Linux - Secure SSH with Fail2ban, Key Authentication, and Advanced Security Practices
Intro
Securing SSH is critical to protect your server from unauthorized access and cyber attacks. This guide expands on basic SSH security by introducing advanced practices, including key authentication, Fail2ban configuration, and additional hardening techniques to fortify your server.
Step 1: Disable Password Authentication and Root Login
Edit the SSH configuration file:
1
sudo nano /etc/ssh/sshd_config
Make the following changes:
1
2
3
4
5
6
7
8
9
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitUserEnvironment no
X11Forwarding no
AllowTcpForwarding no
LogLevel VERBOSE
MaxAuthTries 4
MaxSessions 4
- Disable Root Login: Prevent attackers from targeting the root user.
- Disable Password Authentication: Eliminates brute-force password attacks.
- Disable X11 Forwarding: Prevents graphical application exploitation.
- Limit Authentication Attempts: Reduces brute-force attack success rates.
- Set Verbose Logging: Enhances monitoring for suspicious activity.
Save and restart the SSH service:
1
sudo systemctl restart sshd
Step 2: Set Up SSH Key Authentication
Generate a Strong Key Pair
Use Ed25519 for better performance and security:
1
ssh-keygen -t ed25519 -C "[email protected]"
Alternatively, use RSA (4096 bits):
1
ssh-keygen -t rsa -b 4096 -C "[email protected]"
Copy the Public Key to the Server
1
ssh-copy-id user@your_server_ip
Or manually add the public key to ~/.ssh/authorized_keys on the server.
Secure Your Private Key
- Use a strong passphrase when generating keys.
- Store private keys securely (e.g., encrypted storage).
- Avoid embedding keys in scripts or applications.
Test the connection:
1
ssh user@your_server_ip
Step 3: Install and Configure Fail2ban
Install Fail2ban
1
sudo apt update && sudo apt install fail2ban -y
Configure Fail2ban Jail
Create or edit a custom jail configuration:
1
sudo nano /etc/fail2ban/jail.local
Add the following:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 3600
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
bantime = 86400 # Ban for one day after repeated offenses.
findtime = 86400 # Time window to track repeated offenses.
maxretry = 3 # Number of retries before banning.
Restart Fail2ban:
1
sudo systemctl restart fail2ban
Step 4: Advanced SSH Hardening Techniques
Change Default SSH Port
To reduce automated attacks, change the default port (e.g., to 2222):
1
sudo nano /etc/ssh/sshd_config
Add or modify:
1
Port 2222
Restart SSH:
1
sudo systemctl restart sshd
Note: Update firewall rules to allow the new port.
Restrict User Access
Limit SSH access to specific users or groups:
1
2
3
4
AllowUsers user1 user2@IP1 user3@IP2
AllowGroups sshusers
DenyUsers baduser
DenyGroups restrictedgroup
Enable Two-Factor Authentication (2FA)
Install Google Authenticator for an additional layer of security:
1
2
sudo apt install libpam-google-authenticator -y
google-authenticator
Edit PAM configuration:
1
sudo nano /etc/pam.d/sshd
Add:
1
auth required pam_google_authenticator.so nullok
Update /etc/ssh/sshd_config:
1
ChallengeResponseAuthentication yes
Restart SSH:
1
sudo systemctl restart sshd
Step 5: Monitor and Audit SSH Activity
Monitor Logs in Real-Time
Use tail to monitor authentication logs:
1
sudo tail -f /var/log/auth.log
Audit Existing Keys
Identify unused or shadow keys with tools like ssh-audit.
Step 6: Automate Key Management and Rotation
Use OpenSSH certificates for centralized key management.
Generate a CA Key:
1
ssh-keygen -t rsa -b 4096 -f /path/to/ca -C "CA for SSH"
Sign User Keys:
1
ssh-keygen -s /path/to/ca -I user_key_id -n username -V +52w user_key.pub
Configure Trusted CA:
Add this to /etc/ssh/sshd_config:
1
TrustedUserCAKeys /path/to/ca.pub
Restart SSH:
1
sudo systemctl restart sshd
Step 7: Verify Security Setup
Test Fail2ban
Simulate failed logins and verify bans:
1
sudo fail2ban-client status sshd
Check Firewall Rules
Ensure only necessary ports are open:
1
sudo ufw status verbose
Conclusion
By implementing these advanced techniques, you significantly enhance your server’s resilience against attacks. Regularly audit configurations, rotate keys, monitor logs, and stay updated with security patches. Remember, security is an ongoing process that requires vigilance.