- Don't use the default port 22
- Ban brute force attackers
- Use 2FA verification codes
- Use ssh keys instead of password to log in via ssh
- Set basic firewall rules
Replace the standard ssh port Port 22 with some other in /etc/ssh/sshd_config, say 22222. restart ssh sudo service sshd restart.
Now ban for 10 minutes if someone makes multiple (10) attemps to log in:
sudo apt install fail2ban
cd /etc/fail2ban
sudo cp fail2ban.conf fail2ban.local
sudo nano fail2ban.localAnd add the following
[sshd]
enabled = true
port = 22222
filter = sshd
logpath = /var/log/auth.log
maxretry = 10
bantime = 600And restart fail2ban sudo service fail2ban restart
Now configure 2FA. Install sudo apt install libpam-google-authenticator, Run google-authenticator and scan the qr in your mobile phone app. Edit sudo nano /etc/pam.d/sshd and comment out @include common-auth. At the bottom of the file add auth required pam_google_authenticator.so.
We won't use our password to login via ssh. Instead we will import our public ssh keys from github or gitlab to log in via ssh. In my case I am importing my public keys from github.
ssh-import-id gh:thebeachlab
Now edit sudo nano /etc/ssh/sshd_config and add/modify:
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
PasswordAuthentication no
PermitRootLogin noRestart the service sudo service sshd restart
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22222/tcp comment 'SSH'
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
sudo ufw reloadOptionally drop pings sudo nano /etc/ufw/before.rules and add
-A ufw-before-input -p icmp --icmp-type echo-request -j DROPAnd again sudo ufw reload