How to Secure SSH on CentOS 8 and 7
SSH (also referred to as Secure Shell) is a protocol for remote login to a system securely. SSH provides several alternative options for strong authentication, and it protects the communications from both ends with strong encryptions. SSH is a secure alternative to non-protected protocols such as telnet or rlogin, and it also can provide file transfer services more securely than other common protocols.
In this article, we are not going to talk about obvious things such as “choosing strong passwords” etc. the more technical security hardening methods is the point of this tutorial.
1.Configure Idle Timeout interval
To avoid unattended SSH sessions you need to reduce the “ClientAliveInterval” value, open the configuration file with your favorite text editor, we are going to use “vi”:
vi /etc/ssh/sshd_configuncomment the line that refers to:
ClientAliveIntervalThen change its value to something around “360” which means that after 6 minutes the idle session will be logged out automatically.
2.Create a separate user for SSH logins
For adding a new layer of security to our SSH service we need to create a separate user for SSH logins and then we can Disable direct root login. for that execute the following command to create a user:
adduser usernamechoose a strong password:
passwd username3.Disable Root logins
One of the most dangerous things that can compromise your device is to allow direct logging into your “root” user through SSH. by doing this you make any attacker able to attempt brute force on your root password and hypothetically gain full access to your system and as you might know, a root user can do a lot more damage than a regular user.
what you need to do to avoid this is to open the SSH configuration file with a text editor:
vi /etc/ssh/sshd_configand change the “PermitRootLogin” value to “no”.
4.Disable Empty Passwords
You need to prevent remote logins to your server through users with empty passwords so open the configuration file:
vi /etc/ssh/sshd_configUncomment the “PermitEmptyPasswords” and change its value to “no”
5.Force SSH Protocol 2
SSH has two protocols, Protocol 1 is older and less secure, so you can disable it to force your SSH service to work with protocol 2:
vi /etc/ssh/sshd_configFind the following line:
#Protocol 2, 1Change it like below:
Protocol 26.Change SSH Port
One of the main benefits of changing the SSH port is avoiding to discover by casual scans, most attackers attempt looking for open SSH ports on standard port 22, You can use another open port as long as it’s not being used by another program or service, we recommend something like “11122” or “2025” but you can use anything you want:
vi /etc/ssh/sshd_configFind the “Port” section and change its value to your preferred number like below:
Port 20257.Use Public/Private Keys for authentication
Using Key authentication is certainly much more secure than using password authentication, The Private key is stored on the computer that you want to login from, and the Public key is stored on the “.ssh/authorized_keys” file on the computer that you want to login to.
Using key authentication is very useful as you don’t need to enter a password anymore, once you configure the key authentication you can completely disable password logins.
Do the following steps on the system you want to login from
start by generating your Public and Private key with the following command:
ssh-keygen -t rsaExecuting the above command will prompt you to enter a password which will be used to unlock a given public key each time you connect, it’s your choice if you don’t want to be prompted for a password each time you log in you can simply hit enter.
This will create two files in your “~/.ssh” directory called “id_rsa” and “id_rsa.pub”
as you might guess the “id_rsa” file is your private key and the other one is your public key.
Now you need to copy the contents of your “id_rsa.pub” to your servers “authorized_keys” file:
vi ~/.ssh/id_rsa.pubPaste the contents in:
vi ~/.ssh/authorized_keysNow open the SSH configuration file:
vi /etc/ssh/sshd_configuncomment the following lines and change the values like below if needed:
PasswordAuthentication noPubkeyAuthentication yesSave and exit, and then restart the SSH service to take effect:
systemctl restart sshdHere you go that was our top 7 points to have more secure SSH sessions on your machines, you can comment your questions for us and we will get back to you as soon as possible.