Ways to make SSH more secure
SSH was designed as a replacement for Telnet and for unsecured remote shell protocols. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. I concluded some ways to make SSH more secure as below.
1.Create a non-root user
adduser yourusername
su yourusername
2.Create SSH keys
Create key pairs and set a password that will not be guessed easily.
mkdir ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
ssh-keygen -C yourmail@yourdomain.com
Back up the key files id_rsa
and id_rsa.pub
, and copy the public key for SSH authentication
cat id_rsa.pub > authorized_keys
Change the permission
chmod 600 ~/.ssh/authorized_keys
3.SSH configuration
Change SSH port from 22 to 8022(change it as you like). Disable root login and enable key authentication.
vi /etc/ssh/sshd_config
Port 8022
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
Restart SSH service and reconnect your server with key authentication(you need to import your private key to your SSH client).
service ssh restart
4.Firewall
Set firewall rules and allow SSH only.
The port must be the same as the port of SSH you configured above or you will not be able to login.
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8022 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
Save rules
iptables-save > /etc/iptables
Try to connect SSH with password, you will find out failed to authenticate. Now you can access SSH with private key only, so keep your private key safe and don't forget to back up it. If your private is revealed, you must regenerate SSH keys and change your authorized keys immediately.