Sam Starkman


How To Securely Configure SSH On Linux Servers

SSH best practices to keep yourself protected

Photo by Joan Gamell on Unsplash

Secure Shell, commonly referred to as SSH, is a cryptographic protocol used to secure communication between two hosts over a network. SSH is useful because it allows for secure communication, even when the network may be insecure.

Here are some best practices for securing your SSH connection and preventing unauthorized users on your network.

Use a strong username/password combination

Having an easy-to-guess password is one of the quickest ways to let someone gain access to your server (or any device, for that matter). For example, “123456” or “password” are strongly advised against because they are too easy to guess. An attacker can attempt to brute force your device by trying many of these ill-advised, common passwords — a strong password will stop this from succeeding.

Disable empty passwords

Another security measure that should be taken is to disable an empty or blank password. On your server, open the /etc/ssh/sshd_config file in your text editor of choice and add the line PermitEmptyPasswords no. If it exists already, simply change it from yes to no. This disables blank passwords, which are just as bad as weak ones.

Disable root login

The root user has admin privileges on the server, which is something we never want an attacker to get hold of. Instead of accessing your server as root, you should create a new user and give it sudo access. You can add a user to the sudo group with usermod -aG sudo newuser, where “newuser” is the username of the account.

Then, you will want to disable the actual root account from being accessed. In the same /etc/ssh/sshd_config file that we disabled the blank passwords in, add the line PermitRootLogin no. Again, if it exists already, just change it from yes to no.

Change the default port

When an attacker wants to try to gain access to a server via SSH, they will often scan all devices on the internet for the open port 22, which is the default SSH port. One trick to prevent your device from showing up here is to change the default port that SSH operates on.

In our sshd_config file, add Port XXXX where “XXXX” is the port value that you want to use. This will work as long as the port number you select isn't already being used by another service. Once you change the port number, you will have to restart your SSH service in order for the changes to take effect. Do this with service sshd restart.

While this doesn't completely prevent an attacker from discovering your device, it makes the device more difficult to find.

Use public/private keys

One last security measure you can take to prevent an attacker from gaining access to your server is by using a public/private key pair for authentication. This method is an alternative to logging in with a username/password combination.

First, on your client machine, you will want to run ssh-keygen -t rsa. Follow the steps to select the directory the keys will be saved in, and if you want to add a password for the private key. Once the process is complete, it will have generated an id_rsa (private key), and id_rsa.pub (public key).

Next, you want to copy the SSH public key to the server, which can be done with ssh-copy-id. Alternatively, you can use scp to copy the public key as well. Add the contents of id_rsa.pub to the ~/.ssh/authorized_keys file on the server and set its permissions with chmod 600 ~/.ssh/authorized_keys.

Finally, we can disable server login via password, so that only logins with public/private key authentication are allowed. We can do this in the same sshd_config file by adding/changing the line PasswordAuthentication no. Now, when you log in, you won’t be asked for your password because the authentication is coming from the public/private key pair.
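
The key-copy step above done by hand, as an added example that is not part of the original article: it appends a public key to authorized_keys only once and sets the modes sshd expects. The function names, the scratch directory and the key string are constructed for illustration.

```shell
# Added example (not from the original article): install a public key with the
# permissions sshd expects. HOME_DIR is a parameter so the function can be
# tried on a scratch directory first.

# install_pubkey HOME_DIR PUBKEY_FILE
# Returns 0 on success, 2 if PUBKEY_FILE is not a single public-key line.
install_pubkey() {
    home=$1 pub=$2
    auth="$home/.ssh/authorized_keys"
    # Exactly one line of the form "<key-type> <base64> [comment]". This also
    # rejects a private key (id_rsa) passed by mistake.
    [ "$(grep -c '' "$pub")" -eq 1 ] || return 2
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$pub" || return 2
    key=$(cat "$pub")
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"              # directory: owner only
    touch "$auth"
    # Append only if this exact line is not already present (idempotent).
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 600 "$auth"                   # file: owner read/write only
}

# Print the 10-character mode string of a path, e.g. "-rw-------".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed demo on a scratch directory; the key material is a made-up placeholder.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDEXAMPLE newuser@client' > "$demo/id_rsa.pub"
install_pubkey "$demo" "$demo/id_rsa.pub"
install_pubkey "$demo" "$demo/id_rsa.pub"     # second run adds nothing
echo "authorized_keys: $(mode_of "$demo/.ssh/authorized_keys"), $(grep -c '' "$demo/.ssh/authorized_keys") key(s)"
rm -rf "$demo"
```

With sshd's default setting StrictModes yes, a ~/.ssh directory or authorized_keys file that other users can write to makes the server ignore the key, which is why the modes matter.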

You can follow the steps at https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-2 as well if you would like more information on setting up the SSH keys.
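
A check for the sshd_config settings this guide changes (PermitEmptyPasswords, PermitRootLogin, Port, PasswordAuthentication), as an added example that is not part of the original article. It reads only the global section of one file and does not follow Include directives; the function names, the sample config and port 2222 are constructed.

```shell
# Added example, not from the original article. sshd keeps the FIRST value it
# reads for a keyword, so a line appended below an existing one is ignored.
# Print the first global value of KEYWORD ($2) in FILE ($1), or "unset".
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); val = "unset" }
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || /^$/ { next }                   # comment or blank line
        { split($0, f, "[ \t=]+") }             # "Keyword value" or "Keyword=value"
        tolower(f[1]) == "match" { exit }       # later settings are conditional
        tolower(f[1]) == key { val = tolower(f[2]); exit }
        END { print val }
    ' "$1"
}

# Audit FILE against this guide; the return status is the number of findings.
audit_sshd_config() {
    file=$1 failures=0
    for want in permitemptypasswords=no permitrootlogin=no passwordauthentication=no; do
        key=${want%%=*} expected=${want#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$expected" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key $got (guide sets $expected)"; failures=$((failures + 1))
        fi
    done
    port=$(effective_value "$file" port)
    if [ "$port" = "unset" ] || [ "$port" = "22" ]; then
        echo "FAIL port $port (default port 22 in use)"; failures=$((failures + 1))
    else
        echo "PASS port $port"
    fi
    return "$failures"
}

# Constructed sample: "PermitRootLogin no" was appended, but the earlier "yes" wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin yes
permitemptypasswords no
PasswordAuthentication=no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample" || echo "$? directive(s) need attention"
rm -f "$sample"
```

On the server itself, sshd -t checks the file for syntax errors before you restart the service, and sshd -T prints the configuration sshd will actually use.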

Takeaways

SSH can be a very useful protocol to help with communication between devices. However, if configured insecurely and improperly, SSH can be the perfect entryway for a malicious actor to gain access to your network. If you follow the steps outlined above, you’ll no longer have to worry about a hacker taking over your personal data. This guide is meant to be simple and straightforward — I hope these tips help you secure your servers and eliminate your fear of malicious attackers!
