Skip links

10 Best Practices and Commands to Secure Remote Access with SSH

10 Best Practices and Commands to Secure Remote Access with SSH

Secure Shell (SSH) is a widely-used protocol for secure remote access to servers and other networked devices. Whether you’re managing a web server, a cloud-based virtual machine, or just connecting to your home computer remotely, SSH is an essential tool. However, with great power comes great responsibility, as improper SSH configuration can open the door to potential security vulnerabilities. In this article, we will delve into best practices for securing remote access with SSH, including the necessary commands to implement them.

1. Update SSH Software #

Keeping your SSH software up-to-date is crucial for security. Vulnerabilities are regularly discovered and patched in SSH implementations. To update SSH, use the following commands:

sudo apt update
sudo apt upgrade

For systems using different package managers, the commands may vary, but the principle remains the same: regularly update your SSH software.

2. Disable Root Login #

Allowing root login over SSH is a significant security risk. It’s best to disable it and use a regular user account with sudo privileges. Edit the SSH configuration file using:

sudo nano /etc/ssh/sshd_config

Set PermitRootLogin to no and save the file.

PermitRootLogin no

Restart the SSH service:

sudo systemctl restart sshd

3. SSH Keys #

SSH keys provide a secure and convenient way to authenticate. To generate an SSH key pair, run:

ssh-keygen -t rsa -b 4096

Copy the public key to the remote server using:

ssh-copy-id username@remote_server

4. Use Strong Passwords #

If you must use passwords for authentication, ensure they are complex and unique. Avoid using easily guessable passwords. Regularly update passwords and use a password manager to store them securely.

5. Set Password Expiry #

To enforce password expiry, configure the /etc/login.defs file:

sudo nano /etc/login.defs

Set PASS_MAX_DAYS to the desired password expiration time (e.g., 90 days):


6. Limit SSH Access #

Restrict SSH access to specific IP addresses or networks using the AllowUsers or AllowGroups directives in /etc/ssh/sshd_config. For example:

AllowUsers username@trusted_ip

7. Change Default SSH Port #

Changing the default SSH port from 22 to a non-standard port adds an extra layer of security by reducing automated scans. Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Change the Port directive to your desired port (e.g., 2222):

Port 2222

Restart the SSH service:

sudo systemctl restart sshd

8. Enable Two-Factor Authentication (2FA) #

Implementing 2FA adds an extra layer of security. Tools like Google Authenticator or Duo Security can be used in conjunction with SSH. Instructions for enabling 2FA can vary depending on the chosen solution.

9. Implement Fail2Ban #

Fail2Ban is a tool that monitors log files and bans IP addresses that show malicious signs. To install and configure Fail2Ban:

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Fail2Ban will protect your SSH server by blocking IPs that repeatedly fail authentication.

10. Regularly Audit User Accounts #

Periodically audit your user accounts to ensure that only authorized users have access. Remove any unnecessary accounts and adjust permissions as needed.

sudo nano /etc/passwd

Review and update user accounts as necessary.

In conclusion, securing remote access with SSH is crucial to maintaining the integrity and security of your systems. By following these best practices and using the corresponding commands, you can significantly reduce the risk of unauthorized access and potential security breaches. Always stay vigilant and keep your SSH configurations up-to-date to adapt to evolving threats in the ever-changing world of cybersecurity.