In this video, you will learn how to secure SSH (Secure Shell) access on an Ubuntu server, a critical task for protecting your server from unauthorized access.
IT expert Grant Knoetze will walk you through the important steps, such as disabling root login, changing the default SSH port, setting up SSH key authentication, and using tools like Fail2Ban to protect against brute-force attacks. You will also learn how to configure your firewall (UFW) to limit access to trusted IP addresses.
By the end of the tutorial, you will have a secure SSH setup, ensuring your server remains safe from potential threats.
The following transcript has been edited for length and clarity.
Subscribe to ITPro Today’s YouTube channel for Linux tutorials and more.
Transcript:
Grant Knoetze: Hello, and welcome to this lesson on securing Secure Shell, or SSH, access for your Ubuntu Server.
SSH is a powerful tool that allows you to manage remote servers securely. However, if misconfigured, it can be vulnerable to attacks. Today, I will walk you through the essential steps to securing SSH access on your Ubuntu server and protecting your server from unauthorized access.
Step 1: Update Ubuntu Server
Before we begin, always ensure your Ubuntu server is up to date. This step will ensure that you have the latest security patches.
How can we update and upgrade the server? So, apt is the package manager in Debian-based distributions. I can type in:
sudo apt update && sudo apt upgrade -yI hit Enter, and it is going to work.
Step 2: Back up SSH Configuration
Now that we have successfully updated and upgraded our Ubuntu server, we will make sure we back up our SSH configuration file before we make any changes:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bakThis way, you can quickly restore the SSH configuration file if something goes wrong.
Step 3: Disable Root Login
One thing you should always do is disable root login over SSH. This step prevents attackers from trying to brute-force their way into your Ubuntu server using the root account.
Open the SSH configuration file using the following command:
sudo nano /etc/ssh/sshd_configI like to use the Nano editor. You can use any text or code editor that you prefer.
Hit Enter, and we can see that we opened our SSH configuration file. We must find the line that says “PermitRootLogin” and set it to “no.” We can see that a lot has been commented out (using #). If something is commented out, the program will ignore it when it runs. If it is uncommented, it’s going to be looked at.
For PermitRouteLogin, we can just put the “no” flag:
PermitRootLogin noI hit Ctrl+O to save and then Ctr+X to exit Nano.
Step 4: Change the Default SSH Port
Moving forward, what we can do now after having done that is change the default SSH port. By default, SSH uses Port 22, which is widely known and often targeted by attackers. A simple but effective measure is to change the SSH port to something nonstandard.
To do this, we can use the same command. I am using Nano to open my SSH configuration file. Then what I can do is where it says, “Port 22,” we can change this to something else nonstandard. So, I will change it to “Port 2200.” I am going to save and exit.
Step 5: Restart the SSH Service
After initiating these changes, we must restart the SSH service. You can use systemctl or service. Both are suitable for this. I am going to use systemctl and type in:
sudo systemctl restart sshI can see that it restarted. I can get the status on SSH by typing:
sudo systemctl statusWe can see that the status is active.
Step 6: Update Firewall Rules
Remember to allow the new ports in your firewall. I will allow port 2200 and disable port 22. You can easily use the uncomplicated firewall (UFW). We went through the uncomplicated firewall in our previous video. From the command line, you type in:
sudo ufw allow 2200/tcpThere is an existing rule, so it skipped adding it. If it needed to add the rule, it would have added it.
We can go ahead and delete any TCP traffic over port 22:
sudo ufw allow 22/tcpI hit Enter. I can see that there is a nonexistent rule because I have already deleted it. I have already disallowed TCP traffic over port 22. If you have not, it will do it for you.
Let's enable the firewall and limit access. Speaking of firewalls, let's ensure the firewall is enabled and properly configured. If UFW is not installed, you can install it with:
sudo apt install ufwYou can then enable UFW with the following command:
sudo ufw enableIt will tell us that the firewall is active and enabled on system startup.
Step 7: Limit SSH Access to Specific IPs
Limit SSH access to specific IP addresses, especially if you have a fixed IP. This way, only known or trusted IPs can connect via SSH. So, we do this with UFW, the uncomplicated firewall. I type in the following command and give my IP address:
sudo ufw allow from 192.168.41.1.1 to any port 2200I hit Enter, and it tells me the rule has been added.
Step 8: Enable SSH Key Authentication
Let's talk a little bit more about SSH key authentication. It is a good idea to enhance security by using SSH key authentication instead of a password. Doing so makes it nearly impossible for an attacker to brute-force your Ubuntu server. I type in:
sudo ssh-keygen -t rsa -b 4096I hit Enter. It generates a public/private RSA key pair. For purposes of this demonstration, I am going to save it in /home. There is a folder called /ssh_key_pairs. Our key pair has been saved. You can now set it up on your server. You can copy this anywhere that you like using the copy command.
Step 9: Disable Password Authentication
After setting up SSH key authentication, you can test it by trying to log into your Ubuntu server. If successful, you can disable password authentication altogether for better security.
To disable password authentication, we can open our configuration file in Nano, as before. We can search for “#PasswordAuthentication.” We can uncomment it. Then we can add the no field to it at the end:
PasswordAuthentication noI press Ctrl+O to write and Ctrl+X to exit. Now password authentication has been disabled.
Once again, we need to restart the SSH service. We use systemctl as we did before:
sudo systemctl restart sshThose changes have now taken effect.
Step 10: Install Fail2Ban
Finally, let's install Fail2Ban. Fail2Ban is a tool that automatically bans IP addresses after multiple failed login attempts and helps to defend against brute-force attacks.
It is very simple. From the command line, you type in:
sudo apt install fail2banI have it already installed, so it is just going to upgrade it if it needs to. It didn't need to upgrade it, but it will install it if you don't have it.
Once installed, it works out of the box to protect SSH. You can adjust its settings by editing the configuration file. The configuration file is found in /etc.
Let's change the directory to /etc, enter ls, and change the directory (cd) to /fail2ban. Inside /fail2ban, we can ls and see that jail.conf is there. We can use sudo nano to open jail.conf if we want to edit the settings for Fail2Ban.
Conclusion
That's it. By following these steps, you significantly improved the security of your SSH access. Always monitor your Ubuntu server for unusual activity and stay updated with the latest security patches.
Thanks for watching. If you found this helpful, “like” and subscribe for more tutorials. Goodbye for now.
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.