How To Harden OpenSSH on Ubuntu 20.04

/ Category: Guide, OpenSSH, Tutorials, Ubuntu, Ubuntu 20.04 / Comments: None

how to harden openssh on ubuntu 20.04
Spread the love

OpenSSH is one of the most popular tools that uses SSH protocol for secure system administration, file transfers, and other communication across the Internet. It is free and used by system administrators to manage remote systems. OpenSSH runs on port 22 and it is the first target of a hacker. So you may need to harden your OpenSSH server to protect it from hackers.

In this tutorial, we will show you different ways to harden an OpenSSH server.

tips on how to harden openssh on ubuntu 20.04

Prerequisites

  • A server running Linux operating system.
  • Access to the root user account (or access to an admin account with root privileges)

Log in to the Server & Update the Server OS Packages

First, log in to your Ubuntu 20.04 server via SSH as the root user:

ssh [email protected]_Address -p Port_number

You will need to replace ‘IP_Address’ and ‘Port_number’ with your server’s respective IP address and SSH port number. Additionally, replace ‘root’ with the username of the admin account if necessary.

Before starting, you have to make sure that all Ubuntu OS packages installed on the server are up to date. You can do this by running the following commands:

apt-get update -y
apt-get upgrade -y

1 – Change the Default SSH Port

By default, OpenSSH listens on port 22. So it is recommended to change the default port to avoid automated attacks on your server.

You can change the SSH default port by editing the file /etc/ssh/sshd_config:

nano /etc/ssh/sshd_config

Find the following line:

Port 22

And, replaced it with your desired port:

Port 8087

Save and close the file then restart the SSH service to apply the changes:

systemctl restart sshd

Now, verify the SSH connection using the following command:

ssh -p 8087 [email protected]

2 – Disable SSH Root Login

By default, every Linux system has a root account so it is the main target of hackers. So it is a good idea to disallow root user to login via SSH.

First, create a user and add it to sudo group with the following command:

adduser username
usermod -aG sudo username

Next, verify whether a new user can login via SSH. Then, edit the SSH default configuration file:

nano /etc/ssh/sshd_config

Find the following line:

PermitRootLogin yes

And, change it with the following:

PermitRootLogin no

Save and close this file. Then restart SSH service for the changes to take effect.

systemctl restart sshd

3 – Disable Password Authentication and Use Public Key Authentication

The attacker has to figure out the username and trying to brute force the password. So it better to use public key authentication instead of password authentication. So the only user that has private key can login to your server.

You can disable the password authentication and enable the key-based authentication by editing the file /etc/ssh/sshd_config:

nano /etc/ssh/sshd_config

Change the following lines:

PasswordAuthentication no
PubkeyAuthentication yes

Save and close the file. Then restart SSH service for the changes to take effect.

systemctl restart sshd

4 – Restrict SSH Access Using iptables

Iptables is a firewall tool used for filtering incoming and outgoing traffic to your server. You can create an Iptable rule to allow only a specific IP address or subnet for incoming SSH connections. This way you can block SSH connections for other users.

For example, to allow incoming SSH connection only for IP 192.168.0.100, run the following command:

iptables -A INPUT -p tcp -s 192.168.0.100 -dport 22 -j ACCEPT

Next, save the Iptables rules with the following command:

iptables-save

5 – Define IP Address Allow list

You can also define and set up an IP address allow list to restrict incoming SSH connection based on IP address. This will reduce the risk of a breach in the event when your password is leaked.

You can setup IP address whitelist by editing the SSH default configuration file:

nano /etc/ssh/sshd_config

To allow a single IP address, add the following line:

AllowUsers *@192.168.0.100

To allow a whole subnet, add the following line:

AllowUsers *@192.168.0.0/24

To allow multiple IP addresses, add the following line:

AllowUsers *@192.168.0.100 *@192.168.0.101 *@172.16.0.124

If you want to allow only a specific user to a specific IP address, add the following line:

Match User user1
  AllowUsers [email protected]

Save and close the file when you are finished then restart the SSH service to apply the changes:

systemctl restart sshd
tips on how to harden openssh on ubuntu 20.04

Of course, you don’t have to secure SSH on Linux if you use one of our Managed Hosting services, in which case you can simply ask our expert Linux admins to configure this for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post on how to harden OpenSSH on Ubuntu, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

Be the first to write a comment.

Your feedback