Best SSH Security Practices
The best SSH practices can be summarized into two main principles:
- Keeping unauthorized users out of your system.
- Making sure potential attackers don't even know your system exists.
This guide will teach you the best SSH security practices.
SSH Programs: Dropbear vs OpenSSH
There are two primary SSH programs used on Linux/Unix-based systems: Dropbear and OpenSSH. In this guide, we will focus on OpenSSH.
Installing SSH
Installing SSH varies by system. Below are the install commands for the OpenSSH server on common package managers:
Debian/Ubuntu-based systems:
sudo apt install openssh-server
Red Hat/CentOS/Fedora-based systems:
sudo dnf install openssh-server
Arch Linux-based systems:
sudo pacman -S openssh
OpenSUSE-based systems:
sudo zypper install openssh
macOS (via Homebrew):
brew install openssh
Securing the OpenSSH Server
Changing the Port
By default, SSH listens on port 22. Leaving it there is acceptable, but port scanners will immediately identify your system as running SSH. To mitigate this, you can change the port; this cuts down the automated scanning aimed at port 22, although it does not hide the service from a scan of every port.
The SSH configuration file is typically located at /etc/ssh/sshd_config and is usually owned by the root user. To edit it, you must open it as root, using either sudo or doas.
Once you open the sshd_config file, you should see the following line:
#Port 22
To change the port, uncomment the line by removing the `#` at the beginning and change the 22 to any number between 100 and 65534 that no other service on the host is already using. Any line you change must be uncommented for it to take effect.
For example:
Port 2345
Restart the SSH service. Use the appropriate command for your system:
sudo systemctl restart sshd # For systems using systemd
sudo service ssh restart # For older systems or systems using openrc
Once the change is made, you have successfully modified the port. To log in using the new port, use the following command:
ssh <username>@<address> -p 2345
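The port edit above, and the PermitRootLogin and PasswordAuthentication edits in the Key Authentication section, are the same operation: set one directive in sshd_config, whether it is currently commented out or not. The script below is an added example, not part of the guide, showing how to make those edits with a script and validate the port the way the guide describes. It works on a constructed sample file; the function names (set_sshd_directive, set_ssh_port, harden_sshd, check_sshd_config) are this example's own, and only check_sshd_config touches a real sshd.

```shell
#!/bin/sh
# Added example (not from the guide): edit sshd_config directives with a
# script instead of by hand, then check the result before restarting sshd.

# set_sshd_directive CONFIG KEY VALUE
# Replaces the first line that sets KEY, whether it is active ("Port 22")
# or commented out ("#Port 22"), with "KEY VALUE"; appends it if none exists.
set_sshd_directive() {
    cfg="$1" k="$2" v="$3"
    awk -v key="$k" -v val="$v" '
        {
            line = $0
            sub(/^[# \t]+/, "", line)           # strip "#" and leading blanks
            split(line, f, "[ \t]+")
            if (!done && f[1] == key) { print key " " val; done = 1; next }
            print
        }
        END { if (!done) print key " " val }
    ' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}

# get_sshd_directive CONFIG KEY DEFAULT: first active value of KEY, or DEFAULT.
get_sshd_directive() {
    awk -v key="$2" -v def="$3" '
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# set_ssh_port CONFIG PORT: validate the port as the guide describes
# (a number from 100 to 65534) before writing it.
set_ssh_port() {
    case "$2" in
        ''|*[!0-9]*) echo "set_ssh_port: port must be a number" >&2; return 1 ;;
    esac
    if [ "$2" -lt 100 ] || [ "$2" -gt 65534 ]; then
        echo "set_ssh_port: port $2 is outside 100-65534" >&2; return 1
    fi
    set_sshd_directive "$1" Port "$2"
}

# harden_sshd CONFIG: the two directives the Key Authentication section
# changes, so root and password logins are refused.
harden_sshd() {
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" PasswordAuthentication no
}

# check_sshd_config CONFIG: let sshd parse the file before a restart.
# Run as root against the real file; "sshd -t" exits non-zero on an error.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Demo on a constructed copy of a stock-looking config (not the real file).
demo_cfg="${TMPDIR:-/tmp}/sshd_config.demo.$$"
printf '%s\n' '#Port 22' '#AddressFamily any' \
    '#PermitRootLogin prohibit-password' '#PasswordAuthentication yes' > "$demo_cfg"
set_ssh_port "$demo_cfg" 2345
harden_sshd "$demo_cfg"
cat "$demo_cfg"
echo "effective port: $(get_sshd_directive "$demo_cfg" Port 22)"
rm -f "$demo_cfg"
```

On a real host, run `check_sshd_config /etc/ssh/sshd_config` as root after editing and before restarting the service: a typo that sshd cannot parse stops it from starting, and the existing session is then your only way back in.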
Key Authentication
Key-based authentication is a much safer alternative to using a password. Instead of entering a password to log in, you'll use a key pair: a private key that stays on your system and a public key that you store on the server.
How Key Authentication Works
Imagine you have a door with a lock. The private key is like your physical key, while the public key is the lock on the door. When the correct key is inserted, the door unlocks. This is essentially how key authentication works.
Key authentication has these advantages:
- Defeats password brute-force attacks, because there is no password to guess.
- Allows passwordless login (similar to Single Sign-On).
- Requires each user to have a unique key pair.
Setting up Key Authentication
Generating the Key Files
1. On any Unix/Linux system, type the following command:
ssh-keygen
2. You will be prompted to specify where to save the key files:
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/name/.ssh/id_ed25519):
Example:
Enter file in which to save the key (/home/name/.ssh/id_ed25519): /home/name/Desktop/key
This will save both the public and private key files on your desktop under the name key.
3. You will be asked to set a passphrase for the key. If you trust the environment where the key is stored, you can leave it empty by pressing Enter. Alternatively, you can set a passphrase to add an extra layer of security.
Enter passphrase for "/home/name/Desktop/key" (empty for no passphrase):
4. Once complete, the keys will be saved in the specified location:
Your identification has been saved in /home/name/Desktop/key
Your public key has been saved in /home/name/Desktop/key.pub
The key fingerprint is:
SHA256:I60X50p2/VwZ6MHhEqx8rWNse0pC5/vewW1i4tLufQ8 name@pc
The key's randomart image is:
+--[ED25519 256]--+
| |
| . |
| o . |
| .. . = o |
| . S+.+ * . |
| o.==.+ o +|
| . +.oXo.E++|
| + o*.=B.=o|
| . BOo+oo|
+----[SHA256]-----+
Do not worry about the randomart as it has no functional purpose.
5. You now have two files:
- key – This is your private key (keep this secure and never share it).
- key.pub – This is your public key (place this on the server).
The private key should stay on the machine you will use to access the server.
Securing the Server with Key Authentication
1. Log in to the server you want to protect with key authentication.
2. Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
3. Modify the following lines:
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
to:
PermitRootLogin no
PasswordAuthentication no
This prevents root login over SSH, disables password login and forces key-based authentication.
4. Save and exit the file.
5. Go to the home directory of the user you wish to secure with key authentication. Create the .ssh directory (if it doesn't exist), then create the authorized_keys file inside it:
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
Paste the entire contents of the `.pub` file into this document and save it. Make sure the .ssh directory and the authorized_keys file are readable and writable only by this user, otherwise sshd ignores the file by default.
6. Restart the SSH service. Use the appropriate command for your system:
sudo systemctl restart sshd # For systems using systemd
sudo service ssh restart # For older systems or systems using openrc
DO NOT LOG OUT UNTIL YOU CONFIRM THE CONFIGURATION IS CORRECT, TO AVOID BEING LOCKED OUT.
7. Open another terminal window on the machine you will use to SSH into the server and test the connection:
ssh <user>@<address> -i /path/to/private/key/file
If you changed the port earlier, add -p <port> (for example -p 2345) to the command.
If you can log in without being asked for a password, key authentication is correctly configured!
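Step 5 above is the point where key authentication usually fails in practice: the key is pasted correctly, but the directory or file permissions are wrong and sshd silently ignores authorized_keys (StrictModes is on by default). The script below is an added example, not part of the guide, that installs a .pub file the way step 5 does by hand, sets the required modes, refuses a malformed key line, avoids adding the same key twice, and checks the permissions sshd cares about. The key line it uses is constructed and not a real key; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): install a public key into a user's
# authorized_keys with the permissions sshd requires, without duplicates.

# mode_of PATH: permission string such as "drwx------" (portable via ls).
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_ssh_perms HOME_DIR: sshd (StrictModes, on by default) ignores
# authorized_keys when the home directory is group- or world-writable, or
# when .ssh / authorized_keys are accessible to anyone but the owner.
check_ssh_perms() {
    h="$1"
    case "$(mode_of "$h")" in
        d????-??-?) ;;
        *) echo "$h must not be group- or world-writable" >&2; return 1 ;;
    esac
    case "$(mode_of "$h/.ssh")" in
        d???------) ;;
        *) echo "$h/.ssh must be mode 700" >&2; return 1 ;;
    esac
    case "$(mode_of "$h/.ssh/authorized_keys")" in
        -??-------) ;;
        *) echo "$h/.ssh/authorized_keys must be mode 600" >&2; return 1 ;;
    esac
}

# install_authorized_key HOME_DIR PUBKEY_FILE: validate the .pub line, create
# the directory and file with the right modes, and append the key if it is new.
install_authorized_key() {
    h="$1" pub="$2"
    keyline=$(head -n 1 "$pub")
    keytype=${keyline%% *}
    blob=$(printf '%s\n' "$keyline" | awk '{ print $2 }')
    # Plain "<type> <base64> [comment]" lines only; option prefixes are not handled.
    case "$keytype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type: $keytype" >&2; return 1 ;;
    esac
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) echo "key blob is not base64" >&2; return 1 ;;
    esac
    mkdir -p "$h/.ssh"
    chmod 700 "$h/.ssh"
    touch "$h/.ssh/authorized_keys"
    chmod 600 "$h/.ssh/authorized_keys"
    # Compare type and blob only: the trailing comment (name@pc) may differ.
    if ! awk -v t="$keytype" -v b="$blob" \
            '$1 == t && $2 == b { found = 1 } END { exit !found }' \
            "$h/.ssh/authorized_keys"; then
        printf '%s\n' "$keyline" >> "$h/.ssh/authorized_keys"
    fi
    check_ssh_perms "$h"
}

# Demo with a constructed home directory and a made-up (not real) key line.
demo_home="${TMPDIR:-/tmp}/sshdemo.$$"
mkdir -p "$demo_home" && chmod 755 "$demo_home"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL0000000000000000000000 name@pc' \
    > "$demo_home/key.pub"
install_authorized_key "$demo_home" "$demo_home/key.pub"
install_authorized_key "$demo_home" "$demo_home/key.pub"   # second run adds nothing
echo "entries: $(wc -l < "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```

Run it as the target user with that user's home directory, for example `install_authorized_key "$HOME" key.pub`. If a key that looks correct is still rejected, `check_ssh_perms "$HOME"` reports which of the three permission rules is broken before you start reading sshd's logs.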