Changing SSH Default Port
The default port for SSH is port 22. It can be changed by editing the /etc/ssh/sshd_config file.
vi /etc/ssh/sshd_config
Change the line that reads “Port 22” to your new chosen port number. Which number you choose does not really matter, as long as no other program or service is already using it. I am using port 10022 in this example.
# What ports, IPs and protocols we listen for
#Port 22
Port 10022
IMPORTANT: Don’t forget to open your new SSH port for TCP connections in your firewall. You should also close port 22, since it will no longer be used.
Disable SSH Root Logins
Disabling root logins over SSH is a great way to improve your server’s security.
vi /etc/ssh/sshd_config
Change the “PermitRootLogin” setting to no.
#PermitRootLogin yes
PermitRootLogin no
Restart the SSH daemon.
service ssh restart
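The two sshd_config edits above can be scripted so that the same change is applied the same way on every server. The following shell script is an added example, not code from the original post: it rewrites the Port and PermitRootLogin directives in place, keeps a backup, refuses a port number that is not in the valid range, and leaves any Match block untouched (the function names port_is_valid, set_sshd_option and harden_sshd are this example's own, and it assumes the Debian/Ubuntu layout the post uses, with /etc/ssh/sshd_config, sshd -t and service ssh restart).

```shell
#!/bin/sh
# Added example, not code from the original post: rewrite an sshd_config so that
# sshd listens on a new port and refuses root logins, keeping a backup.
# Assumes the Debian/Ubuntu layout used in the post (/etc/ssh/sshd_config,
# `sshd -t`, `service ssh restart`); the file path and port are parameters so
# the functions can be tried on a copy of the config first.

# port_is_valid PORT: succeed only for an integer in 1..65535.
port_is_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;              # empty or not purely numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# set_sshd_option FILE KEY VALUE: replace the first active or commented-out
# "KEY ..." line (outside any Match block) with "KEY VALUE", drop any later
# copies so sshd cannot pick up a stale duplicate, and append the directive
# before the first Match block (or at the end) when the file has none.
set_sshd_option() {
    f="$1" k="$2" v="$3"
    awk -v key="$k" -v value="$v" '
        function emit() { if (!done) { print key " " value; done = 1 } }
        /^[ \t]*Match([ \t]|$)/ { emit(); inmatch = 1 }
        !inmatch && $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") { emit(); next }
        { print }
        END { emit() }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# harden_sshd [FILE] [PORT]: apply both changes from the post to FILE
# (defaults: /etc/ssh/sshd_config and port 10022, as in the post).
harden_sshd() {
    target="${1:-/etc/ssh/sshd_config}" newport="${2:-10022}"
    port_is_valid "$newport" || { echo "harden_sshd: '$newport' is not a valid port" >&2; return 1; }
    cp "$target" "$target.bak" || return 1     # keep something to roll back to
    set_sshd_option "$target" Port "$newport"
    set_sshd_option "$target" PermitRootLogin no
}

# When run directly with arguments, e.g. `sh harden-sshd.sh /etc/ssh/sshd_config 10022`,
# edit the live file, syntax-check it with sshd -t and print the remaining steps.
if [ "$#" -gt 0 ]; then
    harden_sshd "$@" || exit 1
    sshd -t && echo "sshd_config OK: open TCP port ${2:-10022} in the firewall, then run 'service ssh restart'"
fi
```

Run sshd -t before the restart, and keep your existing SSH session open until you have confirmed from a second session that you can log in on the new port as a non-root user; if the new port is blocked by the firewall or the edit went wrong, the open session and the .bak copy are what let you recover without console access.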
IMPORTANT: Make sure you have at least one non-root user before doing this, or you will lock yourself out.
A new user is added with the adduser command followed by the new username.
root@server:/# adduser sampleuser
Adding user `sampleuser' ...
Adding new group `sampleuser' (1001) ...
Adding new user `sampleuser' (1001) with group `sampleuser' ...
Creating home directory `/home/sampleuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for sampleuser
Enter the new value, or press ENTER for the default
	Full Name []:
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n] Y
root@server:/#
IMPORTANT: Do not use the same password as the root user. That will completely defeat the whole point of disabling root logins.
Once logged in as that user, you can switch to the root user with the “su root” command, followed by the root password.
su root
Install Fail2Ban
Fail2Ban monitors your log files for patterns that are specified in a filter, such as repeated failed logins, and bans the source address once a pattern matches too often.
apt-get update && apt-get upgrade
apt-get install fail2ban
By default fail2ban monitors failed logins on port 22. Since we changed the port the SSH daemon listens on, fail2ban needs to know this as well. Create a new file called jail.local in the /etc/fail2ban/ directory.
vi /etc/fail2ban/jail.local
Add the SSH jail and change the “port =” line to your new SSH port number.
[ssh]
enabled = true
port = 10022
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
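The port in jail.local has to match the one in sshd_config, and the easiest way to keep them in step is to read it from sshd_config rather than typing it twice. The script below is an added example, not code from the original post: sshd_ports extracts every active Port directive (skipping commented-out lines and stopping at the first Match block, defaulting to 22 when none is set) and write_ssh_jail writes the jail from the post with that list filled in. It goes slightly beyond the post in that several Port directives are joined into the comma-separated list fail2ban accepts. The function names are this example's own, and the paths assume the Debian layout the post uses (/etc/ssh/sshd_config, /etc/fail2ban/jail.local, /var/log/auth.log).

```shell
#!/bin/sh
# Added example, not code from the original post: derive the fail2ban SSH jail
# from whatever port(s) sshd is actually configured to use, so the two files
# cannot drift apart. Assumes the Debian layout from the post
# (/etc/ssh/sshd_config, /etc/fail2ban/jail.local, /var/log/auth.log);
# paths are parameters so the functions can be exercised on copies.

# sshd_ports FILE: print the port(s) sshd listens on, comma-separated in
# sshd_config order, or 22 when no Port directive is active. Commented-out
# lines are skipped and scanning stops at the first Match block.
sshd_ports() {
    awk '
        /^[ \t]*Match([ \t]|$)/ { exit }
        /^[ \t]*Port[ \t]+[0-9]+[ \t]*$/ { ports = ports (ports ? "," : "") $2 }
        END { print (ports ? ports : "22") }
    ' "$1"
}

# write_ssh_jail OUT PORTS [MAXRETRY]: write a jail.local like the one in the
# post with the port list filled in. fail2ban accepts a comma-separated list
# in "port =", which is what makes multiple Port directives work.
write_ssh_jail() {
    out="$1" ports="$2" maxretry="${3:-3}"
    # [ssh] is the jail name in the fail2ban release the post uses; from
    # fail2ban 0.9 on, the stock jail is called [sshd] instead.
    cat > "$out" <<EOF
[ssh]
enabled = true
port = $ports
filter = sshd
logpath = /var/log/auth.log
maxretry = $maxretry
EOF
}

# When run directly, e.g. `sh ssh-jail.sh /etc/ssh/sshd_config /etc/fail2ban/jail.local`,
# write the jail, restart fail2ban and show the jail status as a check.
if [ "$#" -gt 0 ]; then
    write_ssh_jail "${2:-/etc/fail2ban/jail.local}" "$(sshd_ports "${1:-/etc/ssh/sshd_config}")"
    service fail2ban restart && fail2ban-client status ssh
fi
```

Always put local changes in jail.local and leave jail.conf alone, since package upgrades overwrite jail.conf. After the restart, fail2ban-client status ssh should list the jail with /var/log/auth.log as its monitored file; if your fail2ban version names the stock jail [sshd], use that name in both the file and the status command.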