OpenSSH is a networking utility that provides secure connectivity to a remote host via the SSH protocol. It’s made up of a number of utilities that you’re probably already familiar with, including scp. Debian 11 can include the default setup of OpenSSH on a new installation, so it’s important to understand how to secure the SSH service from unintended consequences.
SSH is an easy target for attackers as it’s a common entry point for legitimate remote access by system administrators and users, alike. Here are a few simple steps to enhance the default security settings for the OpenSSH server on your Linux host.
Although the title of this post states Debian 11, these settings are specific to OpenSSH and should be the same across other Debian/Ubuntu distributions.
Before you can make OpenSSH secure, you’ll need to have it installed, and have the configuration open.
$ sudo apt install openssh-server
You’ll find the SSH configuration file at /etc/ssh/sshd_config. You can open the file for editing in nano with the command below.
$ sudo nano /etc/ssh/sshd_config
1. Disable PasswordAuthentication
Disabling PasswordAuthentication is a very important first step. SSH brute-force attacks are extremely common because of the power of modern computer hardware and the number of leaked password lists in circulation. Find the PasswordAuthentication line in your SSH configuration, uncomment it, and make sure it’s set to no. If the line doesn’t exist, you can simply add it.
2. Disable PermitEmptyPasswords
Find the line that starts with PermitEmptyPasswords and set it to no. This will prevent any accounts without passwords from being used over SSH.
3. Disable PermitRootLogin
Next, we’ll disable PermitRootLogin. As the name implies, this setting controls whether the root account can log in via SSH. Change this setting to no; just make sure that you have an alternate sudoer account available with an SSH key in that account’s
Find the line below, uncomment it, and make sure it’s set to
4. Enable PubkeyAuthentication
With PasswordAuthentication disabled, we’ll enable PubkeyAuthentication to ensure that SSH explicitly knows that public key authentication is expected. Find the line below, uncomment it, and make sure it’s set to
5. Optional: Change the default SSH port
Changing the default SSH port is not a ‘security’ enhancement, per se. It will, however, make your host less likely to be found by internet scanners looking for SSH on the default port.
You’ll find the Port line near the very top of your SSH configuration. Any port in the 1025-65565 range should work for you.
#Port 22
Port 2200
6. Restart The SSH Service
You’ll need to restart the SSH service in order for the changes to take effect.
$ sudo systemctl restart sshd
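The six steps above, as an added example that is not code from the original post: a small POSIX shell script that applies the sshd_config settings idempotently (uncommenting or rewriting an existing directive, appending it if absent), keeps a backup, and lets you verify each value before restarting. It assumes GNU sed, as shipped on Debian, and is written to be run against a copy of the file first.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the five sshd_config
# settings above idempotently and check the result. Assumes GNU sed (Debian).

# set_sshd_option FILE KEY VALUE
# Rewrite every "KEY ..." line, commented out or not, to "KEY VALUE";
# append the directive if it is absent. Directive names are case-insensitive
# for sshd, so matching is case-insensitive here too (GNU sed "I" flag).
# Caveat: this also rewrites a KEY that sits inside a Match block.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -qiE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|I" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# sshd_option_is FILE KEY VALUE: succeed if the first active KEY line is VALUE
# (sshd honours the first occurrence of a directive; later ones are ignored).
sshd_option_is() {
  actual=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}')
  [ "$actual" = "$3" ]
}

# harden_sshd_config FILE [PORT]: steps 1-4 of the post, plus step 5 if PORT is given.
harden_sshd_config() {
  file=$1; port=$2
  cp -p "$file" "$file.bak"            # keep a copy so a bad edit is recoverable
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" PermitEmptyPasswords no
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" PubkeyAuthentication yes
  if [ -n "$port" ]; then set_sshd_option "$file" Port "$port"; fi
}

# On a real host, run as root and validate before restarting (step 6) so a
# typo cannot lock you out. Debian 11 puts "Include /etc/ssh/sshd_config.d/*.conf"
# at the top of the file, and the first occurrence of a directive wins, so a
# drop-in file there can override anything set below it; check those files too.
#   harden_sshd_config /etc/ssh/sshd_config 2200 && sshd -t && systemctl restart sshd
```

Because a key-only login is the whole point of steps 1 and 4, confirm your SSH key works from a second session before running the restart.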
The /etc/ssh/sshd_config file contains many more directives that let you configure sshd explicitly and enable additional features, like Kerberos integration. The full list of settings is available in the sshd_config Debian man page.