How to secure your (SSH) server on Linux/FreeBSD

If you have to enable remote SSH access to your Linux/UNIX server then you should lock it down with a few simple steps; I’d recommend doing the following:-

  • Change the default SSH port (this only cuts down the automated scanner noise in your logs; it is not a security control on its own).
  • Disable password authentication by using Public key authentication instead.

There are loads of other things you can do to further lock down your server, and plenty of other security utilities you can use, but this article concentrates on securing SSH access.

Other things you may also want to consider installing and configuring are a firewall (iptables on Linux, pf or pfSense on FreeBSD), denyhosts and rkhunter.

So first of all, if you don’t already have an SSH key pair, generate one on your desktop PC/laptop like so (note the capital -C, which sets a comment so you can tell your keys apart; lowercase -c means “change the comment on an existing key” and will fail here. ed25519 keys are the better choice on any current OpenSSH, but the file names in this post assume the RSA default):-

ssh-keygen -t rsa -b 4096 -C "your_email_address"

Now copy the public key (the file with the .pub extension) to your server; you can use SCP (Secure Copy) for this, like so (the trailing colon means “into my home directory on the server”):-

scp ~/.ssh/id_rsa.pub user@yourserver.com:

Next we need to append the contents of the public key to your authorized_keys file. Log on to the server and run the following: the first line creates ~/.ssh if it doesn’t exist yet and gives it the permissions sshd insists on, the cat line adds your desktop’s public key to the server’s list of keys allowed to connect (authorized keys), the chmod makes sure sshd will actually read that file (with the default StrictModes yes it silently ignores a group- or world-writable ~/.ssh or authorized_keys), and the last line deletes id_rsa.pub as we no longer need it. If your desktop has ssh-copy-id, `ssh-copy-id user@yourserver.com` does the scp and all of this in one go.

mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
rm id_rsa.pub
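Getting the permissions right and not accidentally installing the private key are what trip people up at this step. The following is an added example, not code from the original post: a small POSIX sh helper that does the same append safely (creates ~/.ssh with mode 700 and authorized_keys with mode 600, refuses anything that is not an OpenSSH public-key line, and will not add the same key twice). The function names, the scratch home directory and the sample key are all assumptions made for the demo; the key blob is constructed and is not a real RSA key.

```shell
#!/bin/sh
# install_authorized_key <pubkey-file> [home-dir]
#   Appends one public key to $home/.ssh/authorized_keys the way sshd expects:
#   ~/.ssh mode 700, authorized_keys mode 600 (sshd's default StrictModes yes
#   ignores the file if either is group/world-writable), no duplicate entries,
#   and a refusal to install anything that is not a public-key line (the
#   classic mistake is copying id_rsa instead of id_rsa.pub).
#   Returns 0 on success, 1 if the file is not an OpenSSH public key.
install_authorized_key() {
    pubfile=$1
    home=${2:-$HOME}
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    # A .pub file is a single line: "<type> <base64 blob> [comment]".
    key=$(head -n 1 "$pubfile")
    case $key in
        "ssh-ed25519 "[A-Za-z0-9+/]* | "ssh-rsa "[A-Za-z0-9+/]* | "ecdsa-sha2-nistp"[0-9]*" "[A-Za-z0-9+/]*)
            ;;
        *)
            # A private key starts with "-----BEGIN", so it lands here.
            echo "refusing $pubfile: not an OpenSSH public key line" >&2
            return 1 ;;
    esac

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"

    # Duplicate check on "<type> <blob>" only, so the same key with a
    # different comment is still recognised as already installed.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { f = 1 } END { exit !f }' "$authkeys"; then
        echo "already present in $authkeys"
    else
        printf '%s\n' "$key" >> "$authkeys"
        echo "installed into $authkeys"
    fi
    return 0
}

# count_authorized_keys [home-dir]: number of key lines (comments/blanks ignored)
count_authorized_keys() {
    grep -c '^[a-z]' "${1:-$HOME}/.ssh/authorized_keys" || true
}

# Constructed sample key for the demo: the blob is NOT a real RSA key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleNotARealKey0123456789 you@laptop'

# Demo in a scratch "home directory" so nothing touches the real ~/.ssh.
demo_home=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$demo_home/id_rsa.pub"
install_authorized_key "$demo_home/id_rsa.pub" "$demo_home"
install_authorized_key "$demo_home/id_rsa.pub" "$demo_home"   # second run: no duplicate
echo "keys in authorized_keys: $(count_authorized_keys "$demo_home")"   # 1
rm -rf "$demo_home"
```

On a real server you would call it as `install_authorized_key ~/id_rsa.pub` after the scp step; the file check is a cheap format test, not a cryptographic one, so it stops the private-key mix-up but will not tell you whether the key is one you meant to authorise.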

So that’s the first bit done; the next bit is to edit the SSH daemon’s configuration file on the server, using nano, vim or ee etc.

sudo nano /etc/ssh/sshd_config

Now the first step… we’ll make sure Public Key authentication is enabled on the server, reload sshd, and then try to connect using our private key; only once that works do we go on to disable password authentication. So, with the sshd_config file open, find these lines (they may be commented out with ‘#’ or have a different value), un-comment them and make sure they look like so:-

RSAAuthentication yes
PubkeyAuthentication yes

PubkeyAuthentication is the one that matters (and its default is already yes if the line is absent). RSAAuthentication only ever applied to SSH protocol 1 and has been removed from OpenSSH; from 7.4 onwards sshd just logs a “Deprecated option” warning for it, so on a current system leave that line out and set PubkeyAuthentication alone.

So now, save the file, reload the SSH server and then try to log in using our new private key from our desktop machine… A reload makes sshd re-read its configuration without dropping the session you are already in, which is exactly what you want while changing authentication settings. Use whichever of these matches your init system:-

sudo /etc/init.d/ssh reload       # Debian/Ubuntu with SysV init; on systemd: sudo systemctl reload ssh
sudo service sshd reload          # FreeBSD
exit

Now we are back on our desktop machine, let’s attempt to log in. Tell ssh to use public key authentication only, so that if the key is not accepted you get a clear “Permission denied (publickey)” instead of silently being dropped to a password prompt and thinking the key worked:-

ssh -o PreferredAuthentications=publickey user@yourserver.com

You should now be asked for your passphrase; this is the passphrase you entered when you created the key pair in the first step of this post (the prompt comes from ssh on your desktop, unlocking the private key, not from the server). Once you’ve entered that you should be logged in! Now we know that works we can disable the standard password authentication… On the server, edit /etc/ssh/sshd_config again, find the following and ensure they are set to ‘no’ like so (on OpenSSH 8.7 and later ChallengeResponseAuthentication has been renamed KbdInteractiveAuthentication; the old name is still accepted as an alias, so set whichever one your file already uses):-

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Save the file, check the syntax before reloading (sudo sshd -t prints nothing when the file is fine and an error with a line number when it isn’t; a syntax error would stop sshd from starting and lock you out), then reload the SSH daemon as before. Keep your current session open and test from a second terminal, so that if something is wrong you can still fix it. One caveat on UsePAM no: it also switches off PAM’s account and session modules (password expiry checks, pam_limits, pam_systemd and friends). With PasswordAuthentication and ChallengeResponseAuthentication both off, password logins are already blocked, so on distributions whose packaged sshd_config expects UsePAM yes (Debian/Ubuntu, RHEL) you can leave it at yes.

In future you’ll need the matching private key in your ~/.ssh/ directory to be able to access the server, and any attempt to use password authentication should now fail. You can prove that from your desktop with ssh -o PreferredAuthentications=password,keyboard-interactive user@yourserver.com, which the server should refuse with “Permission denied (publickey)”.
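One thing worth knowing before you trust that “PasswordAuthentication no”: sshd_config is read top to bottom and, for almost every keyword, the first value found wins; later repeats are ignored. Debian/Ubuntu put “Include /etc/ssh/sshd_config.d/*.conf” at the top of the file, so a drop-in that says “PasswordAuthentication yes” (cloud-init writes one called 50-cloud-init.conf on recent Ubuntu images) is read before your own “no” and wins. On a live box “sudo sshd -T | grep -i passwordauth” is the authoritative answer. The script below is an added example, not part of the original post: it reproduces that first-value-wins walk offline (Include expanded in place, everything after the first Match treated as conditional) so you can see why sshd -T says what it says. The function names, the scratch directory and the sample config files are assumptions made for the demo.

```shell
#!/bin/sh
# effective_sshd_setting <sshd_config> <keyword> [base-dir]
#   Prints the value sshd will use for <keyword>: the FIRST one found while
#   reading the file top to bottom with Include expanded in place.  Lines
#   after the first "Match" are conditional and are left out of the global
#   scope.  base-dir is where relative Include paths are resolved (/etc/ssh
#   on a real system; defaults to the directory of the config file).

_sshd_in_match=0

# Print "keyword value" (keyword lowercased) for every global-scope line.
# $1 = file, $2 = base dir for relative includes.
_sshd_flatten() {
    [ -r "$1" ] || return 0
    while read -r key val || [ -n "$key" ]; do
        [ "$_sshd_in_match" -eq 0 ] || break
        case $key in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $key in
            match)
                _sshd_in_match=1        # everything from here on is conditional
                break ;;
            include)
                set -f                  # split the patterns first, glob below
                for pat in $val; do
                    set +f
                    case $pat in /*) ;; *) pat="$2/$pat" ;; esac
                    for inc in $pat; do  # sorted glob expansion, like sshd
                        _sshd_flatten "$inc" "$2"
                    done
                done
                set +f ;;
            *)
                printf '%s %s\n' "$key" "$val" ;;
        esac
    done < "$1"
}

effective_sshd_setting() {
    _sshd_in_match=0
    _sshd_flatten "$1" "${3:-$(dirname "$1")}" |
        awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
            '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# audit_sshd_config <sshd_config> [base-dir]: the keywords this post touches,
# plus PermitRootLogin, with the value sshd will actually apply.
audit_sshd_config() {
    for kw in Port PubkeyAuthentication PasswordAuthentication \
              ChallengeResponseAuthentication KbdInteractiveAuthentication \
              UsePAM PermitRootLogin; do
        v=$(effective_sshd_setting "$1" "$kw" "${2:-$(dirname "$1")}")
        printf '%-32s %s\n' "$kw" "${v:-(not set, default applies)}"
    done
}

# Demo on a constructed layout that mirrors Debian/Ubuntu (not real files).
demo=$(mktemp -d)
mkdir "$demo/sshd_config.d"
cat > "$demo/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
Port 22
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
printf 'PasswordAuthentication yes\n' > "$demo/sshd_config.d/50-cloud-init.conf"
echo "== with the drop-in present =="
audit_sshd_config "$demo/sshd_config"        # PasswordAuthentication yes
rm "$demo/sshd_config.d/50-cloud-init.conf"
echo "== drop-in removed =="
audit_sshd_config "$demo/sshd_config"        # PasswordAuthentication no
rm -rf "$demo"
```

Run it against the real files with `audit_sshd_config /etc/ssh/sshd_config /etc/ssh` (as root, since the drop-ins are usually root-readable only). If it reports a value you did not set, look for it in the Include directory rather than editing the main file a second time: the “no” you append at the bottom will never be read.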