SSH is how most administrators connect to their servers. It is also one of the most commonly attacked ports on a Linux server. If you followed my previous tutorial about how to install fail2ban, you’ve probably noticed that you receive many emails about failed attacks. In this tutorial, I’ll show a few more steps that can be taken to lock down the SSH daemon and your server even further.
Before we begin, I’d like to show you a few stats about your server. The following commands will show you some interesting information about the brute force attacks you’ve been noticing on your server.

First – Show the 5 most recently attacked user accounts on your system. In this list you may notice user accounts that don’t even exist on your system. That is because someone is trying automated attacks against you:

lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -5

Next – Show the 5 most attacked accounts. Again, user accounts that don’t exist may be in this list.

awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/secure* | sort | uniq -c | sort -rn | head -5

Finally – Show the 5 most frequent attacker IP addresses. These are addresses that attempt to connect to your server.

awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $3}' /var/log/secure* | sort | uniq -c | sort -rn | head -5

Securing SSH

Now that you can see what’s coming at your server, what can you do about it? Below are a few steps you can take to secure SSH.

vi /etc/ssh/sshd_config

This is the main configuration file for SSH. All of our changes will be in here.

The first setting we are looking for is Protocol. We want this set to 2. Most modern Linux distributions already have this by default, but some may still allow the first version of the protocol to connect. We don’t want this.

Protocol 2

Next, we are going to deny root the ability to log in via SSH. Root doesn’t need direct access, because we have already set up sudo. Find the PermitRootLogin setting and change it to no.

PermitRootLogin no

The next step is to limit the amount of time an unauthenticated session can hold open a connection. By default this is two minutes. This is way too long. Find the LoginGraceTime setting and change it to a more reasonable time. The value listed here is in seconds. The example below allows 30 seconds for a user to enter their password before the connection is closed.

LoginGraceTime 30

The next one is to change the SSH port. It should be noted that this step brings no additional security to your system at all. It will, however, reduce the number of random, automated attacks that hit your server. Again, it will NOT bring additional security to your system. Find the Port setting and change it to another port. Common practice is to raise this above 1024, as everything below that is reserved for other programs.

Port 22222

Now when you connect to your server, you will need to modify your connection port to use 22222.

Next, we can set up SSH to only allow whitelisted users or groups. The following will only allow users ‘mary’, ‘john’ and any user whose name starts with ‘joe’ to connect. This line gets placed at the end of the file:

AllowUsers john mary joe*

This setting, alternatively, will allow all users from the ‘sshusers’ group to log in:

AllowGroups sshusers

Finally, we can only allow users to log in using public/private key pairs. How to set this up is beyond the scope of this tutorial, so if you don’t know how to do so, do not change this setting:

PasswordAuthentication no

Save and exit this file. Now we restart sshd and you are good to go.

Note: Do not log out of your active SSH session after running this command until you have tested that you can connect. If you do and something does not work, you will be locked out of your server.

service sshd restart

If you are able to log in using another PuTTY or SSH session, your changes have worked. Remember when you log in, if you changed your Port, you need to specify the new port.
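Before you restart sshd, it is worth checking that the file really contains the settings above. The script below is an added example, not part of the original tutorial: it audits an sshd_config for the Protocol, PermitRootLogin, LoginGraceTime, PasswordAuthentication and AllowUsers/AllowGroups settings, and it respects sshd’s rule that the first occurrence of a keyword wins, which matters when you append lines at the end of the file. The function names and the sample config are my own constructed ones.

```shell
#!/bin/sh
# Audit an sshd_config for the settings recommended in this tutorial.
# sshd honours the FIRST occurrence of each keyword (sshd_config(5)), so a
# hardened line appended below an earlier, weaker one is silently ignored;
# sshd_get mirrors that rule and skips lines commented out with '#'.
sshd_get() {  # sshd_get <config_file> <keyword> -> effective value, empty if unset
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

report() {  # report <setting> <value> <yes|no> <advice>; counts WEAK findings in $weak
    if [ "$3" = yes ]; then echo "OK    $1 = $2"
    else echo "WEAK  $1 = $2 ($4)"; weak=$((weak + 1)); fi
}

# audit_sshd_config <config_file>: prints one line per check; the return status
# is the number of weak settings, so 0 means every recommended setting is in place.
audit_sshd_config() {
    weak=0
    v=$(sshd_get "$1" Protocol)
    case "$v" in 2) report Protocol "$v" yes ;; *) report Protocol "${v:-unset}" no "set Protocol 2 explicitly" ;; esac
    v=$(sshd_get "$1" PermitRootLogin)
    case "$v" in no) report PermitRootLogin "$v" yes ;; *) report PermitRootLogin "${v:-unset}" no "set PermitRootLogin no" ;; esac
    v=$(sshd_get "$1" LoginGraceTime); v=${v:-120}   # sshd default is 120 seconds
    case "$v" in *[!0-9]*) ok=no ;; *) if [ "$v" -le 30 ]; then ok=yes; else ok=no; fi ;; esac
    report LoginGraceTime "$v" "$ok" "allow at most 30 seconds"
    v=$(sshd_get "$1" PasswordAuthentication)
    case "$v" in no) report PasswordAuthentication "$v" yes ;; *) report PasswordAuthentication "${v:-unset}" no "set to no once key login works" ;; esac
    u=$(sshd_get "$1" AllowUsers); g=$(sshd_get "$1" AllowGroups)
    if [ -n "$u$g" ]; then report AllowUsers/AllowGroups present yes
    else report AllowUsers/AllowGroups unset no "whitelist users or a group"; fi
    return "$weak"
}

# Constructed sample config (not from a real server) that shows the pitfall:
# the early "PermitRootLogin yes" wins over the "no" appended at the end.
write_sample_config() {  # write_sample_config <path>
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin yes
#PermitRootLogin no
LoginGraceTime 120
PasswordAuthentication yes
PermitRootLogin no
EOF
}

tmp=$(mktemp) && write_sample_config "$tmp"
n=0; audit_sshd_config "$tmp" || n=$?; echo "weak settings: $n"   # prints 4 for the sample
rm -f "$tmp"
```

Run it against /etc/ssh/sshd_config on the server to see which of the settings are still at their weak values. On the server itself, `sshd -t` additionally validates the syntax of the file before you restart the service.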