Secure SSH: Best Practices & Certificates

G5 Cyber Security

1 month ago

TL;DR

SSH is a powerful tool, but needs securing. Disable password authentication, use strong keys, limit user access, and consider certificate-based authentication for improved security and manageability. A certificate-based VPN server can be an excellent solution if you need to control access to multiple servers or internal resources.

Securing SSH Access: Step-by-Step Guide

Disable Password Authentication

The biggest security risk with SSH is often weak passwords. Disable password authentication entirely and rely on key-based authentication instead.

Edit the SSH configuration file:
```
sudo nano /etc/ssh/sshd_config
```
Find the line PasswordAuthentication yes and change it to PasswordAuthentication no.
Restart the SSH service:
```
sudo systemctl restart sshd
```

Generate Strong SSH Keys

Use a strong passphrase when generating your keys.

On your local machine, generate an SSH key pair:
```
ssh-keygen -t rsa -b 4096
```
(Consider using ed25519 instead of RSA for better security:
```
ssh-keygen -t ed25519
```
)
Copy the public key to the server. The easiest way is often:
```
ssh-copy-id user@server_ip
```

Limit User Access

Don’t allow root login directly via SSH.

Edit the SSH configuration file:
```
sudo nano /etc/ssh/sshd_config
```
Find the line PermitRootLogin yes and change it to PermitRootLogin no.
Consider using AllowUsers user1 user2 to explicitly specify which users are allowed to connect via SSH.
Restart the SSH service:
```
sudo systemctl restart sshd
```

Change the Default SSH Port

Changing the default port (22) can deter automated attacks.

Edit the SSH configuration file:
```
sudo nano /etc/ssh/sshd_config
```
Find the line Port 22 and change it to a different port number (e.g., Port 2222). Choose a port above 1024 that isn’t commonly used.
Update your firewall rules to allow traffic on the new port.
Restart the SSH service:
```
sudo systemctl restart sshd
```

Use a Firewall

Configure a firewall (like ufw or iptables) to only allow SSH traffic from trusted IP addresses.

Example using ufw:

sudo ufw allow from 192.168.1.0/24 to any port 22

(or your chosen port)

Keep SSH Software Updated

Regularly update your SSH server software to patch security vulnerabilities.

Use your system’s package manager:
```
sudo apt update && sudo apt upgrade
```
(Debian/Ubuntu) or
```
sudo yum update
```
(CentOS/RHEL)

Certificate-Based Authentication

Certificate-based authentication offers several advantages over key-based authentication:

Centralized Management: Easier to revoke access for multiple servers.
Improved Security: Certificates can be signed by a Certificate Authority (CA), providing stronger trust.
Automation: Easier integration with automation tools and configuration management systems.

Tools like OpenSSH’s ssh-cert functionality or commercial solutions can help you implement certificate-based authentication.

Certificate-Based VPN Server?

Yes, a certificate-based VPN server (e.g., using WireGuard or OpenVPN) is an excellent solution if:

You need to provide secure access to multiple servers behind a firewall.
You want to control access based on user identity (certificates).
You require strong encryption and authentication for remote access.

The VPN server acts as a gateway, requiring clients to present valid certificates before granting access to the internal network.