A Practical Guide to Securing SSH on Ubuntu 24.04
The Secure Shell (SSH) protocol is the primary gateway to managing your Ubuntu 24.04 server. It’s powerful, convenient, and the main target for unauthorized access attempts. Leaving your SSH server with its default settings is like leaving the front door of your house unlocked. This guide provides a step-by-step process to harden your SSH configuration, significantly improving your server’s security posture.
We will focus on three core principles of SSH hardening: removing direct root access, enforcing modern key-based authentication, and restricting access to trusted locations.
Step 1: Create a Sudo User and Disable Root Login
Logging in directly as the root user is a major security risk. The root username is a known quantity for attackers, making it the primary target for brute-force attacks. The best practice is to perform administrative tasks through a standard user account with sudo privileges.
First, create a new user. Replace your_user with your desired username:
adduser your_user
You will be prompted to create a password and fill in some optional user information. Once created, grant this new user administrative privileges by adding them to the sudo group:
usermod -aG sudo your_user
Now, it’s crucial to test this new user’s permissions before moving on. Open a new terminal window and log in as the new user. Try running a command with sudo, such as sudo whoami. If it returns root after you enter your password, the user is configured correctly.
Step 2: Implement SSH Key-Based Authentication
Passwords, even complex ones, can be cracked. SSH keys provide a far more secure authentication method. They consist of a public and private key pair. The public key is placed on the server, while the private key remains securely on your local machine. The server uses this pair to verify your identity without ever needing a password.
Generate Your SSH Key Pair
If you don’t already have an SSH key, generate one on your local computer (not the server). The ED25519 algorithm is modern, fast, and highly secure.
ssh-keygen -t ed25519 -C "[email protected]"
Press Enter to accept the default file location and, for maximum security, enter a strong passphrase when prompted. This passphrase encrypts your private key, acting as a final layer of protection if your local machine is ever compromised.
Copy Your Public Key to the Server
The easiest way to install your public key on the Ubuntu server is with the ssh-copy-id command. Replace your_user and your_server_ip accordingly:
ssh-copy-id your_user@your_server_ip
You will be prompted for your user’s password one last time. After this, you should be able to log in to your server using your SSH key without a password prompt (though you may be asked for your key’s passphrase if you set one).
Step 3: Harden the SSH Daemon Configuration
With a sudo user and SSH keys in place, it’s time to lock down the SSH service itself. These changes are made in the main SSH configuration file, /etc/ssh/sshd_config.
Open the file with a text editor like nano:
sudo nano /etc/ssh/sshd_config
Make the following critical changes:
Disable Direct Root Login: This is one of the most important security steps. Find the line
#PermitRootLogin prohibit-passwordand change it to:
PermitRootLogin noDisable Password Authentication: This change forces all users to authenticate using SSH keys, rendering brute-force password attacks useless. Find the line
#PasswordAuthentication yesand change it to:
PasswordAuthentication no(Optional but Recommended) Change the Default Port: Automated bots constantly scan the default SSH port (22). Changing it to a non-standard port (e.g., between 1025 and 65535) can dramatically reduce the number of malicious login attempts. Find the line
#Port 22and change it to something like:
Port 2222
After making these changes, save the file and exit the editor.
Apply and Test Your New Configuration
Before you apply the changes, it’s a good idea to test the configuration for syntax errors:
sudo sshd -t
If no errors are reported, you can safely restart the SSH service to apply the new settings:
sudo systemctl restart sshd
CRITICAL: Do not close your current terminal session yet. Open a new terminal and try to log in. This ensures that if you made a mistake, you still have an active session to fix it. If you changed the port, remember to specify it in your login command: ssh -p 2222 your_user@your_server_ip.
Step 4: Restrict Access with a Firewall
Even with a hardened configuration, you can go a step further by restricting which IP addresses are allowed to connect to your SSH port. This is best handled with a firewall like UFW (Uncomplicated Firewall), which is standard on Ubuntu.
If you changed the SSH port, you must first allow traffic on the new port. For example, if you chose port 2222:
sudo ufw allow 2222/tcp
Next, you can create a rule that only allows your specific home or office IP address to connect.
sudo ufw allow from YOUR_STATIC_IP to any port 2222
Replace YOUR_STATIC_IP with your actual IP address. This rule explicitly allows your IP while the default UFW policy (deny incoming) will block all others. If you have already set a broad “allow SSH” rule, you may need to delete it first.
Conclusion
By following these steps, you have fundamentally improved the security of your Ubuntu 24.04 server. You have created a dedicated administrative user, eliminated password-based attacks by enforcing SSH key authentication, and hidden your server from automated scanners by changing the default port and implementing firewall rules. These measures transform your server’s primary entry point from a common target into a hardened, secure gateway. Regular security maintenance is an ongoing process, but these foundational steps are essential for any production server.
Source: https://infotechys.com/harden-ssh-ubuntu-24-04/
