SSH is nothing else than a software, it has options and configuration files.
The default options are simple, but may not be the most secure options, let's see what we can improve.
As you saw, when we connect to the server, the default user is root.
It has multiple problems:
rootis a super-user user with access to all the files- we never want to use it as it is easy to mess things up
- if someone malicious has a access to the user, he could do litteraly anything to the server
The first step towards adding more layers of security is to create a custom user.
adduser <new-user>🃏 Hints
- a not-so-common username is recommended so it significantly harden the chance for an attacker to find it
Your new user is created, but we sometimes still need to run commands with sudo. For that, we need to add this new user to the sudo group.
usermod -aG sudo <new-user>Let's connect to the newly created user:
su - <new-user>Test that you are part of sudo:
sudo whoami
# or sudo apt updateAlternatively, you could log out (ctrl-D), and use:
ssh <new-user>@<host>Don't forget to add your SSH key to this user (cf SSH Connection).
ssh-copy-id -i <path-of-the-ssh-key> <new-user>@<host>Remember we used to connect via SSH to the server with the root user? Let's imagine someone manages to get the password for this user, this someone could do anything to your server: install new packages, remove or steal files, etc.
We want to confine users to the minimum amount of rights possible for better security in case of something going wrong.
SSH gives us options to secure our servers and prevent this kind of nasty things to happen. To open the configuration file of SSH, you can use the following command
sudo nano /etc/ssh/sshd_configℹ️ information
sudois a command to execute a program with super-user rights. It is required to edit, execute, and sometimes just access some files in some directories of your server.nanois a minimalistic text editor
- in the file, set
PermitRootLogintono, save and exit (ctrl+x). - restart the ssh daemon:
systemctl restart sshIf you log out (ctrl+d), you should not able tossh root@<host>anymore.
⚠️ warning
- it can be extremely easy to lock yourself out of your server with SSH configuration, be careful (e.g, if you disable root login without setting up another user)
As saw earlier, password authentication, is rather a bad idea for critical services. We should also disable logins with passwords.
In the same file, you can set PasswordAuthentication to no.
# Allow SSH key connection (default is yes)
PubkeyAuthentication yes
# disable password for "root", but allow SSH keys (not adviced)
PermitRootLogin prohibit-password
# Disable login for users with empty passwords
PermitEmptyPasswords no
# Force permissions checks on keyfiles and directories
StrictModes yes
📖 Resources
Sometimes, it can be convenient for beginners to use a GUI rather than a terminal to access files on a server.
You can use Filezilla to connect to any server supporting SSH to navigate server files and directories.
It can be useful to ban IPs failing to connect to your server after several wrong attempts (bots try a lot to connect to root or admin with common/unsecure passwords).
fail2ban does exactly this.
We now have a secure way to connect to a server, but a couple of things may still be insecure, let's see how we can configure a firewall on a server with Uncomplicated Firewall: UFW.