Aug 09, 2019 10:20 AM

Configuring SSH on Debian/Ubuntu

In this article I will explain how to configure an SSH server on a Debian/Ubuntu operating system. As soon as your server (VPS/VDS, dedicated server) is reachable over SSH, bots will start trying to break into it. Apply at least a minimal set of SSH settings right away to protect yourself from them. So, let's get down to setting up.

These instructions were tested on the following operating systems: Debian 10, Debian 9, Ubuntu 20.10, Ubuntu 20.04, Ubuntu 19.10.

First server connection

When you place a site on a server, you should be given a dedicated IP address and a root password for access via SSH. Connect to the server by running the command in the terminal:

ssh root@192.168.0.101

where 192.168.0.101 is the IP address of your server.

When you first connect, you must confirm the host's key fingerprint by entering "yes". Next, you need to enter the superuser password.

Now we have full access to the server.

Creating a user with administrator rights

Working in the system as the superuser (root) is not safe, so create a user with administrator rights by running the command in the terminal:

adduser username

where username is the name of the account that will be your primary one and will replace the superuser (root). Choose a strong password.

Add the new user to the sudo group by running the command in the terminal:

usermod -aG sudo username

Close the SSH connection by running the command in the terminal:

exit

Now log in as the new user by running the command in the terminal:

ssh username@192.168.0.101

Disabling root login

For security reasons, let's disable SSH login for the superuser (root). All settings are changed in the /etc/ssh/sshd_config file. Open the settings file for editing by running the command in the terminal:

sudo nano /etc/ssh/sshd_config

We look for the "PermitRootLogin" parameter in the file and set the value to "no". If the parameter is not found, add the line "PermitRootLogin no" at the end of the file. Save the changes and close the file. To apply the new settings, restart the SSH server by running the command in the terminal:

sudo service ssh restart

Other parameters are changed in the same way!

Changing SSH port

To reduce hacking attempts against the standard port 22, change it to a non-standard port that is not used by other services. The range of values is 1 - 65535. You can check whether a port is already listed for another service in the /etc/services file by running the command in the terminal (shown here for port 22; substitute the port you are considering):

grep -w '22' /etc/services

For example, select port 2222. Open the settings file and look for the "Port" parameter. Set the new port value instead of the standard 22. Save the changes, close the file, and restart the SSH server.

Do not forget about the firewall if one is running. If traffic is restricted, create a rule for the new port.

From now on, when logging in via SSH, you must specify the new port by running the command in the terminal:

ssh -p 2222 username@192.168.0.101

Allowed users

By default, login is allowed for all usernames. Let's allow access to the server via SSH using the "AllowUsers" parameter only for the listed users (separated by spaces):

AllowUsers username username2

Add this line to the end of the settings file. Save the changes, close the file, and restart the SSH server.

Allowed IP addresses

We can restrict which IP addresses, or which address family, the server accepts SSH connections on. The "AddressFamily" parameter specifies which family of IP addresses to use: any (IPv4 + IPv6), inet (IPv4 only), inet6 (IPv6 only). Let's specify the inet value so that access is possible only over IP version 4:

AddressFamily inet

Add this line to the end of the settings file. Save the changes, close the file, and restart the SSH server.

We can also specify which of the server's own IP addresses sshd listens on, and therefore through which addresses access is allowed, using the "ListenAddress" parameter. For example, specify the address 192.168.0.100:

ListenAddress 192.168.0.100

Add this line to the end of the settings file. Save the changes, close the file, and restart the SSH server.

If an error occurred during the restart of the SSH server (sshd can only bind to an address that is assigned to the server), try adding the address of the server itself at the end of the settings file:

ListenAddress 192.168.0.101

Enabling public key authentication

Key pairs can be used for authentication so that you do not have to enter a password each time you connect to the server via SSH. Create a private and a public key with ssh-keygen by running the command in the terminal:

ssh-keygen -t rsa -f ~/.ssh/id_rsa_remote_server

After executing this command, two files will be created: the private key ~/.ssh/id_rsa_remote_server and the public key ~/.ssh/id_rsa_remote_server.pub.

Copy the public key to your remote server by running the command in the terminal:

ssh-copy-id -i ~/.ssh/id_rsa_remote_server -p 2222 username@192.168.0.101

Also check that public key authentication is enabled with the "PubkeyAuthentication" parameter; by default this parameter is set to "yes".

From now on, when logging in via SSH, we will not be asked for a password.

Disabling password authentication

Attention! If you cannot ensure the security of your private key, it is better to skip this step! With password authentication disabled, you will not be able to log in via SSH without the key.

To disable password authentication, use the "PasswordAuthentication" parameter:

PasswordAuthentication no

Add this line to the end of the settings file. Save the changes, close the file, and restart the SSH server.
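
Several steps above say to add a line at the end of the settings file, but sshd uses the first value it reads for most keywords and treats everything after a "Match" line as conditional, so an appended line can be silently ignored. The script below is an added example, not part of the original article, that audits a config file for the settings covered above; the function names (values, effective, audit) and the sample config are constructed for illustration.

```shell
# Added example (not from the article): audit an sshd_config for the settings above.
# sshd keeps the FIRST value it reads for most keywords; lines after "Match" are conditional.

# values FILE KEYWORD: print each global (pre-Match) value of KEYWORD, one per line.
# Keywords are case-insensitive. Assumes "Keyword value" syntax (no "Keyword=value").
values() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF == 0       { next }   # comments and blank lines
        tolower($1) == "match"      { exit }   # the global section ends here
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# effective FILE KEYWORD: for single-valued keywords the first value wins.
effective() { values "$1" "$2" | head -n 1; }

# audit FILE: print one finding per line; return 0 only if there are none.
audit() {
    bad=0
    [ "$(effective "$1" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no'"; bad=1; }
    [ "$(effective "$1" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no'"; bad=1; }
    [ "$(effective "$1" PubkeyAuthentication)" != "no" ] ||
        { echo "PubkeyAuthentication is disabled"; bad=1; }
    [ -n "$(effective "$1" AllowUsers)" ] ||
        { echo "AllowUsers is not set"; bad=1; }
    # Port accumulates: every Port line opens a listener. No Port line means 22.
    ports=$(values "$1" Port)
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "sshd still listens on port 22"; bad=1
    fi
    return "$bad"
}

# Constructed sample: hardening lines were appended, but earlier lines shadow them.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Port 22
permitrootlogin yes
#PasswordAuthentication yes
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers username username2
EOF

audit "$sample" || echo "=> fix the findings, then: sudo sshd -t && sudo service ssh restart"
```

On a live server, sudo sshd -T prints the effective configuration with defaults included, and sudo sshd -t validates the file before you restart.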


In this article I presented the basic settings that can significantly reduce the risk of your server being hacked via SSH. Remember, there is never a 100% guarantee against hacking.