Making SSH more secure
There are several ways to make SSH (Secure Shell) more secure than it already is and make it harder for attackers to get into your Linux server through it. Root is the ultimate admin user with every privilege imaginable, so the first thing to do is deny root logins to your Linux server over SSH.
Getting SSH
To get started with SSH we need to install an SSH server on our computer. To do this on Debian or Ubuntu, run this command (as root or via su -):
To disable root access from SSH
Change “PermitRootLogin” to “no” in the /etc/ssh/sshd_config file. Then restart the SSH server by typing systemctl restart ssh
Change the Port
SSH normally runs on port 22. We know that, and the bad guys do too. So let’s get rid of the automated bots and the script kiddies by changing it to something else. Let’s choose 8888 (not the one I really chose, so don’t get any ideas).
Find the entry called “Port”, remove the # sign and put in our number, 8888. Save the file and then restart the SSH server.
Don’t use a password
Use a big key that you have stored on your machine and that no one else knows. First we need to generate the keys. There will be two of them, one of which we are going to share with the server.
You should keep the keys where they are for now; we can copy them later. You can also protect the key with a passphrase, or press Enter to go without one.
The two keys that it generates are:
- Public key — id_rsa.pub
- Private Key — id_rsa
From the client machine
On the server
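# Append the uploaded public key so existing authorized_keys entries are kept
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
rm ~/.ssh/id_rsa.pub
# Only the owner may read or write the directory and the key list
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Change the “PasswordAuthentication” line to “no” in the /etc/ssh/sshd_config file.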
Now you can log in without a password.
Just these three simple techniques will save you a lot of headaches. Remember to back up your keys to a USB stick or two that you have handy. Never share your private key.
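
To check that all three changes actually took effect, here is a small audit script, added as an example and not part of the original article. The function names (effective_value, audit_sshd_config, sample_config) and the sample file are made up for illustration; the sample deliberately leaves the root-login line commented out and keeps a second Port 22 line, two slips that leave the server less hardened than it looks.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: Include files are
# not followed, "Keyword=value" syntax is not handled, parsing stops at "Match".

# effective_value FILE KEYWORD DEFAULT [all]
# sshd matches keywords case-insensitively, ignores '#' lines, and keeps the
# FIRST value of a keyword. Port is an exception: every Port line adds a listener.
effective_value() {
    awk -v key="$2" -v def="$3" -v multi="$4" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && (multi || out == "") { out = (out == "" ? $2 : out " " $2) }
        END { print (out == "" ? def : out) }
    ' "$1"
}

# audit_sshd_config FILE: one line per setting; returns the number of failures.
audit_sshd_config() {
    fails=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password)  # OpenSSH default
    ports=$(effective_value "$1" Port 22 all)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    if [ "$root" = no ]; then echo "ok   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '$root'"; fails=$((fails + 1)); fi
    case " $ports " in
        *" 22 "*) echo "FAIL sshd still listens on port 22 (Port: $ports)"; fails=$((fails + 1)) ;;
        *) echo "ok   Port $ports" ;;
    esac
    if [ "$pass" = no ]; then echo "ok   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication is '$pass'"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample: '#' never removed, old Port line left in, duplicate keyword.
sample_config() {
    cat <<'EOF'
#PermitRootLogin no
Port 8888
Port 22
passwordauthentication no
PasswordAuthentication yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "$? setting(s) need attention"
rm -f "$tmp"
```

On a live server, running sshd -T as root prints the effective configuration, including any Include files this script does not follow.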