What is SSH?
SSH (Secure Shell) is a network protocol for connecting to a remote computer over an untrusted network. The connection is encrypted and authenticated, so someone watching the network can neither read the traffic nor silently tamper with it. Over SSH you can open an interactive shell, run commands, or transfer files to and from the remote machine.
By default, sshd accepts password logins, which exposes the machine to online brute-force and credential-guessing attacks from anyone who can reach the port. The rest of this post changes the default sshd configuration to reduce that exposure.
Changing the Default Port
SSH listens on TCP port 22 by default. Moving it to another port is obscurity, not security: a port scan will still find the new port, and it does nothing against a targeted attacker. What it does do is cut down the constant noise from automated scanners that only try port 22, which makes your logs much easier to read. Pick a port below 1024 if you can, so that an unprivileged process cannot grab it if sshd ever fails to start, and remember to open the new port in your firewall before you restart sshd.
On a Linux system (which is what most servers run), the daemon's configuration lives in /etc/ssh/sshd_config. Note the d: ssh_config in the same directory configures the client, not the server.
You can use nano to edit the file: sudo nano /etc/ssh/sshd_config
(I'll be using vim instead of nano)
Find the line #Port 22, remove the leading # so the line becomes active, and change the number. The # marks a comment: sshd ignores everything after it, and the commented-out lines in the stock file only document the built-in defaults. You can do something like: Port 444 or Port 3000.
sshd only reads its configuration at startup, so the service has to be restarted after editing. First check the file for syntax errors with sudo sshd -t (it prints nothing when the configuration is valid), then restart with sudo service sshd restart. On Debian and Ubuntu the service is called ssh rather than sshd, so use sudo service ssh restart or sudo systemctl restart ssh there. Keep your current session open until you have confirmed that a new connection on the new port works; if the restart fails you still have a way in to fix it. One caveat: recent Ubuntu releases start sshd through systemd socket activation, and there the Port line alone is not enough; the listening port has to be changed in the ssh.socket unit as well (systemctl edit ssh.socket).
Once the port has changed, connecting from a client looks like this (the -p flag is needed because the client still assumes port 22): ssh -p 444 username@ipAddress
Creating SSH Keys
SSH keys can be used in place of password authentication. ssh-keygen generates a key pair: a private key, which stays on the machine where it was generated and must be kept secret (ideally protected by a passphrase), and a public key, which is copied into the ~/.ssh/authorized_keys file of the account you want to log in to on the remote machine. The public key is not secret; it only lets a server verify you, it cannot be used to impersonate you.
During login the server sends the client data tied to this particular session, and the client signs it with the private key. The server checks the signature against the public keys listed in authorized_keys; if one matches, you are in. The private key never leaves your machine, and because the signed data is unique to the session, a captured signature cannot be replayed later.
Use the command ssh-keygen to create the keys. Prefer a modern key type, for example ssh-keygen -t ed25519, which gives small, fast keys. You will be prompted for a passphrase; it is optional, but it means a stolen private key file cannot be used on its own (ssh-agent can cache the decrypted key so you are not prompted on every connection).
To install the public key on the remote computer, use ssh-copy-id, passing the new port with -p before the host:
ssh-copy-id -p portNumber username@ipAddress
It logs in with your password one last time, creates ~/.ssh on the remote side if needed, and appends your public key to ~/.ssh/authorized_keys. Now when I log in with SSH, it lets me in without a password: ssh -p portNumber username@ipAddress
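For the case where ssh-copy-id is not available (or you want to see what it actually does on the remote side), the step can be done by hand. The function below is an added example, not part of the original post or of OpenSSH: it installs a public key line into a user's ~/.ssh/authorized_keys idempotently and with the permissions sshd's StrictModes check requires (700 on ~/.ssh, 600 on authorized_keys, both owned by the user). The key lines in the demonstration are constructed placeholders, not real keys, and the home directory is a temporary directory rather than a real account.

```sh
#!/bin/sh
# Added example (not from the original post): the remote-side effect of
# ssh-copy-id, done by hand. $1 is a public key line, $2 the target user's
# home directory (a temporary directory in the demonstration below).
install_authorized_key() {
    key="$1"; home="$2"
    # Create ~/.ssh and authorized_keys under a private umask so they are never
    # world-readable even briefly; sshd refuses keys from sloppy permissions
    # when StrictModes is on (the default).
    ( umask 077
      mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
      touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys" ) || return 1
    # Match on key type and key material only; the trailing comment is free text.
    keyid=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' \
           "$home/.ssh/authorized_keys"; then
        return 0   # already installed; ssh-copy-id also skips duplicates
    fi
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# Number of key lines currently installed for the user whose home is $1.
count_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys" || true
}

# Demonstration with a constructed placeholder key (not a valid key).
demo_home=$(mktemp -d)
k1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONExxxxxxxxxxxxxx user@laptop'
install_authorized_key "$k1" "$demo_home"
install_authorized_key "$k1" "$demo_home"     # second call is a no-op
printf 'installed keys: %s\n' "$(count_keys "$demo_home")"
```

The duplicate check compares only the key type and the base64 key material, so re-running the function with a different comment on the same key does not add a second line, which is the same behaviour you get from ssh-copy-id.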
Removing Password Authentication
Since we will be using SSH keys, password authentication can be disabled, which removes the brute-force exposure entirely. Do this only after confirming, from a second terminal, that key-based login works, so you do not lock yourself out.
We'll have to edit the config file again with: sudo nano /etc/ssh/sshd_config
Look for PasswordAuthentication, remove the #, and change yes to no. On systems with PAM enabled (UsePAM yes), also set KbdInteractiveAuthentication no (called ChallengeResponseAuthentication in older OpenSSH releases); otherwise sshd can still prompt for a password through PAM's keyboard-interactive method. Finally, check for an Include line near the top of the file: sshd uses the first value it sees for a keyword, so a drop-in file under /etc/ssh/sshd_config.d/ that sets PasswordAuthentication yes (Ubuntu cloud images ship one) silently overrides your edit. Either change that file too or put your settings above the Include line.
After saving the changes, validate with sudo sshd -t and restart sshd as before: sudo service sshd restart (or ssh instead of sshd on Debian/Ubuntu).
I'll try to log in from a different computer to see whether things are working as they should.
The login attempt is denied: that computer's public key is not in authorized_keys on the server, and with password authentication off there is no other way in.
Disable Root Login
Logging in as root over SSH is not recommended: the account name is known to every attacker, and a compromise of that one login gives full control. Log in as a regular user and use sudo for tasks that require root privileges. Before disabling root logins, make sure that regular user exists, has sudo rights, and has a working key. We'll edit the config file again with sudo nano /etc/ssh/sshd_config.
Edit the PermitRootLogin line (uncomment it if needed) so it reads: PermitRootLogin no. The stock default is prohibit-password, which still allows root logins with a key; setting no refuses root logins entirely.
And restart SSH: sudo service sshd restart.
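The settings above interact with two things the stock config file hides: sshd keeps the first value it sees for most keywords, and many distributions put an Include line for /etc/ssh/sshd_config.d/*.conf at the very top, so a drop-in there wins over anything edited further down. The following shell script is an added example, not part of the original post: it computes the effective value of a keyword the way sshd does (first match, with Include expanded in place), writes a hardened copy of a constructed sample config with the new directives placed above the Include line, and prints the before and after values. The sample config and its drop-in file are constructed for the example, relative Include paths are resolved against the sample directory instead of /etc/ssh so it runs offline, and a Match block is treated as the end of the unconditional section.

```sh
#!/bin/sh
# Added example (not from the original post): audit and harden an sshd_config
# copy offline. Paths are hypothetical; nothing here touches /etc/ssh.

# Build a constructed sample: a stock-looking sshd_config whose Include line
# pulls in a cloud-init style drop-in that re-enables password logins.
make_sample() {
    mkdir -p "$1/sshd_config.d"
    cat > "$1/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
EOF
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

# Print the directives in the order sshd reads them, expanding Include where it
# appears. $2 is the base for relative Include paths (sshd uses /etc/ssh; we
# pass the sample directory so the example runs offline).
expand_config() {
    base="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            Include\ *|include\ *)
                pattern="${line#* }"
                case "$pattern" in /*) ;; *) pattern="$base/$pattern" ;; esac
                for inc in $pattern; do       # unquoted on purpose: the glob expands
                    [ -f "$inc" ] && expand_config "$inc" "$base"
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Effective value of keyword $3 in config $1: the FIRST active occurrence wins
# (Port and ListenAddress accumulate, but the first one is still the one that
# matters for this audit). Commented lines only document the built-in default,
# which the caller supplies as $4. Stops at the first Match block.
effective_value() {
    val=$(expand_config "$1" "$2" | awk -v key="$3" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }')
    printf '%s\n' "${val:-$4}"
}

# Write a hardened copy of $1 to $2 listening on port $3. The new directives go
# at the very top so they precede any Include, and active lines for the same
# keywords in the main file are commented out so a stray "Port 22" cannot keep
# sshd listening on the old port as well.
harden_config() {
    {
        printf '# Hardening directives first: sshd keeps the first value it sees\n'
        printf 'Port %s\n' "$3"
        printf 'PubkeyAuthentication yes\nPasswordAuthentication no\n'
        printf 'KbdInteractiveAuthentication no\nPermitRootLogin no\n'
        awk '{ k = tolower($1) }
             k == "port" || k == "pubkeyauthentication" ||
             k == "passwordauthentication" || k == "permitrootlogin" ||
             k == "kbdinteractiveauthentication" { print "#" $0; next }
             { print }' "$1"
    } > "$2"
}

# Offline demonstration. Real deployment: write the hardened file to
# /etc/ssh/sshd_config, run `sudo sshd -t`, then restart the service while
# keeping your current session open in case something went wrong.
tmp=$(mktemp -d)
make_sample "$tmp"
harden_config "$tmp/sshd_config" "$tmp/sshd_config.hardened" 444
for k in Port PasswordAuthentication KbdInteractiveAuthentication PermitRootLogin; do
    printf '%-28s before=%-18s after=%s\n' "$k" \
        "$(effective_value "$tmp/sshd_config" "$tmp" "$k" '(default)')" \
        "$(effective_value "$tmp/sshd_config.hardened" "$tmp" "$k" '(default)')"
done
```

Run against the sample, the audit shows PasswordAuthentication as yes before hardening even though the main file never sets it, because the drop-in pulled in by Include is read first. That is exactly the situation in which editing the PasswordAuthentication line further down the file appears to have no effect.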
There are other ways of making SSH more secure, but these are some of the most common ways of doing so.