How To Secure SSH Access on Ubuntu Servers (Video Tutorial)

SSH (Secure Shell) is a powerful tool for managing servers remotely, but it can be vulnerable to attacks without proper security measures. Follow these 10 steps to secure SSH access on Ubuntu servers.

Grant Knoetze, Contributor

October 2, 2024

11 Min View
ITPro Today

In this video, you will learn how to secure SSH (Secure Shell) access on an Ubuntu server, a critical task for protecting your server from unauthorized access. 

IT expert Grant Knoetze will walk you through the important steps, such as disabling root login, changing the default SSH port, setting up SSH key authentication, and using tools like Fail2Ban to protect against brute-force attacks. You will also learn how to configure your firewall (UFW) to limit access to trusted IP addresses.

By the end of the tutorial, you will have a secure SSH setup, ensuring your server remains safe from potential threats. 

The following transcript has been edited for length and clarity.

Subscribe to ITPro Today’s YouTube channel for Linux tutorials and more.

Transcript:

Grant Knoetze: Hello, and welcome to this lesson on securing Secure Shell, or SSH, access for your Ubuntu Server

SSH is a powerful tool that allows you to manage remote servers securely. However, if misconfigured, it can be vulnerable to attacks. Today, I will walk you through the essential steps to securing SSH access on your Ubuntu server and protecting your server from unauthorized access.

Step 1: Update Ubuntu Server

Before we begin, always ensure your Ubuntu server is up to date. This step will ensure that you have the latest security patches. 

Related:Enhance Linux Kernel Security Using Lockdown Mode and Kernel Self-Protection

How can we update and upgrade the server? So, apt is the package manager in Debian-based distributions. I can type in:

sudo apt update && sudo apt upgrade -y

I hit Enter, and it is going to work.

Step 2: Back up SSH Configuration

Now that we have successfully updated and upgraded our Ubuntu server, we will make sure we back up our SSH configuration file before we make any changes:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

This way, you can quickly restore the SSH configuration file if something goes wrong. 

Step 3: Disable Root Login

One thing you should always do is disable root login over SSH. This step prevents attackers from trying to brute-force their way into your Ubuntu server using the root account

Open the SSH configuration file using the following command: 

sudo nano /etc/ssh/sshd_config

I like to use the Nano editor. You can use any text or code editor that you prefer. 

Hit Enter, and we can see that we opened our SSH configuration file. We must find the line that says “PermitRootLogin” and set it to “no.” We can see that a lot has been commented out (using #). If something is commented out, the program will ignore it when it runs. If it is uncommented, it’s going to be looked at. 

For PermitRouteLogin, we can just put the “no” flag:

PermitRootLogin no

I hit Ctrl+O to save and then Ctr+X to exit Nano. 

Related:Linux Security in the Cloud Era: Best Practices for Protecting Your Cloud Workloads

Step 4: Change the Default SSH Port

Moving forward, what we can do now after having done that is change the default SSH port. By default, SSH uses Port 22, which is widely known and often targeted by attackers. A simple but effective measure is to change the SSH port to something nonstandard. 

To do this, we can use the same command. I am using Nano to open my SSH configuration file. Then what I can do is where it says, “Port 22,” we can change this to something else nonstandard. So, I will change it to “Port 2200.” I am going to save and exit. 

Step 5: Restart the SSH Service

After initiating these changes, we must restart the SSH service. You can use systemctl or service. Both are suitable for this. I am going to use systemctl and type in: 

sudo systemctl restart ssh

I can see that it restarted. I can get the status on SSH by typing: 

sudo systemctl status  

We can see that the status is active. 

Step 6: Update Firewall Rules

Remember to allow the new ports in your firewall. I will allow port 2200 and disable port 22. You can easily use the uncomplicated firewall (UFW). We went through the uncomplicated firewall in our previous video. From the command line, you type in: 

sudo ufw allow 2200/tcp 

There is an existing rule, so it skipped adding it. If it needed to add the rule, it would have added it. 

We can go ahead and delete any TCP traffic over port 22: 

Related:How To Implement Zero-Trust Security in Linux Environments

sudo ufw allow 22/tcp 

I hit Enter. I can see that there is a nonexistent rule because I have already deleted it. I have already disallowed TCP traffic over port 22. If you have not, it will do it for you. 

Let's enable the firewall and limit access. Speaking of firewalls, let's ensure the firewall is enabled and properly configured. If UFW is not installed, you can install it with:

sudo apt install ufw

You can then enable UFW with the following command: 

sudo ufw enable 

It will tell us that the firewall is active and enabled on system startup. 

Step 7: Limit SSH Access to Specific IPs

Limit SSH access to specific IP addresses, especially if you have a fixed IP. This way, only known or trusted IPs can connect via SSH. So, we do this with UFW, the uncomplicated firewall. I type in the following command and give my IP address: 

sudo ufw allow from 192.168.41.1.1 to any port 2200

I hit Enter, and it tells me the rule has been added. 

Step 8: Enable SSH Key Authentication

Let's talk a little bit more about SSH key authentication. It is a good idea to enhance security by using SSH key authentication instead of a password. Doing so makes it nearly impossible for an attacker to brute-force your Ubuntu server. I type in: 

sudo ssh-keygen -t rsa -b 4096

I hit Enter. It generates a public/private RSA key pair. For purposes of this demonstration, I am going to save it in /home. There is a folder called /ssh_key_pairs. Our key pair has been saved. You can now set it up on your server. You can copy this anywhere that you like using the copy command

Step 9: Disable Password Authentication

After setting up SSH key authentication, you can test it by trying to log into your Ubuntu server. If successful, you can disable password authentication altogether for better security. 

To disable password authentication, we can open our configuration file in Nano, as before. We can search for “#PasswordAuthentication.” We can uncomment it. Then we can add the no field to it at the end: 

PasswordAuthentication no 

I press Ctrl+O to write and Ctrl+X to exit. Now password authentication has been disabled. 

Once again, we need to restart the SSH service. We use systemctl as we did before: 

sudo systemctl restart ssh 

Those changes have now taken effect. 

Step 10: Install Fail2Ban

Finally, let's install Fail2Ban. Fail2Ban is a tool that automatically bans IP addresses after multiple failed login attempts and helps to defend against brute-force attacks. 

It is very simple. From the command line, you type in: 

sudo apt install fail2ban 

I have it already installed, so it is just going to upgrade it if it needs to. It didn't need to upgrade it, but it will install it if you don't have it. 

Once installed, it works out of the box to protect SSH. You can adjust its settings by editing the configuration file. The configuration file is found in /etc.

Let's change the directory to /etc, enter ls, and change the directory (cd) to /fail2ban. Inside /fail2ban, we can ls and see that jail.conf is there. We can use sudo nano to open jail.conf if we want to edit the settings for Fail2Ban. 

Conclusion

That's it. By following these steps, you significantly improved the security of your SSH access. Always monitor your Ubuntu server for unusual activity and stay updated with the latest security patches. 

Thanks for watching. If you found this helpful, “like” and subscribe for more tutorials. Goodbye for now.

About the Author

Grant Knoetze

Contributor

Grant Knoetze is a cybersecurity analyst with a special interest in DFIR, programming languages, incident response, red-teaming, and malware analysis. His full-time job includes teaching and instructing in various topics from basic Linux all the way through to malware incident response, and other advanced topics. He is also a speaker at various conferences worldwide.

www.grantknoetze.com

https://github.com/Grant-Knoetze

https://www.linkedin.com/in/grant-knoetze-563b0b1b6/

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like