Secure SSH: Best Practices & Certificates

TL;DR

SSH is a powerful tool, but needs securing. Disable password authentication, use strong keys, limit user access, and consider certificate-based authentication for improved security and manageability. A certificate-based VPN server can be an excellent solution if you need to control access to multiple servers or internal resources.

Securing SSH Access: Step-by-Step Guide

1. Disable Password Authentication

The biggest security risk with SSH is often weak passwords. Disable password authentication entirely and rely on key-based authentication instead.

• Edit the SSH configuration file:

  sudo nano /etc/ssh/sshd_config

• Find the line PasswordAuthentication yes and change it to PasswordAuthentication no.
• Restart the SSH service:

  sudo systemctl restart sshd

2. Generate Strong SSH Keys

Use a strong passphrase when generating your keys.

• On your local machine, generate an SSH key pair:

  ssh-keygen -t rsa -b 4096

  (Consider using ed25519 instead of RSA for better security:

  ssh-keygen -t ed25519

  )

• Copy the public key to the server. The easiest way is often:

  ssh-copy-id user@server_ip

3. Limit User Access

Don’t allow root login directly via SSH.

• Edit the SSH configuration file:

  sudo nano /etc/ssh/sshd_config

• Find the line PermitRootLogin yes and change it to PermitRootLogin no.
• Consider using AllowUsers user1 user2 to explicitly specify which users are allowed to connect via SSH.
• Restart the SSH service:

  sudo systemctl restart sshd

4. Change the Default SSH Port

Changing the default port (22) can deter automated attacks.

• Edit the SSH configuration file:

  sudo nano /etc/ssh/sshd_config

• Find the line Port 22 and change it to a different port number (e.g., Port 2222). Choose a port above 1024 that isn’t commonly used.
• Update your firewall rules to allow traffic on the new port.
• Restart the SSH service:

  sudo systemctl restart sshd

5. Use a Firewall

Configure a firewall (like ufw or iptables) to only allow SSH traffic from trusted IP addresses.

• Example using ufw:

  sudo ufw allow from 192.168.1.0/24 to any port 22

  (or your chosen port)

6. Keep SSH Software Updated

Regularly update your SSH server software to patch security vulnerabilities.

• Use your system’s package manager:

  sudo apt update && sudo apt upgrade

  (Debian/Ubuntu) or

  sudo yum update

  (CentOS/RHEL)

Certificate-Based Authentication

Certificate-based authentication offers several advantages over key-based authentication:

• Centralized Management: Easier to revoke access for multiple servers.
• Improved Security: Certificates can be signed by a Certificate Authority (CA), providing stronger trust.
• Automation: Easier integration with automation tools and configuration management systems.

Tools like OpenSSH’s ssh-cert functionality or commercial solutions can help you implement certificate-based authentication.

Certificate-Based VPN Server?

Yes, a certificate-based VPN server (e.g., using WireGuard or OpenVPN) is an excellent solution if:

• You need to provide secure access to multiple servers behind a firewall.
• You want to control access based on user identity (certificates).
• You require strong encryption and authentication for remote access.

The VPN server acts as a gateway, requiring clients to present valid certificates before granting access to the internal network.