This is a short overview of how to secure the SSH server on a fresh Linux system. We will cover the basics of setting up a robust SSH configuration to access and manage the remote machine later on.<\/p>\n\n\n\n
All the configuration of the SSH server we need to adjust is on the system-wide daemon configuration file “\/etc\/ssh\/sshd_config”<\/p>\n\n\n\n
We will back it up first and then edit it:<\/p>\n\n\n\n
sudo cp \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config.bak\nsudo vi \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
Disable Root Login<\/h3>\n\n\n\n
Prohibit the Root user from login through SSH<\/p>\n\n\n\n
PermitRootLogin no<\/pre>\n\n\n\nSpecify Allowed User<\/h3>\n\n\n\n
It’s a good security practice to limit the use of the Root user. Instead we will use a limited user who we add to the sudoers from login through SSH<\/p>\n\n\n\n
AllowUsers user1 user2<\/code><\/pre>\n\n\n\nSet a Login Grace Timeout<\/h3>\n\n\n\n
The server should not wait for more than 60 seconds after a connection request before disconnecting. Change the LoginGraceTime accordingly:<\/p>\n\n\n\n
LoginGraceTime 1m<\/code><\/pre>\n\n\n\nSet Maximum Startup Connections<\/h3>\n\n\n\n
Set up a proper maximum number of concurrent connections to the SSH daemon.<\/p>\n\n\n\n
MaxStartups 2<\/code><\/pre>\n\n\n\nSet Idle Timeout Interval<\/h3>\n\n\n\n
Set a proper idle timeout to avoid an unattended session.<\/p>\n\n\n\n
ClientAliveInterval 300\nClientAliveCountMax 0<\/pre>\n\n\n\nDisable Forwarding<\/h3>\n\n\n\nX11Forwarding no<\/pre>\n","protected":false},"excerpt":{"rendered":"This is a short overview of how to secure the SSH server on a fresh Linux system. We will cover the basics of setting up a robust SSH configuration to access and manage the remote machine later on. Secure the SSH Daemon Configuration File All the configuration of the SSH server we need to adjust… Continue reading How to secure the SSH Server on Ubuntu<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,17],"tags":[27,12,26],"series":[7],"class_list":["post-122","post","type-post","status-publish","format-standard","hentry","category-it-security","category-linux-server","tag-linux","tag-security","tag-ssh","series-linux-server","entry"],"_links":{"self":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/comments?post=122"}],"version-history":[{"count":2,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/122\/revisions"}],"predecessor-version":[{"id":124,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/122\/revisions\/124"}],"wp:attachment":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/media?parent=122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/categories?post=122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/tags?post=122"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/series?post=122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}