Linux 116: Configuring SSH for Secure Remote Access

byAhmed Kira -
0

Linux 116: Configuring SSH for Secure Remote Access

Secure Shell (SSH) is the standard method for securely accessing and managing remote Linux servers. Whether you’re administering a personal server or managing cloud infrastructure, configuring SSH properly is essential for security and productivity.

1. What is SSH?

SSH (Secure Shell) is a cryptographic network protocol for operating network services securely over an unsecured network. The most common use is remote login to a Linux server.

  • Default port: 22
  • Protocol version: SSH-2 (most secure and widely used)

2. Installing the OpenSSH Server

Debian/Ubuntu


sudo apt update
sudo apt install openssh-server

RHEL/CentOS/Fedora


sudo dnf install openssh-server

Start and enable the SSH service:


sudo systemctl start ssh
sudo systemctl enable ssh

3. Basic SSH Usage

Connect to a remote server:


ssh username@server_ip

Optional port usage:


ssh -p 2222 username@server_ip

4. Securing SSH Access

Change the Default Port

Edit the config file:


sudo nano /etc/ssh/sshd_config

Update:


Port 2222

Restart the service:


sudo systemctl restart sshd

Disable Root Login

In the same file (sshd_config), set:


PermitRootLogin no

Limit Users

Restrict SSH access to specific users:


AllowUsers user1 user2

5. Using SSH Key Authentication

Generate SSH Keys (on local machine)


ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Copy Key to Server


ssh-copy-id username@server_ip

Now you can connect without a password:


ssh username@server_ip

Disable Password Authentication (server)

Edit sshd_config:


PasswordAuthentication no

Restart SSH:


sudo systemctl restart sshd

6. Enabling SSH Firewall Rules

Allow SSH with UFW:


sudo ufw allow 22/tcp        # Or 2222 if you changed the port
sudo ufw reload

7. Useful SSH Features

SSH Tunneling

Forward a local port to a remote server:


ssh -L 8080:localhost:80 user@server

SSH Agent Forwarding

Use your local SSH key to authenticate with services on the remote server:


ssh -A user@server

8. Monitoring SSH Login Attempts

Use journalctl:


sudo journalctl -u ssh

Or analyze /var/log/auth.log or /var/log/secure depending on your distro:


sudo tail -f /var/log/auth.log

9. Fail2ban for SSH Brute Force Protection

Install Fail2ban:


sudo apt install fail2ban       # Debian/Ubuntu
sudo dnf install fail2ban       # RHEL/Fedora

Enable and start:


sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Basic protection for SSH is enabled by default.

10. Conclusion

Proper SSH configuration is essential to secure remote access. By hardening SSH with non-default ports, key authentication, and login restrictions, you significantly reduce the attack surface of your Linux server.

Next Steps:

  • Set up 2FA (two-factor authentication) for SSH
  • Explore using tools like Mosh for mobile-friendly SSH sessions
  • Learn about ProxyJump and SSH config for multi-hop access

Up next: Linux 117: Automating with Ansible for Configuration Management

Post a Comment (0)
Previous Post Next Post

ads