Tips for securing your SSH server
Whitelisting IP Addresses
A whitelist is a list of IP addresses that are explicitly granted access to the server. A blacklist is a list of address that are explicitly denied access. The TCP Wrappers feature built into many Linux distributions lets you define whitelists and blacklists for services like SSH.
To whitelist specific IP addresses for the sshd
service, open the hosts.allow
file by running the following command in the server terminal:
$ sudo nano /etc/hosts.allow
Then put the IP addresses you want to whitelist in this file, either individually:
sshd: 192.168.2.2
or as a group using CIDR notation:
sshd: 192.168.2.0/24
You can then blacklist all the remaining IP addresses by modifying the hosts.deny
file. Open the hosts.deny
file:
$ sudo nano /etc/hosts.deny
And add following line:
sshd: ALL
If you would prefer to just blacklist specific addresses, enter the specific address or address range in hosts.deny
:
sshd: 192.168.2.2 sshd: 192.168.5.0/24
After changing the hosts.allow
and hosts.deny
files, restart your SSH server by running following command:
$ sudo systemctl restart ssh
Now your SSH server is open to only specific IP addresses.
Blocking Addresses with a Firewall
An SSH server accessible by the public is bound to come under attack. The hosts.deny
file is one way to block access to a specific IP address, but a firewall is another important line of defense.
For this example, I'll use the Uncomplicated Firewall (UFW) tool used to configure firewalls in Ubuntu. UFW comes preinstalled on many Linux distributions, but if your Linux uses a different tool, the concepts are similar. Check the status of UFW by running the following command (Figure 4):
$ sudo ufw status

If UFW is inactive on your server, activate it as follows:
$ sudo ufw enable
Now say you want to block the IP address 192.168.2.2 and a range of IP addresses (192.168.5.0/24) on the SSH server, which is running on port 22 (of course, if you follow the advice given in this article, you'll be using a different port instead of port 22). Use the following command to block a single IP address:
$ sudo ufw deny from 192.168.2.2 port 22
This command will add a rule to block this IP address on port 22. Now check the status of UFW by again running the status
command:
$ sudo ufw status
If UFW is active, the command will display all the rules, as shown in Figure 5.

Now run the following commands to block a range of IP addresses, and then check the UFW status on the SSH server:
$ sudo ufw deny from 192.168.5.0/24 port 22 $ sudo ufw status
These commands block the IP addresses and display all the rules, as shown in Figure 6.

Now your server is secure against attacks from these IP addresses. You can restore access to these addresses by deleting the rules. To delete the second rule from UFW rules (Figure 7):
$ sudo ufw delete 2 $ sudo ufw status

Adding Two-Factor Authentication
One of the best ways to secure your SSH server against hijack is adding two-factor authentication (2FA). In this example, I will use Google Authenticator to add multifactor authentication to the SSH server. Following are the steps to activate 2FA on the SSH server.
First of all, install Google Authenticator on your Android device. You can install Google Authenticator with the following link:
https://play.google.com/store/apps/details id=com.google.android.apps.authenticator2&hl=en
Now log into the SSH server and run the following command in the terminal to install Google Authenticator on the server:
$ sudo apt-get install libpam-google-authenticator
After installing, open Google Authenticator by typing following command:
$ google-authenticator
You will be asked if you want Google Authenticator to generate time-based authentication tokens. If you reply with yes, tokens will expire after a specific time and new tokens will be generated. It is more secure to use time-based authentication tokens.
Answering this question will generate some credentials, including a QR code, a verification code, a secret key, and emergency scratch codes. Now open Google Authenticator on your Android device and scan the QR code generated on the terminal.
If your mobile device does not support QR code scanning, you can use a verification code to get started. Now you will be asked if you want to change the Google Authenticator configuration file. If you want to customize Google Authenticator, select yes (Figure 8).

Once you have Google Authenticator configured and working, the next step is to configure SSH to use Google Authenticator for two-factor authentication. Open the SSH configuration file by typing the following command:
$ sudo nano /etc/ssh/sshd_config
Find the following lines and set them to yes
:
UsePAM yes ChallengeResponseAuthentication yes
After changing the configuration file (Figure 9), restart the SSH server by running following command:
$ sudo systemctl restart ssh

Now whenever you try to login to your SSH server, it will ask for secondary credentials, which will then be generated on your smartphone. You can get access to the server after providing these credentials.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
News
-
Mageia 9 Beta 2 is Ready for Testing
The latest beta of the popular Mageia distribution now includes the latest kernel and plenty of updated applications.
-
KDE Plasma 6 Looks to Bring Basic HDR Support
The KWin piece of KDE Plasma now has HDR support and color management geared for the 6.0 release.
-
Bodhi Linux 7.0 Beta Ready for Testing
The latest iteration of the Bohdi Linux distribution is now available for those who want to experience what's in store and for testing purposes.
-
Changes Coming to Ubuntu PPA Usage
The way you manage Personal Package Archives will be changing with the release of Ubuntu 23.10.
-
AlmaLinux 9.2 Now Available for Download
AlmaLinux has been released and provides a free alternative to upstream Red Hat Enterprise Linux.
-
An Immutable Version of Fedora Is Under Consideration
For anyone who's a fan of using immutable versions of Linux, the Fedora team is currently considering adding a new spin called Fedora Onyx.
-
New Release of Br OS Includes ChatGPT Integration
Br OS 23.04 is now available and is geared specifically toward web content creation.
-
Command-Line Only Peropesis 2.1 Available Now
The latest iteration of Peropesis has been released with plenty of updates and introduces new software development tools.
-
TUXEDO Computers Announces InfinityBook Pro 14
With the new generation of their popular InfinityBook Pro 14, TUXEDO upgrades its ultra-mobile, powerful business laptop with some impressive specs.
-
Linux Kernel 6.3 Release Includes Interesting Features
Although it's not a Long Term Release candidate, Linux 6.3 includes features that will benefit end users.