SSH (Secure Shell) is one of the safest options for remote login on Linux computers. However, there is always room for improvement to enhance the security of this technology.
Although I have been using SSH for many years, I am aware of the various threats and the number of attempts made to access my server during this period. I want to ensure that all Linux users are aware of the necessary security measures they should implement on their computers to enhance system security.
Of course, the best option is a VPN connection, which I have described in detail at this link.
Install Fail2ban
With Fail2ban, you can block unwanted traffic to your server. Fail2ban does this through jails, configured in a file named “jail.local”, which ban the IP addresses behind unauthorized SSH logins for a set duration. The jail configuration (jail.local) is usually found in the /etc/fail2ban/ directory and may resemble the following example:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 28800
ignoreip = 127.0.0.1
For Debian Linux install: sudo apt-get install fail2ban -y
For Fedora Linux: sudo dnf install fail2ban -y
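How maxretry, findtime, bantime and ignoreip from the jail above interact, as an added example (a simplified model, not Fail2ban's own code and not part of the original article). The log lines are constructed, and the regular expression only covers "Failed password" entries, whereas Fail2ban's real sshd filter matches more failure types.

```python
import re
from datetime import datetime, timedelta

# Values taken from the [sshd] jail shown above.
MAXRETRY, FINDTIME, BANTIME = 3, 300, 28800
IGNOREIP = {"127.0.0.1"}

# Simplified stand-in for Fail2ban's sshd filter: "Failed password" lines only.
FAILED = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+", re.M)

# Constructed sample in auth.log format, using documentation address ranges.
SAMPLE_LOG = """\
Jan 10 03:00:00 srv sshd[811]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 10 03:00:05 srv sshd[812]: Failed password for invalid user admin from 198.51.100.20 port 40002 ssh2
Jan 10 03:01:30 srv sshd[813]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jan 10 03:02:00 srv sshd[814]: Failed password for bob from 127.0.0.1 port 40004 ssh2
Jan 10 03:02:01 srv sshd[815]: Failed password for bob from 127.0.0.1 port 40005 ssh2
Jan 10 03:02:02 srv sshd[816]: Failed password for bob from 127.0.0.1 port 40006 ssh2
Jan 10 03:04:00 srv sshd[817]: Failed password for root from 203.0.113.7 port 40007 ssh2
Jan 10 03:04:30 srv sshd[818]: Failed password for invalid user admin from 198.51.100.20 port 40008 ssh2
Jan 10 03:05:00 srv sshd[819]: Failed password for root from 203.0.113.7 port 40009 ssh2
Jan 10 03:06:00 srv sshd[820]: Failed password for invalid user admin from 198.51.100.20 port 40010 ssh2
Jan 10 03:06:10 srv sshd[821]: Accepted password for alice from 192.168.1.62 port 40011 ssh2
"""

def simulate(log, year=2024):
    """Return (ip, banned_at, unbanned_at) tuples; syslog lines carry no year."""
    failures, banned_until, bans = {}, {}, []
    for m in FAILED.finditer(log):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in IGNOREIP or banned_until.get(ip, ts) > ts:
            continue  # address is in ignoreip, or its ban is still active
        # Only failures within the last FINDTIME seconds count toward MAXRETRY.
        recent = [t for t in failures.get(ip, [])
                  if (ts - t).total_seconds() <= FINDTIME] + [ts]
        failures[ip] = recent
        if len(recent) >= MAXRETRY:
            until = ts + timedelta(seconds=BANTIME)
            banned_until[ip] = until
            bans.append((ip, ts, until))
            failures[ip] = []  # counter restarts once the ban is issued
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

Only 203.0.113.7 is banned here: 127.0.0.1 is covered by ignoreip, and the failures from 198.51.100.20 never reach three inside one 300-second findtime window, which is the trade-off to weigh when tuning findtime and maxretry.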
Change the default port
The default SSH port is port 22, but it is advisable to change this port for security reasons. This can be done by modifying the /etc/ssh/sshd_config configuration file. I recommend using ports that are different from the default ones, such as 2222 or 2124. By doing so, it will be difficult for potential attackers to identify the port.
Block users with empty passwords
You probably don’t have users with empty passwords on your system, but it’s better to be safe than sorry. If someone discovers that you have such a user, they will be able to easily gain access to your computer. To prevent this situation, open the /etc/ssh/sshd_config file and find this line:
#PermitEmptyPasswords no
Remove the leading # so that the line reads: PermitEmptyPasswords no
Save and close the file, then restart SSH.
Limit logins to specific IP addresses
It is good practice to limit the IP addresses that can log into your system. If only one person will connect remotely to the server, add that person’s IP address to the /etc/hosts.allow file.
Open the file in your favorite editor and add this line at the bottom:
sshd: 192.168.1.62
If you have more users, list all of their addresses:
sshd: 192.168.1.62, 192.168.1.11, 192.168.1.12, 192.168.1.13, 192.168.1.14
Save and close the file.
Use SSH key authentication
The importance of SSH key authentication cannot be overstated. I’ve already shown how this technique is set up in another article, so be sure to read that piece and implement this tactic. When combined with Fail2ban, SSH key authentication is a great way to prevent unwanted SSH logins.
These are five simple ways to secure SSH on both Linux desktops and servers. Just because the word secure appears in SSH doesn’t mean it should be viewed as a means to a secure end. With a little extra configuration, your SSH logins will be better protected from bad actors who roam the Internet looking for access to systems.