Introduction
Secure Shell (SSH) is a protocol used to securely access and manage remote servers. Implementing proper security measures for SSH is essential to protect your server from unauthorized access and potential security threats. This guide will cover steps to secure your SSH server, including adding a new user, disabling root login, changing the SSH port, using SSH keys for authentication, and disabling password authentication.
Step 1: Add a New User
First, create a new user named admin and add it to the sudo group (usermod -aG sudo admin on Debian/Ubuntu); without sudo rights you lose administrative access to the box once root login is disabled:
adduser admin
Try to SSH into the server as the new user, with the password you just set:
ssh admin@domain.com
Step 2: Disable Root Login
Edit the SSH configuration file to disable root login. Execute these commands as root (or via sudo):
nano /etc/ssh/sshd_config
Find and change PermitRootLogin to no (if automation genuinely needs root over SSH, prohibit-password keeps key-based root logins while refusing passwords):
PermitRootLogin no
Run sshd -t to check the file for syntax errors, then restart the SSH service:
systemctl restart sshd
Keep the current root session open until the new login path is confirmed, so a mistake cannot lock you out. From a second terminal, confirm that the admin user can still log in:
ssh admin@domain.com
and that root is now refused even with the correct password (ssh root@domain.com should end in Permission denied).
Step 3: Change SSH Port
Moving SSH off port 22 does not hide it from a targeted attacker, since a port scan finds it in seconds, but it removes most of the automated brute-force noise from your logs. This guide uses 1011; any free port works, and ports below 1024 are fine because sshd starts as root. SSH runs over TCP only, so the port does not need to be opened for UDP. Allow the new port through the firewall before touching the daemon:
ufw allow 1011/tcp
On SELinux systems (RHEL and derivatives) the port must also be labelled for sshd: semanage port -a -t ssh_port_t -p tcp 1011. Edit the SSH configuration file to change the port:
nano /etc/ssh/sshd_config
Change the port number:
Port 1011
Restart the SSH service:
systemctl restart sshd
On Ubuntu releases that start sshd through systemd socket activation (22.10 and later) the listening port belongs to ssh.socket rather than the service, so a plain restart may leave it on 22; run systemctl daemon-reload, restart ssh.socket and confirm with ss -tlnp which port sshd is actually bound to. Try to log in using the new port (do not log out from the current session):
ssh -p 1011 admin@domain.com
After successfully logging in with the new port, test the old port to ensure it is closed:
ssh admin@domain.com
The connection should fail (refused or timed out) without specifying the new port. Once that is confirmed, delete any firewall rule that still opens port 22 (for example ufw delete allow OpenSSH if the OpenSSH application profile was enabled).
Step 4: Generate SSH Key Pair
On your local machine, generate a new key pair into a dedicated file. Passing -f keeps your existing keys in ~/.ssh untouched, so there is no need to move the folder aside, and -t rsa is spelled out because recent ssh-keygen versions default to Ed25519 (ssh-keygen -t ed25519 is the modern choice and works identically with the rest of this guide). Set a passphrase when prompted; a passphrase-less key is only as safe as the machine it sits on:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/domain.pem
This writes the private key to ~/.ssh/domain.pem (the .pem suffix is only a label; the file is an OpenSSH-format private key) and the public key to ~/.ssh/domain.pem.pub. Copy the public key to the server; ssh-copy-id appends it to the admin user's ~/.ssh/authorized_keys and sets the directory and file permissions sshd requires:
ssh-copy-id -i ~/.ssh/domain.pem.pub -p 1011 admin@domain.com
Log in using the key:
ssh -i ~/.ssh/domain.pem -p 1011 admin@domain.com
You should get a shell without a password prompt (only the key passphrase, if you set one). To avoid typing -i and -p every time, add a Host entry for the server to ~/.ssh/config with Port, IdentityFile and IdentitiesOnly yes. Test the login method without the key to ensure it still prompts for a password; disabling public-key authentication on the client side makes this test meaningful even when an agent or config file would otherwise offer the key:
ssh -o PubkeyAuthentication=no -p 1011 admin@domain.com
Step 5: Disable Password Authentication
Finally, disable password authentication by editing the SSH configuration file:
nano /etc/ssh/sshd_config
Set PasswordAuthentication to no. Set KbdInteractiveAuthentication to no as well (ChallengeResponseAuthentication on older versions): with UsePAM yes, sshd can otherwise still collect the account password through a keyboard-interactive prompt, so this directive alone would not stop password guessing:
PasswordAuthentication no
Before restarting, confirm the value sshd will actually use. Stock configurations start with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each directive, so a drop-in in that directory (cloud images commonly ship one that sets PasswordAuthentication yes) silently wins over the main file. sshd -T prints the effective configuration; passwordauthentication and kbdinteractiveauthentication must both show no there, and sshd -t reports syntax errors before you restart. Then restart the SSH service:
systemctl restart sshd
Try to log in again with a password (do not log out from the current session):
ssh -o PubkeyAuthentication=no -p 1011 admin@domain.com
You should get "Permission denied (publickey)" without being asked for a password.
Verify that login with the key still works:
ssh -i ~/.ssh/domain.pem -p 1011 admin@domain.com
Summary
By following these steps, you have substantially hardened your SSH server. You’ve added a non-root administrative user, disabled root login, moved SSH to a non-default port, enabled key-based authentication, and disabled password authentication. Key-only authentication is what actually defeats password brute-forcing; the port change mostly reduces the volume of automated attempts that reach the daemon. Keep the private key passphrase-protected and backed up, keep OpenSSH updated, and re-check the effective configuration with sshd -T after package upgrades or cloud-init runs, which can reintroduce drop-in files that re-enable passwords.
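The following script is an added example and is not part of the original guide. It carries out the sshd_config edits from Steps 2, 3 and 5 with a function instead of nano, handles the two cases that bite in practice (the directive is present but commented out, or it only appears inside a Match block), and audits the configuration sshd actually loads via sshd -T, which is where drop-ins from /etc/ssh/sshd_config.d/ show up. The function names, the constructed sample configuration in demo and the port 1011 carried over from Step 3 are the example's own; sshd -t and sshd -T are real OpenSSH options.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: apply the sshd_config changes
# from Steps 2, 3 and 5 idempotently, then audit what sshd actually runs with.
# Every function takes a file path, so it can be tried on a copy first.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first global occurrence of KEY (commented out or not) to
# "KEY VALUE". If there is none, the directive is inserted before the first
# Match block, or appended at the end. Lines inside Match blocks are left
# alone: they override the global value only for matched connections, which
# audit_effective still surfaces. sshd keeps the first value it reads for a
# directive, so placing ours first makes any later duplicate inert.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; lk = tolower(key) }
        !done && tolower($1) == "match" { print key " " value; done = 1 }
        !done {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # drop indent and a leading "#"
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk) { print key " " value; done = 1; next }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # write in place so owner and mode are kept
    rm -f "$tmp"
}

# apply_hardening FILE PORT: the settings this guide ends with, plus
# KbdInteractiveAuthentication (needed next to PasswordAuthentication when
# UsePAM is on) and an explicit PubkeyAuthentication yes.
apply_hardening() {
    local file="$1" port="$2"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" KbdInteractiveAuthentication no
}

# audit_effective PORT: reads `sshd -T` output on stdin (lower-case "key value"
# lines showing the parsed configuration, drop-ins included) and prints every
# directive that differs from the hardened value. A second "port" line, e.g. a
# leftover 22, is reported too. Exit status 1 on any finding, 0 when clean.
audit_effective() {
    awk -v port="$1" '
        BEGIN {
            want["port"] = port
            want["permitrootlogin"] = "no"
            want["pubkeyauthentication"] = "yes"
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "no"
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) { bad++; printf "%s is %s, expected %s\n", $1, $2, want[$1] }
        }
        END {
            for (k in want) if (!(k in seen)) { bad++; printf "%s not reported\n", k }
            exit bad ? 1 : 0
        }
    '
}

# demo: constructed sample (not a real server) resembling a stock sshd_config
# with a Match block; prints the hardened result without touching /etc/ssh.
demo() {
    local f
    f="$(mktemp)"
    printf '%s\n' \
        '# Comment mentioning PasswordAuthentication, must be ignored' \
        '#PermitRootLogin prohibit-password' \
        'Port 22' \
        '#PasswordAuthentication yes' \
        'Match User backup' \
        '    PasswordAuthentication yes' > "$f"
    apply_hardening "$f" 1011
    cat "$f"
    rm -f "$f"
}

# Real use (as root), keeping the existing session open as the guide advises:
#   cp -p /etc/ssh/sshd_config /root/sshd_config.bak
#   apply_hardening /etc/ssh/sshd_config 1011
#   sshd -t && systemctl restart sshd
#   sshd -T | audit_effective 1011
```

The audit is deliberately run against sshd -T rather than the file just edited: the Include line at the top of a stock sshd_config pulls in /etc/ssh/sshd_config.d/*.conf first, and since sshd takes the first value it sees, a drop-in that says PasswordAuthentication yes overrides a correct main file without any warning.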