Table of Contents Securing SSH Service
Scope of Article
SSH service is widely used in open-source infrastructure setups. Due to its lightweight network footprint and ease of installation, SSH replaces many remote shells in modern data centers. However, although SSH stands for Secure Shell, it can be vulnerable to cyber attacks if administrators fail to configure it properly. This article highlights the security challenges and best practices to secure SSH services effectively.
How SSH Works
Before diving into SSH security hardening, let’s understand how the protocol works. Similar to Telnet, the SSH protocol runs as a daemon service on Linux servers. Clients connect using tools like PuTTY. SSH is cross-platform and widely used in Linux environments. By default, SSH uses TCP port 22 for communication.
Unlike Telnet, SSH uses cryptography for authentication and secure data transfer, ensuring data confidentiality and integrity. The SSH communication process has three main phases:
- Client-server handshake
- Authentication
- Secure data exchange
During the handshake, both parties exchange information about protocol versions, cipher algorithms, and compression methods. For authentication, SSH supports multiple methods:
| Client Authentication Method | Description |
|---|---|
| Public Key Authentication | Client and server exchange key pairs for authentication. |
| Password Authentication | Uses plain-text password for login validation. |
| Host-based Authentication | Restricts access to specific trusted hosts. |
| Keyboard Authentication | Security challenge/response mechanism. |
Important SSH Configuration Files
/etc/ssh/sshd_config– Server configuration file/etc/ssh/ssh_config– Client configuration file/etc/hosts.allow– Hosts allowed to connect/etc/hosts.deny– Hosts denied access/etc/nologin– Blocks all users except root
Securing SSH Service
To harden SSH security, administrators should apply the following best practices:
1. Change Default SSH Port
Protocol 2 Port 88000 PermitRootLogin no AllowUsers prashant rajesh DenyUsers mayur
Changing the default port reduces brute force attempts and disables root logins via password authentication.
2. Restrict SSH Access by IP
ListenAddress 192.168.1.5 sshd : 10.0.0.1
Binding SSH to specific IPs and using TCP Wrappers (hosts.allow & hosts.deny) prevents unauthorized access.
3. Enforce Strong Authentication
PermitEmptyPasswords no PasswordAuthentication no IgnoreRhosts yes Banner /etc/issue LoginGraceTime 60 ClientAliveInterval 240 ClientAliveCountMax 0 MaxAuthTries 4 StrictModes yes
This ensures public/private key authentication and disables insecure authentication methods.
4. Enable Logging & Monitoring
SyslogFacility AUTH LogLevel INFO PrintLastLog yes
Logging provides visibility into SSH activity, helping detect suspicious logins or attacks.
5. Advanced SSH Security Mechanisms
- Implement two-factor authentication
- Use Fail2Ban or DenyHosts against brute force attacks
- Deploy firewalls and IDS/IPS solutions
- Ensure regular OS and SSH patches are applied
Summary
SSH is a powerful remote access tool, but misconfiguration can expose critical vulnerabilities. By applying port changes, IP restrictions, key-based authentication, monitoring, and advanced controls, administrators can ensure strong SSH security.
About the Author
The author has over 22 years of IT security experience in hardware, networking, and cybersecurity. Prashant runs Valency Networks in India, specializing in IT security design, penetration testing, audits, and infrastructure management. Contact: prashant@valencynetworks.com.
