Keeping SSH secure is important: always go through your SSH and firewall settings, even if you don’t let anyone reach your server over SSH from the internet.
Introduction
Validated on
This article has been tested and is known to work on, but not limited to, the following versions
- Ubuntu 24.04
- Ubuntu 22.04
Prerequisite
- Sudo or root access to your Ubuntu Server
- SSH access to your Ubuntu Server
- SSH software
  - macOS: you can use Terminal
  - Linux: you can use Terminal
  - Windows: I recommend PuTTY
Good to know
- Nano commands
  - To save a file after making changes, press CTRL+X and then Y
  - To go to the end of the file, press CTRL+W and then CTRL+V
  - To search for text in the file, press CTRL+W, type what you want to search for, then press Enter
Configure, manually
- The first change will be the default port number, which makes it a little harder for bots that scan for SSH to find it. Before we start, it’s always a good idea to make a backup of your configuration.
  sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
- Now open the configuration and change some of its settings; one of them is moving SSH from the standard port 22 to something else. If you have a firewall, make sure it allows the new port number before you do this.
  sudo nano /etc/ssh/sshd_config
- Just to make our SSH port a little harder to guess, for bots and humans alike, we change it. 2299 is only an example; replace it with the port number you want.
  Port 2299
- You should never log in as root over SSH; if we need root we use sudo from our own user instead, so disable it.
  PermitRootLogin no
- We don’t want anyone or anything to keep guessing our username and password, so we limit it to 4 tries within a period of 5 min.
  MaxAuthTries 4
- We can also limit how long a user has to authenticate before being disconnected; we don’t want people to open a session and idle without logging in.
  LoginGraceTime 1m
- It’s also a good idea to limit the number of concurrent sessions.
  MaxSessions 3
- We don’t want ghost connections, meaning connections without an active user in them. So we set ClientAliveInterval 60 and ClientAliveCountMax 5: every 60 seconds the server sends a packet to the client and, if it gets no response, retries 5 times. If there is still no response after that, the server drops the connection.
  ClientAliveInterval 60
  ClientAliveCountMax 5
- Blocking authentication with blank passwords is a good idea.
  PermitEmptyPasswords no
- Verbose banners can be useful, but they display more information about your system than you want to hand out, and you can find that information in other ways, so let’s disable it.
  Banner none
Validate
- Almost done; we need to validate the configuration to make sure it works.
  sudo sshd -t
- If everything is OK you get no output at all; sshd only prints something when there is a problem in the configuration.
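The steps above are quick to do by hand once, but they get repeated on every server, and simply appending a line to the end of sshd_config does not override a value already set higher up, because sshd keeps the first value it reads for each keyword. The script below is an added example written for this page, not the article’s own script and not part of OpenSSH: it rewrites each directive in place in a copy of the file, keeps newly added directives out of any Match block, and finishes with the same sshd -t check as the Validate step when sshd is available and the script runs as root. The sample configuration it builds is constructed to resemble Ubuntu’s stock file, and port 2299 is the example value from this article.

```shell
#!/bin/sh
# Added example, not the article's own script: apply the article's sshd_config
# settings to a file in place. An existing or commented-out directive is rewritten
# rather than appended after, because sshd keeps the FIRST value it reads for a key.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." or "#KEY ..." line in the unconditional part of FILE
# to "KEY VALUE", drops later copies of the key, and inserts the line before the
# first Match block (or at the end) when the key is not present at all.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v val="$value" '
        function emit() { print key " " val; done = 1 }
        # Directives after a Match line are conditional, so stop editing there.
        tolower($0) ~ /^[ \t]*match([ \t]|$)/ { if (!done) emit(); in_match = 1 }
        !in_match && tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)") {
            if (!done) emit()
            next          # swallow the old line (and any duplicate of it)
        }
        { print }
        END { if (!done) emit() }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"  # overwrite contents so FILE keeps its owner and mode
    rm -f "$tmp"
}

# effective_value FILE KEY
# Prints the value sshd takes from FILE on its own: the first active line wins.
# Drop-ins pulled in by an Include line are not followed; use `sshd -T` for those.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT: the settings from the article, in one place.
harden_sshd_config() {
    local file="$1" port="$2"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" MaxAuthTries 4        # attempts allowed per connection
    set_sshd_option "$file" LoginGraceTime 1m
    set_sshd_option "$file" MaxSessions 3
    set_sshd_option "$file" ClientAliveInterval 60
    set_sshd_option "$file" ClientAliveCountMax 5
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" Banner none
}

main() {
    # Constructed sample resembling Ubuntu's stock file; on a real server you would
    # back up first and then point this at /etc/ssh/sshd_config instead.
    local work
    work="$(mktemp)"
    cat > "$work" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
PermitRootLogin yes
#MaxAuthTries 6
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication no
EOF
    harden_sshd_config "$work" 2299
    echo "== hardened copy =="
    cat "$work"
    echo "== effective Port in this file: $(effective_value "$work" Port)"
    # Syntax-check the result the same way the article does, when sshd is present.
    if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        sshd -t -f "$work" && echo "sshd -t: configuration is valid" \
            || echo "sshd -t reported a problem (output above)"
    fi
    rm -f "$work"
}

main
```

One caveat the script cannot cover on its own: on Ubuntu 22.04 and 24.04 the stock sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in in that directory wins over anything set later in the main file. Before restarting, run sudo sshd -T | grep -i -E 'port|permitrootlogin|maxauthtries' to see the values sshd actually uses after all includes are resolved.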
Reload sshd
- Now the final step: for the changes to take effect you need to restart the SSH service. Once again, make sure you have opened the new SSH port in your firewall if you changed it.
  sudo systemctl restart ssh
- You can check the status of the SSH service if you want to make sure it started.
  sudo systemctl status ssh
Limit SSH access
You can also limit SSH access in the configuration file so that only specific users, specific IPs, or specific users from a specific IP can connect.
- To limit access to specific IPs, add the line below. You can list several IPs by separating them with a space.
  AllowUsers *@YOURIP01 *@YOURIP02
- To limit access to a specific user:
  AllowUsers YOURUSER
- To limit access to a specific user from a specific IP:
  AllowUsers YOURUSER@YOURIP
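Because AllowUsers turns the server into an allow-list, a typo in that one line refuses everyone, including you. The dry-run below is an added example, not from the article and not part of OpenSSH: it reimplements the wildcard matching that the USER and USER@HOST forms above rely on (the * and ? wildcards, with USER@HOST requiring both halves to match) and reports which constructed sample logins each line would admit, so you can read the verdicts before restarting sshd. The user names and the 203.0.113.x and 198.51.100.x addresses are constructed documentation values; host-name matching and CIDR notation in the host part are not modelled.

```shell
#!/bin/sh
# Added example, not from the article: dry-run an AllowUsers line against
# user/address pairs before restarting sshd. Models only the USER and USER@HOST
# forms with the * and ? wildcards, matched against the client address.
set -eu

# allow_users_permits PATTERNS USER ADDR -> returns 0 if some pattern admits the pair
allow_users_permits() {
    local patterns="$1" user="$2" addr="$3" p puser phost
    for p in $patterns; do
        case "$p" in
            *@*) puser="${p%@*}"; phost="${p#*@}" ;;   # USER@HOST: both halves must match
            *)   puser="$p";      phost="*" ;;          # bare USER: any source address
        esac
        # Unquoted on purpose: the pattern's * and ? act as wildcards, like sshd's patterns.
        case "$user" in $puser) ;; *) continue ;; esac
        case "$addr" in $phost) return 0 ;; esac
    done
    return 1   # AllowUsers is an allow-list: no match means the login is refused
}

# report_allow_line ALLOW_LINE
# Prints one verdict per constructed sample login. Note that AllowUsers alone does
# not stop root; that is what PermitRootLogin no is for.
report_allow_line() {
    local allow="$1" entry user addr
    # Constructed sample logins using RFC 5737 documentation addresses.
    for entry in alice@203.0.113.10 alice@198.51.100.7 bob@203.0.113.10 root@203.0.113.10; do
        user="${entry%@*}"; addr="${entry#*@}"
        if allow_users_permits "$allow" "$user" "$addr"; then
            printf 'allow  %-6s from %-15s (AllowUsers %s)\n' "$user" "$addr" "$allow"
        else
            printf 'REFUSE %-6s from %-15s (AllowUsers %s)\n' "$user" "$addr" "$allow"
        fi
    done
}

main() {
    # The three forms from the article, with constructed values filled in.
    for line in '*@203.0.113.10 *@203.0.113.11' 'alice' 'alice@203.0.113.10'; do
        report_allow_line "$line"
        echo
    done
}

main
```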
Setup MFA
Configure, scripted
If you’re like me and hate doing things manually, I have made a script that performs everything in this article.
I have published the script in my script repository on GitHub so you can look at it and see what it does.
How to execute the script
- Download the script (the raw file, not the GitHub web page for it):
  wget https://raw.githubusercontent.com/rstolpe/script-stolpe.io/main/how-to/ubuntu-server/secure_ssh.sh
- Allow the script to be executed:
  sudo chmod +x secure_ssh.sh
- Run the script:
  sudo ./secure_ssh.sh
Conclusion
I’ll keep this guide up to date and keep adding content to it, as this covers only the basics; you can do much more to secure SSH, but this is a good starting point.