SSH was designed as a replacement for Telnet and for unsecured remote shell protocols. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. I concluded some ways to make SSH more secure as below.
1.Create a non-root user
adduser yourusername su yourusername
2.Create SSH keys
Create key pairs and set a password that will not be guessed easily.
mkdir ~/.ssh chmod 700 ~/.ssh cd ~/.ssh ssh-keygen -C email@example.com
Back up the key files
id_rsa.pub, and copy the public key for SSH authentication
cat id_rsa.pub > authorized_keys
Change the permission
chmod 600 ~/.ssh/authorized_keys
Change SSH port from 22 to 8022(change it as you like). Disable root login and enable key authentication.
Port 8022 PermitRootLogin no RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys PermitEmptyPasswords no PasswordAuthentication no ChallengeResponseAuthentication no
Restart SSH service and reconnect your server with key authentication(you need to import your private key to your SSH client).
service ssh restart
Set firewall rules and allow SSH only.
The port must be the same as the port of SSH you configured above or you will not be able to login.
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8022 -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables-save > /etc/iptables
Try to connect SSH with password, you will find out failed to authenticate. Now you can access SSH with private key only, so keep your private key safe and don't forget to back up it. If your private is revealed, you must regenerate SSH keys and change your authorized keys immediately.