libpam-google-authenticator

Now run the setup wizard. Make sure that you are running this under the user that you want to access via SSH:

# google-authenticator

Once you run the command, you will be asked certain questions. The first question will be "Do you want authentication tokens to be time-based (y/n)". Press Y and you will get a QR code, secret key, verification code, and emergency backup codes.

Download the Google Authenticator app on your phone/device and scan that QR code OR enter the secret key.

For the remaining questions, press Y when asked to update the .google_authenticator file, Y for disallowing multiple uses of the same token, N for increasing the time-window and Y to enable rate-limiting.

Now you have to tell SSH on your server to use this new method of authentication. Edit /etc/pam.d/sshd:

# vim /etc/pam.d/sshd

Add the following line to the bottom of the file:

auth required pam_google_authenticator.so

Edit the SSHD config file:

# vim /etc/ssh/sshd_config

Make sure the following lines exist and are uncommented in your config file:

PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes