Need help?

Our experts have had an average response time of 12.14 minutes in September 2021 to fix urgent issues.

We will keep your servers stable, secure, and fast at all times for one fixed price.

How To Harden SSH Server On Ubuntu – Effective Hardening Tips

by | Jun 28, 2020

Have you been confused about how to harden the SSH server on Ubuntu?

As a part of our Server Management Services, we help our customers to secure their SSH servers by performing SSH hardening.

Server SSH hardening improves the level of protection and the server becomes less vulnerable to hacking.

In this Guide, we ‘re presenting the best SSH hardening tips from our realistic experience.

Best ways to Harden SSH Server on Ubuntu

 

Vulnerabilities in the Secure Shell (SSH) protocol can be minimized via SSH hardening.

Why is SSH hardening so Important?

If the SSH service is not sufficiently secure, the chance of hacking would increase exponentially. If you don’t follow best practices to harden the SSH server properly, the server can still be targeted and broken.

Here, let’s see how our Support Engineers harden the SSH server on Ubuntu.

 

1. Switch Default SSH Port

 

The default port of SSH service is 22.  The majority of hackers who are looking for OpenSSH launches brute force attacks against the default SSH port. Consequently, the load on the server may increases which leads to the server down.

However, the Ubuntu server allows customizing SSH port for the server. This protects the server against automated attacks.

 

How to change the port on the Ubuntu server

 

1.   Firstly, we connect to the server via SSH.

2. Then, we open the configuration file /etc/ssh/sshd_config/ and disable the line that begins with Port 22. After that, we, add a new port line and specify the desired port to bind SSH.

 

3. After making the above changes, we restart the SSH daemon for the changes to get reflected.

 

2. Disable Root Login

 

The root user has full privileges on Linux server distributions. The hackers attempt to break the password of root user with brute force attacks. If the server gets compromised, the hacker can access all the data.

So, the server security increases when disabling the root user. To disable the root user, we follow the below steps,

1. Initially, we SSH to the server as root.

2. Then, we open SSH main configuration file, /etc/ssh/sshd_config, and change PermitRootLogin  yes  to PermitRootLogin  no.

# Authentication:
PermitRootLogin no
MaxAuthTries 6

3. Finally, we restart the SSH service.

 

3. Limit max authentication attempts

 

A brute force attack is a common hacking method that attempts to crack a password or username.  The effective way to protect the server from brute-force attacks is to limit the number of attempts against the user.

So, we tweak the MaxAuthTries setting in the SSH main configuration file, /etc/ssh/sshd_config,

MaxAuthTries 6
MaxSessions 10

 

4. Disable Password-Based Logins

 

SSH keys authentication provides an additional security layer that disables the use of the server password. So, this type of authentication ensures that passwords need not be sent over the network, and SSH keys symbolize the passwords instead.

Also, this is another way to keep the server safe from brute-force attacks.

Before enabling SSH keys authentication, we check if SSH key-based authentication is working for the account that has access to the server.

Therefore, we do the below  steps to enable  SSH keys authentication:

1. We SSH to the server as root.

2. Then, use a text editor to open the sshd_config file.

vi /etc/ssh/sshd_config

3. Look for the line that says PasswordAuthentication and change to PasswordAuthentication no.

4. Finally, we save the changes and restart the SSH service to apply the changes.

 

5. Block SSH Access Using IPtables

 

IPtables is a very powerful security tool for monitoring/filtering incoming and outgoing traffic to the server. Based on the defined rules IPtables block unwanted traffic. It also protects against Denial of Service attacks (DoS).

So, we will set firewall rules to restrict the incoming SSH traffic by accessing the server log.

 

[Need help with SSH hardening on Ubuntu – Our Support Engineers will help you.]

 

Conclusion

In short, SSH hardening improves the level of protection and the server becomes less vulnerable to hacking. Today, we saw 5 best ways to Harden SSH Server on Ubuntu and how our Support Engineers harden the SSH server.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF