In order to connect to a remote SSH server, users need the following three bits of data: a username, a password, and a port.
If you, as the server admin, are able to obfuscate any of these three items, your server becomes considerably more secure from brute-force style attacks. Sometimes the attacking IP addresses are from the other side of the planet (which is kind of neat).
If you're currently running a machine that hosts an SSH server, run the following command to see whether your machine is being targeted. Here's an example of what happens to the machine hosting this website roughly every minute.
grep 'Invalid' /var/log/auth.log
Invalid user iroda from 18.104.22.168 port 36710
Invalid user frank from 22.214.171.124 port 39118
Invalid user egon from 126.96.36.199 port 39456
Invalid user squirrel from 188.8.131.52 port 54674
Invalid user dragos from 184.108.40.206 port 34308
Invalid user miroslav from 220.127.116.11 port 44258
Invalid user admin from 18.104.22.168 port 58604
Invalid user visiteur from 22.214.171.124 port 46436
Invalid user aaaaa from 126.96.36.199 port 58578
Clearly, there are a lot of machines attempting to beat down the door and get inside. As you can see, none of them really has a clue which username, password, or port to specify; almost every connection attempt is effectively throwing data at a wall and hoping something will stick. Eventually, given enough time, something might. Thankfully, you can have peace of mind by following a few simple steps.
Instead of typing a password every time you log into your machine remotely, consider using an SSH key. This removes the possibility (however incredibly unlikely) that one of these machines might guess your password.
After the key is created on your local machine, copy it to your remote machine.
ssh-copy-id username@server_name
Once the server has your home machine's key, you can remove the ability to log in via a password. Be warned though: if you lose the key on your local machine for whatever reason, you won't be able to get back into your remote server with it, and you'll need to give the server another key. It's good practice to remove old keys that aren't being used, as keeping orphaned keys around is a security risk.
By default, SSH listens on port 22. One of the best ways to secure your connection is to change it. Pick an alternate port to use, but be aware that many ports are already used by other services.
Once you've picked one out, edit /etc/ssh/sshd_config on your remote server and modify the following lines:
Port $your_port
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
AllowUsers username
PasswordAuthentication no
PermitEmptyPasswords no
PrintLastLog yes
Set PasswordAuthentication to yes instead if you still want password logins. Only users listed in the AllowUsers directive will be allowed to connect; all others will be automatically denied.
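As an added example (not from the original post), here is a small POSIX shell audit of an sshd_config for the directives above. sshd honours the first occurrence of a directive, so a hardened line appended at the bottom loses to an earlier one, including anything in drop-in files pulled in by an Include at the top of the file (recent Ubuntu releases ship with one); sshd -T prints the effective configuration if you want to confirm. The sample config, its path and the expected values are constructed for this example.

```shell
# Added example, not from the original post: audit an sshd_config the way
# sshd reads it. The FIRST occurrence of a directive wins, so a hardened
# line appended near the bottom is silently overridden by an earlier one.

# effective_value FILE DIRECTIVE -> first value sshd would use, empty if unset
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blanks
        tolower($1) == "match" { exit }                  # global section ends here
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

# audit_sshd_config FILE -> prints a FAIL line per problem; returns 0 if all pass
audit_sshd_config() {
    file=$1 rc=0
    # directives from the post that have one expected value
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes PermitEmptyPasswords=no MaxAuthTries=3; do
        key=${pair%%=*} want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: wanted '$want', effective '${got:-unset (sshd default)}'"
            rc=1
        fi
    done
    # Port only needs to be off the default; AllowUsers only needs to exist
    case $(effective_value "$file" Port) in
        ''|22) echo "FAIL Port: still the default 22"; rc=1 ;;
    esac
    if [ -z "$(effective_value "$file" AllowUsers)" ]; then
        echo "FAIL AllowUsers: no user list, every account may log in"; rc=1
    fi
    return $rc
}

# Constructed sample: the post's block was appended, but a stray line above it
# re-enables passwords, and that earlier line is the one sshd honours.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
Port 2222
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
AllowUsers username
PasswordAuthentication no
PermitEmptyPasswords no
EOF
audit_sshd_config "$sample" || echo "sshd would still accept passwords; 'sshd -T' shows the live config"
rm -f "$sample"
```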
Restart your SSH instance to enact the changes and exit the server.
systemctl restart sshd
exit
Now connect to your server with the -p flag to specify the port.
ssh -p $your_port username@server
Your server is now more secure than when it started, but there are a few more things we can do to improve security.
Now that all three connection requirements have been secured, it's important to be able to ban the IP addresses that are attempting brute-force attacks. fail2ban does this by watching the log and blocking repeat offenders.
apt install fail2ban
Once it's installed, copy the default conf file to a local one.
Edit the newly created local file and remove everything except for the following [sshd] section:
vim /etc/fail2ban/jail.local
[sshd]
enabled = true
# use the port sshd actually listens on; 'ssh' would only block port 22
port = $your_port
maxretry = 3
findtime = 10m
bantime = 24h
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Restart the service and double check that it's working correctly:
systemctl restart fail2ban
systemctl status fail2ban
After a few hours, run grep 'banned' /var/log/fail2ban.log to see the fruits of its labor.
WARNING [sshd] 188.8.131.52 already banned
WARNING [sshd] 184.108.40.206 already banned
WARNING [sshd] 220.127.116.11 already banned
WARNING [sshd] 18.104.22.168 already banned
WARNING [sshd] 22.214.171.124 already banned
WARNING [sshd] 126.96.36.199 already banned
ufw is a firewall front end for Linux. By blocking every port except the ones you are using, you reduce the attack surface exposed to the outside. Allow your SSH port before enabling the firewall, since ufw denies incoming connections by default and would otherwise lock you out.
apt install ufw
ufw allow $your_port
ufw enable
Check that it's running correctly.
And there you have it! Your server should be a lot more secure now. Remember to periodically check logs and monitor your server to keep it healthy and happy.