Currently, Virtual Private Server (VPS) is commonly used alongside the advancement of cloud computing. It has been deployed for various reasons, like web hosting servers, game servers, proxy servers, software development, and many more. One of the most used protocols to perform any administrative tasks is SSH (Secure Shell), which can be easily accessed from the Command line Interface (CLI).
SSH is the successor of Telnet, which was previously used for the same reason. As the name implies, SSH uses encryption to establish a secure connection which is the main differentiator from Telnet. Even so, this alone cannot guarantee that the VPS will be safe. By default, connection via SSH requires a password for authentication which is mostly targeted by the attacker.
Why is password based authentication not recommended?
Password based authentication actually has a significant security vulnerability. This type of authentication is very vulnerable to types of attacks such as brute force. Another thing you shoul consider is, by default the protocol may allow authentication for a root account which is extremely dangerous once the attacker somehow successfully compromises the server by using this account. Therefore, it is highly recommended to replace the authentication method with a more secure way as we will discuss and at the same time restrict root account access from this protocol.
How do I secure my SSH server?
Most of the methods we will use involve a file called sshd_config which is
located in the /etc/ssh. To edit the content, you need to use any text
editor like vim or nano. In this example, we use vim, so you can use the
command below.
sudo vim /etc/ssh/sshd_config
The file contains the SSH service (SSH daemon) configuration. As you can see,
almost every line of this file has a # symbol at the beginning. This symbol
indicates that the command in that line is not active. To activate certain
line, we need to remove this # sign.
To harden the SSH, there are several steps that need to be done.
Change default ports
By default, SSH will use port 22. You can change it to another port that you want by changing the line below. However, make sure the port you change is not in use by another application. For this example, we choose 3299 as our port.
From:
#Port 22
To:
Ports 3299
It is not as important as the other one we are going to do. If you are
changing this, save it and restart the service using this command sudo systemctl restart ssh , you need to define the target port while using ssh
like the command below.
ssh <username@host_ip_address> -p 3299
For this explanation, we are not going to change it and let it that way so we don’t have to define the port.
Disable root login
As stated, this one is very important to do because by preventing access with a root account on SSH, we can protect the server from possible damage that might be caused if this root account falls into the wrong hands. To disable login with the root account, all you need to do is change the line below.
From:
PermitRootLogin yes
To:
PermitRootLogin no
Creating public and private keys
Generate RSA keys
If you are using Linux, you can use the following command to generate public and private keys with rsa encryption.
ssh-keygen -t rsa
The prompt will then appear, asking where to save the file. To save in the default location, just hit enter. Then, the next prompt will appear asking for the passphrase. You can set the passphrase you want. Think of it like the additional security feature such as two-factor authentication. You can set the passphrase or not which is optional. If not, you can simply press enter.
Once generated, the private key will be stored in a file named id_rsa. The
public key will be stored in the file name id_rsa.pub. Both can be found in
the location ~/.ssh/.
Send public key to the remote VPS
To easily send a copy of our public key, you can send it via terminal using the command below. After that, you will be asked to enter the password that was set on the VPS.
ssh-copy-id <username@host_ip_address>
If you have successfully done this, you can enter the VPS without needing to enter a password. You can try it with the following command.
ssh <username@host_ip_address>
Make sure this step is done correctly until you can access the server without needing to enter a password anymore because in the next step we will disable the password login feature.
Disable Password Authentication
For the reason you no longer need a password as well as security concern, you
can disable the password login feature so that the server will be safe from
forced entry attempts. To do that, you can go back to the sshd_config
configuration just like before and replace this line.
From:
PasswordAuthentication yes
To:
PasswordAuthentication no
You need to be very careful to do this because then the only way to be able to access the server is by using the private key and public key pair that we copied earlier. For this reason, you should not lose the private key that you created earlier. If this private key is somehow lost, you will not be able to access the server.
Restarting the SSH service
After you make sure everything is correct, you need to restart the SSH service to take effect with the following command.
sudo systemctl restart ssh
It also needs to be reminded again, make sure you have generated keys before turning off the password authentication feature and resetting the service.
Conclusion
There are so many ways you can do to secure your SSH server. We have seen how to change the default port, disable root login, create public and private keys, and disable password authentication. We have also learned how to edit the sshd_config file and restart the SSH service. Hopefully this article would be useful for us in protecting our VPS from unauthorized access and malicious attacks and harden SSH server to improve security.