Ubuntu – How to harden an SSH server

Securityssh

What measures can/should I take to make sure that security around my SSH server is absolutely impermeable?

This will be community wiki from the start, so lets see what people do to secure their servers.

Best Answer

Use public/private key pairs for authentication instead of passwords.

  1. Generate a passphrase-protected SSH key for every computer that needs to access the server:

    ssh-keygen

  2. Permit public-key SSH access from the allowed computers:

    Copy the contents of ~/.ssh/id_rsa.pub from each computer into individual lines of ~/.ssh/authorized_keys on the server, or run ssh-copy-id [server IP address] on every computer to which you are granting access (you'll have to enter the server password at the prompt).

  3. Disable password SSH access:

    Open /etc/ssh/sshd_config, find the line that says #PasswordAuthentication yes, and change it to PasswordAuthentication no. Restart the SSH server daemon to apply the change (sudo service ssh restart).

Now, the only possible way to SSH into the server is to use a key that matches a line in ~/.ssh/authorized_keys. Using this method, I don't care about brute force attacks because even if they guess my password, it will be rejected. Brute-forcing a public/private key pair is impossible with today's technology.

Related Question