In this article, we’ll explain why securing SSH access is important for managing a Linux server and share simple steps to improve your SSH security.
1. Use a Non-Default SSH Port
By default, SSH uses port 22. Because this port is frequently targeted by automated attacks, altering the default SSH port can help lessen the possibility that attackers will locate your server.
Advantages:
- Reduces attack chances: Hackers often target the default SSH port (port 22). Changing it to a different port makes it harder for automated attacks to find your server.
- Additional layer of security: While not foolproof, changing the port adds a simple but effective extra step in making it harder for attackers to locate your server.
To change the SSH port on your server, follow the instructions in this guide: https://wiki.crowncloud.net/?changing_ssh_port
2. Use SSH Key-Based Authentication and Disable Password-Based Authentication
Passwords can easily guessed or cracked via brute force assaults. SSH key-based authentication is significantly more secure since it needs the possession of a private key, which is nearly hard to brute-force.
Advantages:
- Stronger security: SSH keys are much harder to guess than passwords, making them more secure. The key is like a secret code, and only someone with the correct private key can log in.
- No risk of weak or stolen passwords: Using SSH keys eliminates the danger of someone guessing a weak password or using a stolen one.
- Easy management: You can easily control who gets access by adding or removing keys, giving you better control over who can connect.
To get started with SSH key authentication, follow the instructions in this guide: https://wiki.crowncloud.net/?How_to_Generate_and_Use_SSH_Keys_on_Linux
To Disable Password-Based Authentication, follow the instructions in this guide: https://wiki.crowncloud.net/?How_to_Disable_Password_Based_Authentication
3. Restrict SSH Access to static IP address
Restricting SSH access to a static IP address means only allowing SSH connections to your server from a designated IP address, improving security by preventing unauthorized access from other IPs.
Advantages:
- Improved Security: Prevents unauthorized access and attacks (e.g., brute-force or DDoS) by blocking suspicious or malicious IPs.
- Reduced Server Load: Stops unwanted traffic, such as bots or scrapers, from consuming resources, improving server performance.
- Access Control: Enforces security policies by restricting IPs from specific regions or sources, ensuring only trusted users can connect.
To Restrict SSH Access to static IP address follow the instructions in this guide: https://wiki.crowncloud.net/?How_to_Restrict_SSH_Login_to_a_Specific_IP_or_Host
4. Enable Port Knocking
Port Knocking is a technique that restricts access to a server to a specified sequence of “knocks” (connections to specific ports in a predetermined order). This can provide an additional level of security, especially if you want to keep the SSH port locked to the public.
Advantages:
- Hides SSH access: Port Knocking works like a secret knock on a door. The SSH port stays hidden and only opens when a specific sequence of “knocks” (port attempts) is made, keeping your server hidden from attackers.
- Harder to bypass: Hackers must know the exact order of ports to try, which makes it very difficult for them to get access.
- No open ports: The SSH port stays closed to the public unless the correct knock sequence is used, meaning no one can even see that the port is there.
To Secure SSH Service with Port Knocking on Ubuntu/Debian and CentOS, follow the instructions in this guide: https://wiki.crowncloud.net/?How_to_Secure_SSH_Service_with_Port_Knocking5.
5. Install and Configure Fail2Ban
Fail2Ban monitors log files for repeated failed login attempts and automatically blocks the offending IP address for a predetermined duration. It is very good at preventing brute-force assaults against SSH.
Advantages:
- Automatic protection from brute-force attacks: Fail2Ban watches for repeated failed login attempts and automatically blocks the attackers’ IP addresses, stopping them from trying to guess your password.
- Customizable: You can set it to block attackers after a certain number of failed login attempts and decide how long they should be blocked.
- Reduces server load: By stopping attackers early, Fail2Ban helps prevent your server from being overwhelmed with fake login attempts, keeping it running smoothly.
You can find installation instructions in the CrownCloud Wiki Guides, and they are as follows:
6. Creating Sudo Users and Disabling Root Access
One of the most important steps in securing your Linux server is controlling who has access to the root account. The root user can do anything on the system, which makes it a prime target for hackers. Instead of using root directly, you should create regular users and give them sudo (administrator) access only when needed. This approach helps make your server much safer.
Advantages:
- Limits damage if hacked: The root user has full control over the entire server, so it’s a big target for hackers. Disabling direct root access and using sudo for important tasks helps prevent serious damage if your server is attacked.
- Better control over who can do what: You can give each user only the permissions they need, keeping the system more secure and preventing accidental or malicious changes.
- Keeps track of actions: Using sudo means every action is logged, so you can easily see who did what on the server, which is useful for security audits and fixing problems.
To Create a Sudo User and Disable Root Access, follow the instructions in this guide: https://wiki.crowncloud.net/?How_to_Create_Sudo_User_and_Disable_Root_Access
Purchase a KVM VPS – Choose a KVM VPS plan from us that suits your requirements.
KVM SSD Plans – https://crowncloud.net/ssd_kvm.php
NVMe SSD KVM VPS Plans – https://crowncloud.net/nvme_kvm.php
AMD Ryzen SSD KVM VPS – https://crowncloud.net/ssd_amd_ryzen_kvm.php
Intel i9 12900K SSD KVM VPS Plans – https://crowncloud.net/ssd_intel_i9_kvm.php