SSH Configuration

As soon as a computer or device is connected to the Internet, it becomes a target for bots and attackers probing for weaknesses and default settings. The Secure Shell (SSH) is used to access a Linux server remotely and its default port is 22. Since this is a well-known port and the first thing automated scanners try, moving sshd off port 22 is a common first step: it cuts the log noise and the brute-force attempts from bots that only look at port 22. Keep in mind that it does not stop a targeted attacker, who will find the new port with a port scan in seconds, so treat it as a complement to the later steps (in particular key-based authentication), not as a replacement for them.

We will change the default SSH port 22 to 11111. You may pick another port number, but choose one between 1024 and 65535. Ports 0 to 1023 are the well-known ports and binding to them requires root privileges (sshd runs as root, so it could, but other privileged services expect to find them free), so it is not a good idea to pick a port in that interval. Also stay out of the kernel's ephemeral range, which is handed out to outgoing connections (on Linux see /proc/sys/net/ipv4/ip_local_port_range; the default is 32768 to 60999), and make sure nothing is already listening on the port you pick (ss -ltn).

Before proceeding any further, make sure the target server will accept connections on the new port, since SSH may be your only way in: if the port you choose is blocked by a firewall, denied by SELinux or already used by another process, you will lock yourself out of your production server. Do the whole change from an open SSH session, keep that session open until you have logged in on the new port from a second terminal, and only then close it.

First, check that the firewall is running and which zone(s) are active, using the following commands:

$ sudo firewall-cmd --state
$ sudo firewall-cmd --get-active-zones

 

1. Firewall Configuration

To allow remote access on port 11111, use the following commands. They add the ssh service to the firewall (if it is not there already), open the new port in the zone, and add the new port to the definition of the ssh service itself, which is what lets us remove port 22 from that service later. The commands assume the active zone is public; substitute the zone reported by --get-active-zones if yours differs. The last two commands show the result so you can confirm 11111/tcp is open before going on.

$ sudo firewall-cmd --permanent --add-service=ssh
$ sudo firewall-cmd --zone=public --permanent --add-port=11111/tcp
$ sudo firewall-cmd --permanent --service="ssh" --add-port "11111/tcp"
$ sudo firewall-cmd --reload
 
$ sudo firewall-cmd --zone=public --list-services
$ sudo firewall-cmd --zone=public --list-ports

 

2. SELinux Configuration

Security-Enhanced Linux (SELinux) is a mandatory access control layer for Linux systems that confines what each service may do, independently of ordinary file permissions. It has three modes: enforcing, permissive (violations are logged but not blocked) and disabled. On RHEL-family systems the policy only lets sshd bind to ports labelled ssh_port_t, and by default that label covers port 22 only. If SELinux is enforcing and you restart sshd with Port 11111, the bind is denied, sshd fails to start, and you will find an AVC denial in the audit log (ausearch -m avc -ts recent). Check the current mode with one of the following commands:

$ sudo sestatus
$ sudo getenforce

Do not disable SELinux to get past this: that removes the confinement of every service on the host to solve a one-line labelling problem. Instead, tell the policy that 11111 is an SSH port by running "semanage port -a -t ssh_port_t -p tcp 11111" as root (if the port already carries another label, use "semanage port -m" instead of "-a"), and confirm with "semanage port -l | grep ssh_port_t". The semanage tool comes from the policycoreutils-python-utils package on RHEL 8 and later (policycoreutils-python on RHEL 7). The label survives reboots, so SELinux can stay enforcing.

For reference, "setenforce 0" does not disable SELinux; it switches it to permissive mode until the next reboot, which is only useful to confirm that a failure is SELinux-related. Setting SELINUX=disabled in /etc/selinux/config turns it off permanently for the whole host and is not needed for this change.

 

3. Editing SSH Configuration:

In order to change the SSH port, edit the SSHD (SSH server daemon) configuration file as follows:

$ sudo vi /etc/ssh/sshd_config

This configuration file is long and mostly comments. Find the line stating "#Port 22" and change it to "Port 11111" (do not forget to remove the hash sign). If there is no such line, add it near the top of the file: sshd uses the first value it reads for a keyword and ignores later ones, and a directive added at the bottom may land inside a Match block, where Port is not allowed. On newer systems the file starts with an Include line for /etc/ssh/sshd_config.d/*.conf; a drop-in file there that sets Port takes precedence over your edit, so check that directory too.

Before restarting, validate the file with "sshd -t" (it prints nothing on success and the offending line otherwise), then restart the sshd service for the change to take effect. Binding a port below 1024 would need root privileges, but sshd already runs as root, so the port number itself is not an obstacle; SELinux (previous section) and the firewall are. If the restart fails, check "journalctl -u sshd" before touching anything else.

$ sudo systemctl restart sshd

After changing the port, test the connection from a second terminal while the original session stays open:

$ ssh -p 11111 user@server_ip

After verifying that the new port is accessible, remove the default port 22 from the ssh service definition so the firewall rejects future connections on the old port, and check with --list-services and --list-ports that only 11111/tcp remains open. If other clients or automation still connect on port 22, update them first; the firewall change is what makes the old port unreachable, not the sshd_config edit.

$ sudo firewall-cmd --permanent --service="ssh" --remove-port "22/tcp"
$ sudo firewall-cmd --reload

 

4. Set up a session timeout (inactivity timeout) for SSH

If you are connected to a server over SSH, depending on the client you use, you have probably noticed that after some time without traffic the connection is dropped and you have to log in again. How long sshd tolerates a silent client is set by two options in the /etc/ssh/sshd_config file:

  • ClientAliveInterval
  • ClientAliveCountMax

The timeout value is calculated by multiplying ClientAliveInterval with ClientAliveCountMax.

TimeoutInterval = ClientAliveInterval * ClientAliveCountMax

The meaning of the two parameters is explained in the man page of sshd_config as:

ClientAliveCountMax: Sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only. 

ClientAliveInterval: Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.

Note what these options actually do. sshd sends a probe inside the encrypted channel and the ssh client answers it automatically, so a client that is merely idle (nobody typing) is not logged out; only a client that has stopped answering (lost network, suspended laptop, crashed client) is dropped, which also frees the server-side process and session state that would otherwise linger. A true idle logout for users who walk away is a shell policy, for example the TMOUT variable of bash, not an sshd setting. To change how long an unresponsive client is kept, edit the sshd_config file as follows:

$ sudo vi /etc/ssh/sshd_config

# probe every 5 minutes; drop the client after 2 unanswered probes
ClientAliveInterval 5m
ClientAliveCountMax 2

Put comments on their own line: older OpenSSH releases do not accept a trailing comment after a value and refuse to start with "garbage at end of line". The interval takes plain seconds (300) or a time suffix (5m).

Save and close the file, check it with "sshd -t", and restart the ssh service:

$ sudo systemctl restart sshd.service

With these values an unresponsive client is disconnected after 5 minutes times 2, that is 10 minutes, since ClientAliveCountMax multiplies ClientAliveInterval. The sshd defaults are ClientAliveInterval 0 (no probes at all) and ClientAliveCountMax 3, so a server that never set these options keeps half-open sessions until TCP itself gives up on them.
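The sshd_config edits of sections 2 to 4 as a script, added here as an example that is not part of the original page. The functions rewrite a directive the way sshd resolves it (the first value wins, and a global directive must precede any Match block), read back the effective value, and compute the keepalive timeout from the file with sshd's time suffixes handled. The demo at the end runs only against a constructed sample file in a temporary directory; apply_port_change is the variant for a real RHEL-family host with firewalld and SELinux and is not called by the demo. The sample file contents, the user "backup" in its Match block and the port 11111 are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Helpers for editing sshd_config
# safely; the demo at the bottom only touches a constructed temporary file.
set -eu

# set_sshd_option FILE KEYWORD VALUE
# sshd uses the FIRST value it reads for a keyword and ignores later ones,
# and a global directive must appear before the first Match block. So:
# rewrite the first global occurrence (commented "#Port 22" or not), drop
# later global copies, insert before a Match block if none was found, and
# append otherwise. Lines inside Match blocks are left alone.
set_sshd_option() {
  cp -p "$1" "$1.tmp"                        # keeps the file's owner and mode
  awk -v k="$2" -v v="$3" '
    {
      l = $0; sub(/^[ \t]*#?[ \t]*/, "", l)    # strip indent and comment sign
      split(l, f, /[ \t]+/); kw = tolower(f[1])
      if (kw == "match" && $0 !~ /^[ \t]*#/) { # a real Match block starts here
        if (!done) { print k " " v; done = 1 } # global value has to precede it
        inmatch = 1
      }
      if (!inmatch && kw == tolower(k)) {
        if (!done) { print k " " v; done = 1 }
        next                                   # drops duplicate copies
      }
      print
    }
    END { if (!done) print k " " v }
  ' "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}

# effective_sshd_option KEYWORD FILE
# Prints the value sshd will use: the first uncommented global occurrence.
effective_sshd_option() {
  awk -v k="$1" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(k) { print $2; exit }
  ' "$2"
}

# to_seconds TIME  -- sshd time format: plain seconds or 30s/5m/1h/2d/1w,
# combinable as in 1h30m. Prints seconds, returns 1 on garbage.
to_seconds() {
  s=$1; total=0
  while [ -n "$s" ]; do
    num=${s%%[!0-9]*}; rest=${s#"$num"}      # leading digits, then the rest
    unit=${rest%"${rest#?}"}; s=${rest#?}    # first char of the rest is the unit
    [ -n "$num" ] || { echo "bad time value: $1" >&2; return 1; }
    case $unit in
      ''|s|S) mult=1 ;;    m|M) mult=60 ;;     h|H) mult=3600 ;;
      d|D) mult=86400 ;;   w|W) mult=604800 ;;
      *) echo "bad time value: $1" >&2; return 1 ;;
    esac
    total=$((total + num * mult))
  done
  echo "$total"
}

# sshd_dead_client_timeout FILE
# ClientAliveInterval * ClientAliveCountMax with sshd's defaults (0 and 3);
# 0 means unresponsive clients are never dropped.
sshd_dead_client_timeout() {
  interval=$(effective_sshd_option ClientAliveInterval "$1")
  count=$(effective_sshd_option ClientAliveCountMax "$1")
  secs=$(to_seconds "${interval:-0}") || return 1
  echo $(( secs * ${count:-3} ))
}

# apply_port_change PORT  -- the real thing, run as root on a RHEL-family host.
# Not invoked by the demo below.
apply_port_change() {
  cfg=/etc/ssh/sshd_config
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  semanage port -a -t ssh_port_t -p tcp "$1" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$1"       # -m if already labelled
  firewall-cmd --permanent --add-port="$1"/tcp && firewall-cmd --reload
  cp -p "$cfg" "$cfg.bak.$(date +%s)"
  set_sshd_option "$cfg" Port "$1"
  sshd -t && systemctl restart sshd   # keep the current session open and test
}                                     # "ssh -p PORT user@host" from another one

# --- demo on a constructed sample; nothing on the system is modified ---
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample resembling a stock sshd_config
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
ListenAddress 0.0.0.0
#ClientAliveInterval 0
#ClientAliveCountMax 3
Match User backup
    ClientAliveCountMax 10
EOF
set_sshd_option "$SAMPLE_CFG" Port 11111
set_sshd_option "$SAMPLE_CFG" ClientAliveInterval 5m
set_sshd_option "$SAMPLE_CFG" ClientAliveCountMax 2
cat "$SAMPLE_CFG"
echo "effective Port: $(effective_sshd_option Port "$SAMPLE_CFG")"
echo "unresponsive client dropped after $(sshd_dead_client_timeout "$SAMPLE_CFG") s"
```

The Match-block line "ClientAliveCountMax 10" is deliberately left untouched: it is a conditional override for one user, and the global value that applies to everyone else is the one sshd reads before the Match line.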

 

5. Add Public Key Authentication (Recommended)

To increase the security of your server, set up public key authentication for your user. Logging in then requires the private key, which cannot be guessed or brute-forced the way a password can. Note that adding a key does not by itself turn passwords off; that is a separate sshd_config change described at the end of this section, and until you make it the key is only a convenience.

Generate a Key Pair

If you do not already have an SSH key pair (a private and a public key), generate one on your local machine, never on the server. Current OpenSSH releases create an Ed25519 key by default; on older ones ask for it explicitly:

$ ssh-keygen -t ed25519

Note: If you leave the passphrase blank, you will be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. Securing your keys with passphrases is more secure, but both methods have their uses and are more secure than basic password authentication.

This writes the private key (id_ed25519) and the public key (id_ed25519.pub) to the .ssh directory of your home directory (id_rsa and id_rsa.pub for an RSA key). The private key stays on your machine and must not be shared with anyone who should not have access to your servers.

Copy the Public Key

After generating the key pair, copy the public key to the server. The simplest way is ssh-copy-id, which performs all of the following steps for you (remember the new port): "ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 11111 demoUser@server_ip". To do it by hand, print the public key at the terminal of your local machine:

$ cat ~/.ssh/id_ed25519.pub

This prints one line starting with ssh-ed25519. Select the whole line and copy it to your clipboard. Never copy the private key file.

Add Public Key to New Remote User

To let the new remote user authenticate with the SSH key, you must add the public key to a special file in the user's home directory. On the remote server, as the root user, enter the following command to switch to the new user (substitute your own username):

$ su - demoUser

Now you are in the new user's home directory. Create a directory called .ssh and restrict its permissions with the following commands. The permissions matter: with StrictModes (the default) sshd ignores the key file if the home directory, .ssh or authorized_keys is writable by group or others, and the files must be owned by the user (if you create them as root instead, chown them afterwards).

$ mkdir .ssh
$ chmod 700 .ssh

Now create a file in .ssh called authorized_keys with a text editor and paste the public key you copied, one key per line:

$ vi .ssh/authorized_keys

Save and exit the file. Now restrict the permissions of the authorized_keys file with this command:

$ chmod 600 .ssh/authorized_keys

Now you can log in as the new user with the private key, for example "ssh -p 11111 -i ~/.ssh/id_ed25519 demoUser@server_ip". On an SELinux host, if the key is still refused, run "restorecon -Rv ~/.ssh" as the user to fix the file labels, and look at /var/log/secure for the reason. Once key login works from a second terminal, make the server actually require it: set PasswordAuthentication no in /etc/ssh/sshd_config (together with KbdInteractiveAuthentication no, called ChallengeResponseAuthentication on older releases, so PAM cannot still prompt for a password), validate with "sshd -t" and restart sshd. Until then a password is still accepted and the key adds convenience, not a requirement.
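The manual steps above (create .ssh, paste the key, fix the permissions) as a script, added here as an example that is not part of the original page. It rejects anything that is not an OpenSSH public key line, installs a key idempotently, and checks the permissions that sshd's StrictModes requires before it will honour the file. The demo runs against a throwaway directory standing in for the user's home; the key line and the comment demo@laptop are constructed for the example and are not a real key.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: install and verify an
# authorized_keys entry. The demo uses a temporary directory as the home.
set -eu

# is_pubkey_line LINE
# True only for "<type> <base64> [comment]" with a known OpenSSH key type.
# A pasted private key, an empty clipboard or an option-prefixed entry
# (from="...",command="..." ...) is rejected; add options deliberately.
is_pubkey_line() {
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key HOME LINE
# Creates HOME/.ssh (0700) and authorized_keys (0600) and appends LINE unless
# the same type+key is already there (the comment may differ). Returns 1 on
# a malformed line so a bad paste never ends up in the file.
install_authorized_key() {
  dir=$1/.ssh; ak=$dir/authorized_keys
  is_pubkey_line "$2" || { echo "refusing to install: not a public key line" >&2; return 1; }
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$ak" && chmod 600 "$ak"
  blob=$(printf '%s\n' "$2" | awk '{ print $1 " " $2 }')
  if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$ak"; then
    echo "key already present in $ak"; return 0
  fi
  printf '%s\n' "$2" >> "$ak"
  # on an SELinux host the new file needs its ssh_home_t label; harmless elsewhere
  if command -v restorecon >/dev/null 2>&1; then restorecon -R "$dir" || true; fi
}

# check_authorized_keys_perms HOME
# StrictModes makes sshd ignore authorized_keys when the home directory, .ssh
# or the file itself is writable by group or others. Lists every offender on
# stderr and returns 1 if there is one.
check_authorized_keys_perms() {
  bad=0
  for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
    mode=$(stat -c %a "$p")
    case $mode in                      # group digit is second to last, other is last
      *[2367]?|*[2367]) echo "$p is group- or world-writable (mode $mode)" >&2; bad=1 ;;
    esac
  done
  return $bad
}

# --- demo against a throwaway home; the key below is constructed, not real ---
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealKey0000 demo@laptop'
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"         # second run is a no-op
check_authorized_keys_perms "$DEMO_HOME" && echo "permissions OK"
ls -la "$DEMO_HOME/.ssh"
```

Run check_authorized_keys_perms against the real home of a user whose key is mysteriously refused before reading logs: a group-writable home directory, often inherited from a shared deployment, is the most common reason sshd silently falls back to password authentication.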