How to Secure SSHD Configuration to Prevent Unauthorized Access

by ·0 Comments

Securing your server’s SSH daemon (SSHD) is crucial to protect against unauthorized access and potential security threats. In this article, we’ll explore the best practices for SSHD configuration, specifically focusing on methods to enhance security by leveraging public key authentication, disabling password authentication, preventing empty passwords, disallowing root login via SSH, and specifying the location for authorized keys. These settings ensure a robust defense mechanism for your server’s SSH access.

Enable Public Key Authentication

Public key authentication is a secure method of logging into an SSH server using cryptographic keys rather than passwords. To enable this feature, modify your SSHD configuration file to include the following line:

PubkeyAuthentication yes

This setting allows users to authenticate using SSH keys, which are more secure than traditional passwords due to their complexity and resistance to brute force attacks.

Disable Password Authentication

To further enhance the security of your SSH server, it’s advisable to disable password authentication. This means users can only connect using SSH keys, which significantly reduces the risk of password-related attacks. Add the following line to your SSHD config file:

PasswordAuthentication no

This change ensures that even if a password is compromised or guessed, the authentication will fail because password authentication is completely disabled.

Disallow Empty Passwords

Allowing empty passwords is a severe security risk that can lead to unauthorized access. To prevent users from setting empty passwords, ensure your SSHD configuration includes:

PermitEmptyPasswords no

This setting blocks the possibility of users having blank passwords, which are easy targets for attackers.

Disallow Root Login via SSH

One of the most critical settings for securing your SSH server is to disallow root logins. Logging in as the root user via SSH can be extremely risky, as it gives full control over the server. To disable root login, use:

PermitRootLogin no

This configuration prevents direct root logins, forcing users to authenticate as a regular user before switching to the root user, thus providing an additional layer of security.

Specify Authorized Keys Location

Specifying a custom location for storing authorized keys helps manage user keys more efficiently. By default, SSH looks for the authorized keys in the .ssh/authorized_keys directory of a user’s home directory. To confirm or change this setting, include the following line in your SSHD configuration:

AuthorizedKeysFile .ssh/authorized_keys

This setting helps ensure that SSH only allows connections from users with keys stored in the specified location, adding an extra layer of security by centralizing the management of authorized keys.

Conclusion

Implementing these SSHD configurations will significantly enhance the security of your SSH server by leveraging the robustness of public key authentication while eliminating weaker password-based logins. These best practices are essential steps in securing your server against unauthorized access and potential security breaches. By following these guidelines, administrators can ensure that their systems are protected by the most stringent security measures available for SSH communications.

Final config

Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp  /usr/libexec/openssh/sftp-server
PasswordAuthentication no

Loading

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.