Request a quote
Get a demo

How to secure SSH Server

/ Blog /

How to secure SSH Server – best practices and features

Most commonly known as SSH, Secure Shell enables users or administrators to gain secure access to networks. Allowing admins to modify or control their servers remotely. SSH has several capabilities; it can be used to secure file transfers, establish secure remote connections to devices, users, or networks, and even automate secure connections with many more capabilities.

Some core features of SSH include:

– SSH layers: Comprise of the transport layer, user authentication layer, and the connectin layer. The transport layer handles encryption and decryption of the data that is being exchanged. It also authenticates the server establishing confidentiality. The authentication layer authenticates the client’s identity, and the connection layer manages channels where the data is exchanged.
– SSH Encryption: encrypts all traffic between the client and the server.
– Supports Tunneling and port forwarding: SSH supports local, remote, and dynamic port forwarding.
– X11: SSH enables X11 forwarding, enabling a GUI upon connection.
– SSHD: SSH supports SSH Daemon, which listens for connection and authentication requests and triggers connections.

Despite the additional features and capabilities of SSH, the security still revolves around the configuration of both the server and client-side. As with any weak or poor configuration, it can leave bypassable areas or vulnerabilities that attackers can exploit.

 

Here are three practices to help secure your SSH Server:

1. Change Default Settings – If you are using SSH on day-to-day business operations, you should always change your default settings. Upon creating your SSH server, the default port is 22. Changing the default port creates a challenge for any attacker trying to find the open ssh server port or scanning for known ports looking for any feedback. Additionally, changing your port can also limit brute force attacks. Another default element you would want to change is the root login. This is when you connect to a server via SSH as a root user by default. As most root or superadmins contain full access and control to the system and its resources, if an attacker could exploit your login, they would have total control. A good practice is to disable root login within your SSH config file: “PermitRootLogin” is set to “no.” Once root login is disabled, you can control user access with individual logins, resulting in a more straightforward audit process for tracking users. Another default option worth changing is password-based authentication. Stolen passwords are a significant cause of security breaches. Hence, it is in anyone’s favor to switch from password-based authentication to certificate-based authentication. Read more about certificate-based authentication.

2. Apply Bastion Host – A bastion host provides access to private networks, usually from external ones, designed to withstand and withhold attacks from external networks. It is often put in front of the firewall or the DMZ, equipped with high bandwidth for attacks. Some examples of a bastion host are proxy servers, honeypots, FTP servers, DNS servers, etc. Setting up a bastion host for your SSH connection is a good practice that bolsters your security and helps to protect your server and client channels.

3. Certificate AuthenticationSSH certificates are a great security practice for authentication. They allow for public-key authentication and require certificate validity from each side by a trusted certificate authority. Because of that, they offer more security, and with additional settings such as a short life cycle and additional user information provide more secure authentication compared to passwords or other forms of authentication.

Though each organization differs in its infrastructure, tasks, and compliance requirements, not all practices may be applied. However, we encourage all organizations to follow best security practices and mitigate any poor configuration when securing their infrastructure. At Fudo Security, we encourage best security practices and promote the use of other authentication methods such as Two-factor OATH authentication via Google authenticator, Duo Security, or SSH public key authentication to scale to your infrastructure requirements.

Author: Damian Borkowski– Technical Marketing Specialist

Fudo Security

USA HQ

Fudo Security Inc.
3900 Newpark Mall Rd.
Newark, CA 94560

Phone: +1 (408) 320 0980

Sales contact:
sales@fudosecurity.com

Other questions:
info@fudosecurity.com

Fudo Security Support/Help Center

Fudo Security International HQ

Fudo Security Sp. z o.o.
Al. Jerozolimskie 178
02-486 Warsaw, Poland

Phone: (+48) 22 100 67 00

Products

Fudo Enterprise

Fudo One

Comparison

Pricing

Solution

Secure Remote Access
Modern Privileged Access Management

Company

About us

Careers
Contact

 
Resources

Press releases
Blogs 
Materials
Documentation

Privacy Policy

Fudo Enterprise License Agreement US (EULA)

JOIN OUR COMMUNITY ON DISCORD

All Rights Reserved © Fudo Security

Discord Instagram Linkedin-in Twitter Facebook-f

Sign up to newsletter!