
SSH (Secure Shell) is the most commonly used protocol for secure remote server access. However, poorly configured SSH access can lead to critical security vulnerabilities.
In this guide, we’ll look at how to enhance SSH security and make server access more secure.
1️⃣ Why SSH Security Matters
📌 Common types of SSH attacks:
- Brute Force Attacks
- Man-in-the-Middle Attacks
- Unauthorized Access Attempts
- Exploits via Vulnerabilities
📌 If SSH is not secured:
- Unauthorized access to your server is possible.
- Data can be stolen or tampered with.
- The server could be used in DDoS attacks.
That’s why securing SSH access is absolutely critical!
2️⃣ Best Practices for SSH Security
1. Change the Default SSH Port
📌 Why?
- Attackers often target the default port 22.
- Changing the port avoids many automated attacks that only try port 22. It does not stop a targeted port scan, so combine it with the measures below.
📌 How?
sudo nano /etc/ssh/sshd_config
🔹 Find and update the following line:
# Choose a different port instead of 22
Port 2222
🔹 Restart the SSH service:
sudo systemctl restart sshd
⚠️ Note: Make sure the new port is allowed by your firewall before you close your current session, or you may lock yourself out:
sudo ufw allow 2222/tcp
2. Use SSH Key Authentication
📌 Why?
- Password authentication is vulnerable to brute-force attacks.
- SSH keys offer stronger and more secure authentication. 🔑
📌 Generate SSH Key:
ssh-keygen -t rsa -b 4096
🔹 Recommendation: Use RSA 4096-bit or Ed25519.
📌 Copy Key to Server:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@server_ip
🔹 Alternative:
cat ~/.ssh/id_rsa.pub | ssh user@server_ip 'umask 077 && mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
📌 Disable Password Login on Server:
sudo nano /etc/ssh/sshd_config
🔹 Find and set:
PasswordAuthentication no
🔹 Restart SSH:
sudo systemctl restart sshd
🚀 Now only SSH keys can be used for login! Before closing your current session, confirm from a second terminal that key login works.
3. Use Fail2Ban to Prevent Brute Force
📌 Fail2Ban detects failed login attempts and temporarily bans attacker IPs.
📌 Install Fail2Ban:
sudo apt install fail2ban -y
📌 Configure for SSH:
sudo nano /etc/fail2ban/jail.local
🔹 Add the following:
[sshd]
enabled = true
maxretry = 5
bantime = 3600
findtime = 600
🔹 Restart Fail2Ban:
sudo systemctl restart fail2ban
Now, IPs that fail 5 login attempts within 10 minutes will be blocked for 1 hour!
4. Set Automatic Timeout for Inactive Sessions
📌 Improve security by closing idle SSH sessions automatically.
🔹 Configure timeout:
sudo nano /etc/ssh/sshd_config
🔹 Add these lines:
ClientAliveInterval 300
ClientAliveCountMax 2
🔹 Restart SSH:
sudo systemctl restart sshd
🔹 Now, the server checks the client every 300 seconds, and a session whose client misses 2 checks in a row (about 10 minutes) will automatically close.
Summary
To secure SSH access:
- ✔ Change the default SSH port.
- ✔ Use key-based authentication.
- ✔ Disable password login.
- ✔ Use Fail2Ban to block brute-force attacks.
- ✔ Set timeouts to disconnect idle sessions.
By applying these measures, you can make your SSH connections stronger and more secure!
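To confirm that the edits from steps 1, 2 and 4 actually took effect, the following added example (not part of the original guide) audits an sshd_config file. It relies on sshd using the first value it reads for each keyword; the function names and the sample config are constructed for illustration, and the script assumes values in plain seconds and does not follow Include files.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config file against
# the settings recommended above. sshd uses the FIRST value it reads for a keyword,
# so a line appended at the bottom is ignored if the keyword was already set.

# effective_value FILE KEYWORD DEFAULT -> first global value of KEYWORD, else DEFAULT
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/          { next }   # skip comments and blank lines
        tolower($1) == "match"  { exit }   # global section ends at the first Match block
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE -> one "OK"/"FAIL" line per check from the guide
audit_sshd_config() {
    port=$(effective_value "$1" Port 22)                      # OpenSSH default: 22
    pw=$(effective_value "$1" PasswordAuthentication yes)     # default: yes
    interval=$(effective_value "$1" ClientAliveInterval 0)    # default: 0 (disabled)
    count=$(effective_value "$1" ClientAliveCountMax 3)       # default: 3

    if [ "$port" = 22 ]; then echo "FAIL Port is still 22"
    else echo "OK   Port is $port"; fi

    if [ "$pw" = no ]; then echo "OK   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication is $pw"; fi

    # Assumes the interval is written in plain seconds, as in the guide.
    if [ "$interval" -gt 0 ]; then
        echo "OK   unresponsive clients dropped after $((interval * count))s"
    else echo "FAIL ClientAliveInterval is 0 (no keepalive checks)"; fi
}

# Constructed sample: PasswordAuthentication appears twice; the first (yes) wins.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# Constructed sample sshd_config
Port 2222
PasswordAuthentication yes
ClientAliveInterval 300
ClientAliveCountMax 2
# ...edited later, following the guide:
PasswordAuthentication no
EOF

audit_sshd_config "$sample"
```

On a live server, `sudo sshd -T` prints the effective configuration, including settings pulled in through Include files.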
