Lock down your SSH port/access

Rob —  June 26, 2014 — Leave a comment

The instant a Linux server is connected to a public network it starts getting hit by attackers. People run scanners around the clock against whole IP ranges, and they have already tried your server a number of times today. You need to lock down your SSH access, and we'll show you a few ways to do it!

First, let's see who has tried logging into your server today. Failed logins are recorded in /var/log/btmp, which only root can read, so run the command lastb as root (or with sudo):

WHOA! That's a long list, right? Let's show just the last 20 lines of it:

Ok, that's a little more manageable, but it probably shows only one IP address making 20 attempts. Let's get a better picture of what's going on by using awk to total the attempts per IP and sort the result, lowest count first.

Now the top offenders are at the bottom of the list. The number on the left is the count of login attempts and the value on the right is the source IP address.
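
The per-IP tally described above, as an added example that is not the original post's own command line. It is plain POSIX shell: top_offenders does the awk/sort step over lastb output, and ips_at_least is a small extra that pulls out the addresses over a threshold, ready for a firewall deny list. The lastb lines embedded in the block are a constructed sample so the functions can be run offline; against a live server you would pipe in sudo lastb -i instead.

```shell
#!/bin/sh
# Added example (not the original post's command): count failed SSH logins per
# source address from `lastb` output. Against a live box run
#   sudo lastb -i | top_offenders
# (-i prints numeric addresses instead of hostnames; lastb reads
# /var/log/btmp, which is root-only). The data below is a constructed sample
# in lastb's output format so the functions can be exercised offline.

SAMPLE_LASTB='root     ssh:notty    203.0.113.10     Thu Jun 26 09:01 - 09:01  (00:00)
admin    ssh:notty    203.0.113.10     Thu Jun 26 09:01 - 09:01  (00:00)
root     ssh:notty    198.51.100.7     Thu Jun 26 09:02 - 09:02  (00:00)
test     ssh:notty    203.0.113.10     Thu Jun 26 09:03 - 09:03  (00:00)
oracle   ssh:notty    192.0.2.55       Thu Jun 26 09:04 - 09:04  (00:00)
root     ssh:notty    198.51.100.7     Thu Jun 26 09:05 - 09:05  (00:00)

btmp begins Thu Jun 26 00:00:01 2014'

# top_offenders: lastb output on stdin -> "count ip" per address, ascending,
# so the worst offenders land at the bottom of the screen.
# Only ssh records with a dotted-quad host field are counted; the trailing
# "btmp begins" footer and any hostname-resolved entries are ignored.
top_offenders() {
    awk '$2 ~ /^ssh/ && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
         END { for (ip in n) print n[ip], ip }' | sort -n
}

# ips_at_least MIN: addresses with MIN or more failed attempts, one per line,
# ready to feed into a firewall deny list.
ips_at_least() {
    top_offenders | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_LASTB" | top_offenders
```

Without -i, lastb may print hostnames in the third column; those rows are skipped by the dotted-quad filter rather than miscounted, which is why the flag is worth remembering.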

Ok – now that you can see why you need to lock down access to your server, let’s get on with it!

Locking it down.

There are at least 3 popular actions Linux administrators take when locking down SSH access. Only the third one actually stops password guessing; the first cuts down the noise from automated scanners but is defeated by a simple port scan, and the second only works if you always connect from a fixed address.
1. Move the SSH port from 22 to something else
2. Limit SSH access by IP address
3. Allow logins with SSH keys only

Non-standard SSH Port:
First, let's move SSH to a non-standard port. Edit your /etc/ssh/sshd_config file and look for the Port line:

Change it to some other port. We'll use 2424: comment out the 'Port 22' line (it may already be commented out, in which case sshd is using the default of 22) and add 'Port 2424' just below it.

Then, restart the sshd service:
(If you are running a firewall, open the new port first! On a system with SELinux enforcing you also have to allow the new port for sshd, e.g. semanage port -a -t ssh_port_t -p tcp 2424, or sshd will fail to bind it. Keep your current session open and test the new port from a second terminal before you close it.)

Now, when you ssh to your server, you will need to specify port 2424 (or whatever you used) with the -p option:

Limit by IP:
Next, let's lock down ssh access by IP address. Only do this if you connect from a static IP address that doesn't change. If you have a dynamic IP address, skip this part: the next time your address changes you will be locked out of your own server.

If you are using plain iptables for security on your server, you can block access to the ssh port from everything except your IP by typing this line as root (change xxx.xxx.xxx.xxx to your IP address and change dport from 2424 to whatever port you are using for SSH; the default is port 22).

If you have multiple IP addresses that you want to allow, be careful how you repeat it. A rule of the form "drop unless the source is X" cannot simply be repeated for a second address Y: traffic from X is "not Y" and gets dropped by the second rule, so both of you are locked out. The safe pattern is one ACCEPT rule per allowed address, added before a single DROP rule for the port. Either way, keep your existing session open until you have confirmed that a fresh connection still works.
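
As an added example (not the rule from the original post), the following shell block generates the allowlist rules for several addresses in the safe ACCEPT-then-DROP order, generates the tempting "one negated drop per address" version as well, and runs both through a tiny first-match evaluator so you can see the lockout before touching a real firewall. The addresses are constructed examples, the function names are my own, and the evaluator is a toy model of chain traversal, not netfilter.

```shell
#!/bin/sh
# Added example (not the original post's rule): generate the iptables rules
# for an SSH allowlist and check their first-match behaviour before applying
# them. The commands are emitted as text so they can be reviewed and then
# piped into `sudo sh`; the addresses used below are constructed examples.
# Keep your current SSH session open while you apply firewall rules: if the
# order is wrong you will still have that session to undo it.

# ssh_allowlist_rules PORT IP [IP...]
# One ACCEPT per allowed address, then a single DROP for everyone else on
# that port. iptables evaluates a chain top to bottom and stops at the first
# match, so the ACCEPTs must come before the DROP; -A (append) keeps that
# order. Never add the DROP with -I (insert at the top) afterwards.
ssh_allowlist_rules() {
    port="$1"; shift
    [ "$#" -ge 1 ] || { echo "ssh_allowlist_rules: need at least one IP" >&2; return 1; }
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$ip"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# naive_negated_rules PORT IP [IP...]
# The tempting shortcut: one "drop unless from X" rule per address. With two
# addresses this drops BOTH of them (X is "not Y", so rule 2 drops X), which
# is exactly the lockout the simulator below demonstrates.
naive_negated_rules() {
    port="$1"; shift
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp ! -s %s --dport %s -j DROP\n' "$ip" "$port"
    done
}

# simulate_ssh PORT SRC  (rules on stdin)
# Toy first-match evaluator for the rule text above (not netfilter): prints
# the target of the first rule matching a TCP packet to PORT from SRC, or
# POLICY when nothing matched and the chain's default policy would apply.
simulate_ssh() {
    awk -v port="$1" -v src="$2" '
        {
            dport = ""; s = ""; neg = 0; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-s") { s = $(i + 1); if (i > 1 && $(i - 1) == "!") neg = 1 }
                if ($i == "-j") target = $(i + 1)
            }
            if (dport != port) next
            if (s != "") { m = (s == src); if (neg) m = !m; if (!m) next }
            verdict = target; exit
        }
        END { print (verdict == "" ? "POLICY" : verdict) }'
}

# Stand-alone demo: the safe set, then the lockout.
ssh_allowlist_rules 2424 203.0.113.10 198.51.100.7 | simulate_ssh 2424 203.0.113.10
naive_negated_rules 2424 203.0.113.10 198.51.100.7 | simulate_ssh 2424 203.0.113.10
```

Review the generated text, then apply it with something like ssh_allowlist_rules 2424 your.ip.here | sudo sh. Remember that plain iptables rules do not survive a reboot unless your distribution saves them (iptables-save / a persistence package), so test that too.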

Ok – so far we have changed the SSH port and we have locked it down to accept connections only from a certain IP address.

SSH Keys:
Next is my favorite one – locking down SSH access by only allowing login via SSH key.

First, on the PC that you are connecting from, generate an SSH key pair with ssh-keygen by typing the following at a prompt. Do this as your regular user, not root, so the key ends up in your own home directory.

If you like, you can accept the default file location by hitting [ENTER]. Do set a passphrase when asked, though: an unencrypted private key is only as safe as the laptop it sits on.

That command generated a key pair. The private half (id_rsa) stays on your PC and never leaves it; the public half (id_rsa.pub) is what you drop on any server you want to connect to. Let's display it now so we can place it on the server!

(highlight/copy the string)

Now, let's add it to the server. SSH into your server and create the directory and file the key goes in. sshd is picky here: .ssh must be mode 700 and authorized_keys mode 600, or with the default StrictModes setting the key will be silently ignored and you will keep getting a password prompt:

Now, edit the new .ssh/authorized_keys file with your favorite editor (vim!) and paste the string from id_rsa.pub into it as a single line, with no extra spaces or line breaks, then save it.

Log out of your server and ssh back in again. Look ma, you didn't have to type your password!

This is only halfway done. Repeat the process of generating a key and pasting its public half into authorized_keys for every machine that you want to connect to your server. Do not copy the private key between machines; each machine gets its own pair.

Now, let's tell the server to only accept ssh logins from machines with keys. Do this only after you have confirmed that key login works, because the next step turns off your fallback:
Edit the /etc/ssh/sshd_config file again. Change PermitRootLogin from yes to without-password (OpenSSH 7.0 and later call the same setting prohibit-password and accept both spellings), then change PasswordAuthentication from yes to no. On systems that use PAM, also set ChallengeResponseAuthentication to no, otherwise sshd can still prompt for a password through keyboard-interactive authentication.

Restart sshd (run sshd -t first to check the file for syntax errors; a broken config can stop sshd from starting at all):
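
The key-install and sshd_config steps above, as an added example that is not the original post's own commands. It takes the home directory and config file as parameters so the whole procedure can be rehearsed on a scratch copy before touching /etc/ssh, and it adds the two settings a "keys only" server needs beyond the post's three edits: PubkeyAuthentication stated explicitly and ChallengeResponseAuthentication turned off. The function names are my own and the public key used in the demo is a constructed string, not a real key.

```shell
#!/bin/sh
# Added example (not the original post's commands): install a public key with
# the permissions sshd insists on, then switch a copy of sshd_config to
# key-only logins and check what the effective settings are before you
# restart. Paths are parameters so the whole thing can be rehearsed on a
# scratch directory; the key string used in the demo below is constructed.

# install_authorized_key HOME_DIR "PUBKEY_LINE"
# ~/.ssh must be 0700 and authorized_keys 0600 (and neither group- nor
# world-writable): with StrictModes (the default) sshd silently ignores an
# authorized_keys file with looser permissions and you get a password prompt
# instead of a key login. The key is appended only if not already present,
# so re-running is safe.
install_authorized_key() {
    home="$1"; key="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# set_sshd_option FILE KEYWORD VALUE
# sshd uses the FIRST occurrence of a keyword, so the new setting is placed at
# the top of the file (ahead of any Include or Match block a distribution
# ships) and every column-0 copy of the keyword below it is commented out to
# leave one unambiguous effective value.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    {
        printf '%s %s\n' "$key" "$value"
        sed -E "s/^($key[[:space:]].*)/#\1/" "$file"
    } > "$tmp" && mv "$tmp" "$file"
}

# sshd_effective FILE KEYWORD: the value sshd would actually use (keywords
# are case-insensitive; first active line wins).
sshd_effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT: the post's three changes plus two the post
# does not mention but that are needed for "keys only" to be true:
#  - ChallengeResponseAuthentication no, because with PAM enabled a plain
#    PasswordAuthentication no still lets sshd ask for a password through
#    keyboard-interactive authentication;
#  - PubkeyAuthentication yes stated explicitly so nothing later in the file
#    can turn it off.
# without-password is the 2014-era spelling; OpenSSH 7.0 and later prefer
# prohibit-password and accept both.
harden_sshd_config() {
    file="$1"; port="$2"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PermitRootLogin without-password
}

# validate_sshd_config FILE: syntax-check with sshd before restarting. Needs
# root (it loads the host keys) and a real sshd; never restart on failure.
validate_sshd_config() {
    sshd -t -f "$1"
}
```

Rehearse on a copy first: cp /etc/ssh/sshd_config /tmp/sshd_config.new, harden_sshd_config /tmp/sshd_config.new 2424, read the diff, run validate_sshd_config on it as root, and only then move it into place and restart, with a second session already logged in as a safety net.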

Your server is now much more secure than it was when you woke up this morning!

Please comment below if you used this tutorial and let us know how it went!

