Configure
Build your server
5.0
Rated excellent

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning 28 August 2023

The SSH (Secure Shell) network protocol is one of the most common tools for remote connection to a VPS/VDS virtual server. Despite all the advantages of this development, there are a number of difficulties in securing the SSH server.

A common mistake is to use SSH protocols without first configuring them. This usually results in the computer and connected server being hacked.

Any unauthorized user can without much effort disrupt the system operation (for example, using DDoS attacks), if connection via SSH is not secure.

Next, we are going to consider some reliable tips for securing SSH when using a Linux server. This will make working with VDS more efficient.

1. Creating SSH profiles

Creating SSH profiles

We recommend creating a special SSH profile if you are connecting to a Linux server which uses a Unix/Linux operating system. This will make the operating cycle performance much easier.

Programmed SSH configuration file will allow you to virtually connect to the device using only the profile name.

To connect from Linux to Linux

Creating an SSH profile requires the use of the ssh command as:

ssh [USERNAME]@[IP_ADDRESS] -p [PORT_NUMBER]

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

The exit command is used to disconnect from the server

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

SSH profiles are stored in the "~/.ssh/config" file.

Certain operating systems require you to create a "config" file manually using next command:

touch ~/.ssh/config

To connect to another server, you need to enter SSH profile data into the “~/.ssh/config” file. For example, the vi editor and the corresponding command will help you with this:

vi ~/.ssh/config

Configuration file should look like:

Host [PROFILE_NAME]
Hostname [IP_ADDRESS]
User [USERNAME]
Port [PORT_NUMBER]

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

Next command will allow you to access the VPS using just the profile name:

ssh [PROFILE_NAME]

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

To connect from Windows to Linux

Creating such a profile in PuTTY is quite similar to creating it for Linux client.

Session data is entered when a remote SSH connection in PuTTY. They are saved in the main section Session → Saved Sessions under a separate name.

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

For easy and quick connection to a specific SSH server, you can use this saved profile. You just need to:

  • open a saved session in the Saved Sessions section,
  • enter the password in the opened terminal.

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

2. Connection without a password

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

You will have an opportunity not to enter a password each time you log in if a public/private key pair (SSH keys) has been created.

To connect from Linux to Linux

SSH connection by key is carried out according to several steps:

  1. At first, you need to generate some SSH keys on the local machine (to set filename, location and passphrase).

    ssh-keygen -t rsa

    Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

  2. Next step is to copy generated key to remote server. You need to use the command:

    ssh-copy-id [USERNAME]@[IP_ADDRESS] -p [PORTNUM]

    Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

  3. In the configuration file "~/.ssh/config" you need to add next lines:

    Identitiesonly yes
    Identityfile ~/.ssh/id_rsa

    This is necessary so the connection could be carried out via an SSH profile without entering a password.

After completing all these steps, the system should be logged in without requiring a password. 

To connect from Windows to Linux

Ready-made profiles (SSH keys) are used to quickly and easily connect via SSH without a password to the VPS.

3. Change the SSH port number

To hide the VPS from scanning you can change the port number (default port number 22). Any numbers from 1024 to 65 535 are available.

  • You can replace the SSH port number in "/etc/ssh/sshd_config".

    Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning (Change the default SSH port to 45685)

  • Then you need to restart sshd.service with the command:

    sudo systemctl restart sshd

4. Blocking unused ports

To block unused ports in Linux you need to perform the following steps in the given order:

  1. Open SSH port:

    sudo ufw allow ssh

  2. Block port:

    sudo ufw deny [UNUSED_PORT]

  3. Activate firewall:

    sudo ufw enable

  4. Check firewall status:

    sudo ufw enable

5. Block root access

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

To avoid unplanned changes on the server, it is recommended to block root access. This is an efficient method as access for new admin users is limited.

Root access lock requires performing next steps:

  1. Add new admin user (just an example):

    sudo useradd -m admin

  2. Create and set a new password for this user:

    sudo passwd admin

  3. Add the user to a "sudo" list:

    sudo usermod -a -G sudo admin

  4. The PermitRootLogin parameter must be set to "no", for access to be denied.

    Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

  5. Next, you need to restart the sshd service using the command:

    systemctl restart sshd

6. Blocking ping requests

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

The ping service performs several functions:

  • Often used to check if a server is reachable at a specific IP address.
  • Responds to ICMP packets requested from the client.

At the same time, this service can be used by robots to track the IP address of a specific server. This leads to a weakening of the protection of its privacy.

