SSH Security: Protecting Your Linux Server from Threats

hydn · March 27, 2023, 11:23am

Read the full article: SSH Security: Protecting Your Linux Server from Threats

SSH (Secure Shell) is our best friend when it comes to remote command line access to our servers. SSH (Secure Shell) is an essential tool for remote command-line access to servers. But to truly secure SSH you need to limit access to specific IP’s and follow a few other best practices. Leaving SSH open to… continue reading.

vintka · March 31, 2023, 11:58am

Great article, thanks! I would also add “port knocking” way here.

hydn · March 31, 2023, 6:33pm

Thanks again, @vintka, for the great suggestion! Welcome to the forums

Let me add that info here in the article discussion as it is indeed via your suggestion.

Port knocking is a security technique used to protect servers from unauthorized access. It involves opening ports on demand by “knocking” on a predefined sequence of ports in a specific order.

Here’s how to set up port knocking on Ubuntu:

Install the Knockd daemon:
sudo apt update && sudo apt install knockd
Configure Knockd: Edit the Knockd configuration file:
sudo vi /etc/knockd.conf

Define the port sequences and commands to execute. For example:

[options]
UseSyslog

[openSSH]
sequence    = 1000,2000,3000
seq_timeout = 5
command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport xxxx -j ACCEPT
tcpflags    = syn

[closeSSH]
sequence    = 3000,2000,1000
seq_timeout = 5
command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport xxxx -j ACCEPT
tcpflags    = syn

In this example:

openSSH: Opens the SSH port (replace xxxx with your SSH port) when the sequence 1000,2000,3000 is knocked.
closeSSH: Closes the SSH port when the reverse sequence 3000,2000,1000 is knocked.

Start the Knockd daemon:
sudo systemctl enable knockd sudo systemctl start knockd

That’s it! Be sure to test your configuration thoroughly before deploying it in a production environment.

ricky89 · January 2, 2025, 4:58pm

One of best ideas instead blacklisting or whitelisting some users or ip address is using a strong password for your user profile so it’s difficult to crack it and connect trough SSH.

hydn · January 2, 2025, 5:11pm

Yes. Only if using keys isn’t an option. But even then, with strong passwords those attempting brute force should be blocked. I like using the honeypot project and also blocks by country using MaxMind.

toadie · January 3, 2025, 10:24pm

Bookmarked! Great article, well explained

theslop · January 6, 2025, 5:40pm

One think I have tried is to test the ssh config using an external tool and in some cases it has shared that there are crypto algorithms that are not advised still in place …

SSH Configuration Auditor

I found it useful - I didn’t test on a production server, just a crash and burn box and then took the learnings to other more sensitive set ups … YMMV

Reviewing your logs is the most important thing - it is an eye opener and makes you realise why all the other changes are v important

ricky89 · January 6, 2025, 8:09pm

Yes but, in a LAN ecosystem there never should be a brute force attack, I think it’s not a good practice open port 22 to internet.
If you want to connect in ssh to your lab terminal I think it’s better install a VPN and then access trough LAN.
Am I right? What am I missing?