11 responses to “How to Secure SSH Login on Your Linux Server”

  1. Magento Developers

    it works! great tip, thanks for sharing!

  2. mac geek

    hey this is great! one other thing i like to do is to move the sshd service from port 22 to something non standard. this helps to keep the automated bot hacks to a minimum or nil, and provides one more line of defense. : )

    adjust the port at the top of the same sshd_config file, then restart the service.

  3. Simon

    The ssh restart line is incorrect. It is the daemon that needs restarting, so…
    /etc/init.d/sshd restart

  4. hrs

    I would like to recommend to use Two Factor SSH with Google Authenticator (http://digitaljournal.sg/wp/?p=146)
    to tighten up the sshd security

  5. dave

    Thanks for great tutorial.
    To restart sshd, ‘service sshd restart’ works, but I am sitting on a RH distro; I don't know about Ubuntu.

  6. driver

    Amazing tip!! Thanks a lot for sharing the step-by-step tutorial 🙂
    (had to use service sshd restart instead)

  7. Jan

    thanks for the tutorial – just two questions:
    1) Is it possible to use both at the same time – password and authentication using public key?
    does it suffice to keep this one to yes?
    PasswordAuthentication yes

    2) How to disable a previously added public key? Is all I need to do just this:
    # user: davidrussell
    #ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEApwFQWa9G0FX7M+uSi8ipny0+C14lPFZtdFLj2rT5FNbUcat6BNswFt4Ys97celZ1HiuMGjyAIPDO1B290SSXGOWV/hwhNlMG080yjXbj0BC/5qNim9eDXJHqq0knFbIsHvcOZ9SepVp9q6SuqXuSQ6AXmMed3ZRm2ig7DiqDHVM=

    # – basically simply commenting out one of the keys and doing restart of the ssh server? Or is there any other action required? Thanks!

  8. graham

  9. Shane

    In the testing of your new credentials section, you don’t need to log out and log in.

    I start a new Putty session and go that way. That means if I have made a mistake I am still logged in via the original putty shell and can hopefully correct it.

    One other tip to add to your awesome step-by-step:
    change iptables to stop brute force attacking:
    after three missed attempts in a minute it locks it out for a minute. The trusted address is white-listed from this check. Change port 22 to the new port you have used.

    # Chain for the trusted address: clear its entry from the "recent" list and accept.
    iptables -N SSH_WHITELIST
    # <trusted-address> is a placeholder for the white-listed source mentioned above.
    iptables -A SSH_WHITELIST -s <trusted-address> -m recent --remove --name SSH -j ACCEPT

    # Record every new connection to port 22 in the "SSH" recent list.
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set \
        --name SSH
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    # 4th new connection from the same source within 60 seconds: log it, then drop it.
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
        --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
        --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

    Alternatively, fail2ban is meant to do the above, but be excellent.
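The same three-strikes window as a log-based check, added here as an example that is not part of the original post or its comments: it applies the rule's 60-second, hitcount-4 semantics and the trusted-address whitelist to constructed sshd log lines (documentation-range addresses), the way a fail2ban-style filter would.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log sample: addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  3 10:00:12 host sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar  3 10:00:25 host sshd[2103]: Failed password for root from 198.51.100.7 port 40141 ssh2
Mar  3 10:00:40 host sshd[2104]: Failed password for root from 198.51.100.7 port 40150 ssh2
Mar  3 10:00:45 host sshd[2105]: Accepted publickey for davidrussell from 203.0.113.5 port 51000 ssh2
Mar  3 10:01:02 host sshd[2106]: Failed password for bob from 203.0.113.5 port 51010 ssh2
Mar  3 10:01:03 host sshd[2107]: Failed password for bob from 203.0.113.5 port 51011 ssh2
Mar  3 10:01:04 host sshd[2108]: Failed password for bob from 203.0.113.5 port 51012 ssh2
Mar  3 10:01:05 host sshd[2109]: Failed password for bob from 203.0.113.5 port 51013 ssh2
Mar  3 10:03:00 host sshd[2110]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar  3 10:03:10 host sshd[2111]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 10:03:20 host sshd[2112]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  3 10:05:00 host sshd[2113]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def find_brute_forcers(log_text, whitelist=(), window=60, hitcount=4, year=2024):
    """Return {ip: timestamp} for sources whose hitcount-th failure lands inside
    `window` seconds (the iptables rule's --seconds/--hitcount), skipping the whitelist."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in whitelist:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        # Expire entries older than the window, as --update --seconds 60 does.
        while ts - hits[0] > timedelta(seconds=window):
            hits.popleft()
        if len(hits) >= hitcount and m["ip"] not in flagged:
            flagged[m["ip"]] = ts.strftime("%b %d %H:%M:%S")
    return flagged

if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG, whitelist={"203.0.113.5"}).items():
        print(f"{ip} hit the limit at {when}")
```

The 192.0.2.9 entries show the expiry case: three failures and a fourth two minutes later never reach four inside one window.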