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning (An example of the output of the ping command)

Algorithm of actions for deactivating ping (executed by a user with root access):

  1. Open the configuration file "/etc/sysctl.conf":

    vi /etc/sysctl.conf

  2. In the configuration file set the value:

    net.ipv4.icmp_echo_ignore_all = 1

  3. Apply ready changes with the command:

    sysctl -p

    Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

Using the ping command, you can check that the server is not responding to ping requests anymore.

7. Disable X11/TCP port forwarding

This recommendation is useful, as hackers can use this weakness to connect to other network systems. You need to:

  1. Open the domain configuration file and find next two lines:

    AllowTcpForwarding yes
    X11Forwarding yes

  2. Change these lines to:

    AllowTcpForwarding no
    X11Forwarding no

  3. Save and close this file.

8. Make a backup copy of the configuration file

Backing up the configuration file is a common practice to help in case of a mistake while editing the file.

To perform a backup, you need to use the command:

cp /etc/ssh/sshd_config ~/sshd_config_original

9. Performing commands via SSH

SSH allows users to add necessary commands at a moment of connection attempt. After executing the command, the connection is closed.

The basic syntax to help you understand how to execute a command over SSH is:

ssh [USERNAME]@[IP_ADDRESS] "command"

Examples:

  • Extract file from remote system with compression:

    ssh [USERNAME]@[IP_ADDRESS] "tar -czf /projects" > ProjectBackup.tar.gz

  • Check package installation status:

    ssh [USERNAME]@[IP_ADDRESS] "rpm -qa | grep nano"

A pseudo-terminal with the -e command must be used when prompting for a password if you want to improve privileges on the server side of an SSH connection with sudo:

ssh -t [USERNAME]@[IP_ADDRESS] "sudo yum install nano"

10. SSH as a tunnel for other apps

Secure SSH connection to Linux VDS: 13 useful recommendations. SSH meaning

SSH protocol performs several additional functions. One such feature is an encrypted and authenticated connection to remote devices for other applications.

If a graphical user interface (GUI) is required to complete a necessary task, you will need a VNC (Virtual Network Computing) – remote access system. For better privacy protection, you can tunnel the VNC connection over SSH.

For the "VNC over SSH" (HTTP-over-SSH) tunnel to work, you should forward ports using the following command:

ssh -L 5901:localhost:5901 -N -f user01 server01

Using the same method, you can set up an HTTP-over-SSH tunnel to a directory named "images". You need the command:

ssh -L 11000:localhost:80 -N -f -l [USERNAME]@[IP_ADDRESS]

Then launch a web browser and connect to http://localhost:11000/images.

11. Set connection timeout

To manage idle SSH connections in the configuration file, ClientAliveInterval directive is used.

The server directs a message to the user and waits for a response. ClientAliveInterval specifies the amount of time between these messages.

The connection is terminated at the moment when the ClientAliveCountMax directive determines the server's decision that the client is actually no more.

An example configuration that checks the performance every 60 seconds and does this three times:

ClientAliveInterval 60
ClientAliveCountMax 3

12. Limit the number of authorization attempts

Since there are an unlimited number of login attempts on a Linux server, hackers can use this to hack the system using a remote SSH connection.

However, there is a way to avoid this kind of situation. By specifying the number of password attempts allowed, you can set SSH connections to auto-terminate (after all allowed attempts are over).

To complete this task, you need to change the value of "MaxAuthTries" in the configuration file "sshd_config". For example, limit connection attempts to two:

MaxAuthTries 2

13. Limit SSH access to specific IP addresses

Restricting all SSH logins to specific IP addresses can be done using the following algorithm:

  1. Open the "hosts.allow" file with the command:

    sudo vi /etc/hosts.allow

  2. Next, you need to add a line that includes all IP addresses that are allowed to login via SSH:

    sshd: 192.168.1.62, 192.168.1.11, 192.168.1.100 *

    (* just an example, you need to use your IP address).

  3. Save and close the file.
  4. Open the "hosts.deny" file using the command:

    sudo vi /etc/hosts.deny

  5. Add the following line below this file:

    sshd: ALL

  6. Save and close the file.

Conclusion

The implementation of the above methods to protect Linux servers anyway requires certain knowledge in the technical field.

It is also important to remember the need for comprehensive methods, since the use of a limited number of measures is unlikely to solve the problem of information security threats.

In certain cases, it is recommended to contact a specialist, since when working with a VPS, even a minor mistake can, in the worst case, lead to a complete loss of access to the server.