OpenSSH (Open Secure Shell) is a suite of secure network connectivity tools that provides an encrypted replacement for protocols like Telnet and FTP. The server component,
sshd, lets you connect to a machine remotely to run commands securely.
Prerequisites
- A Linux distribution (Ubuntu, Debian, CentOS, etc.).
- Root access or
sudoprivileges.
Step 1: Installing the OpenSSH server
On many server distributions, OpenSSH is already installed. You can check with systemctl status sshd.
If it is not, install it:
# On Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y openssh-server
# On CentOS / RHEL
sudo yum install -y openssh-server
Step 2: Managing the SSH service
Once installed, the service (named ssh or sshd depending on the distribution) should start automatically.
# Start the service (if needed)
sudo systemctl start sshd
# Enable the service at system startup
sudo systemctl enable sshd
# Check the status
sudo systemctl status sshd
Step 3: Configuration and Hardening
The default configuration is functional, but not optimal in terms of security. The main configuration file is /etc/ssh/sshd_config. Back it up before modifying it.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo nano /etc/ssh/sshd_configHere are the most important changes to consider:
Disable root access
It is strongly recommended not to allow direct login by the root user. Log in first with a standard user, then use sudo.
PermitRootLogin noUse key-based authentication only
This is the most effective security measure. It disables password login, making brute-force attacks impossible. Make sure you have configured your SSH key before enabling this option!
PasswordAuthentication no
PubkeyAuthentication yes
Change the default port
Changing the default port (22) to another one (e.g. 2222) can significantly reduce the "noise" from bots that scan port 22.
Port 2222Warning: If you change the port, don't forget to allow it in your firewall!
Restrict users
If only a few users need SSH access, you can specify them explicitly.
AllowUsers user1 user2Step 4: Apply the new configuration
After modifying the sshd_config file, test the syntax and restart the service.
# Test the syntax of the configuration file
sudo sshd -t
# If there are no errors, restart the service
sudo systemctl restart sshd
Your SSH server is now configured with a solid security baseline.
Step 5: Configure the firewall
Don't forget to allow your SSH port (the new one if you changed it) in your firewall.
# For UFW (port 2222)
sudo ufw allow 2222/tcp
sudo ufw reload
# For firewalld (port 2222)
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
When you modify the SSH configuration, always keep your current session open. Open a new terminal window to test the connection with the new settings. If the new connection fails, you can fix the error in your initial session. If you close your session after a bad configuration, you may no longer be able to reconnect!
Conclusion
Properly configuring and securing the OpenSSH server is fundamental to administering any Linux server. By disabling root access and favoring key-based authentication, you eliminate the vast majority of automated attack risks.
Comments