Securing OpenSSH Server on Debian 11
OpenSSH is a networking utility that allows secure connectivity to a remote host via the SSH protocol. It’s made up of a number of utilities that you’re probably already familiar with, including ssh-keygen and scp. Debian 11 can include the default setup of OpenSSH on a new installation, so it’s important to understand how to secure the SSH service from unintended consequences.
SSH is an easy target for attackers as it’s a common entry point for legitimate remote access by system administrators and users alike. Here are a few simple steps to enhance the default security settings for the OpenSSH server on your Linux host.
Although the title of this post states Debian 11, these settings are specific to OpenSSH and should be the same across other Debian/Ubuntu distributions.
0. Requisites
Before you can make OpenSSH secure, you’ll need to have it installed, and have the configuration open.
$ sudo apt install openssh-server
You’ll find the SSH configuration file at /etc/ssh/sshd_config. You can open the file for editing in nano with the command below.
$ sudo nano /etc/ssh/sshd_config
1. Disable PasswordAuthentication
Disabling PasswordAuthentication is a very important first step. SSH brute force attacks are extremely common due to the power of modern computer hardware and the number of leaked password lists that exist. Find the line in your SSH configuration, uncomment it, and make sure it’s set to no. If the line doesn’t exist you can simply add it.
PasswordAuthentication no
2. Disable PermitEmptyPasswords
Find the line that starts with PermitEmptyPasswords and set it to no. This will prevent any accounts without passwords from being used over SSH.
PermitEmptyPasswords no
3. Disable PermitRootLogin
Next, we’ll disable PermitRootLogin. As implied, this setting controls whether the root account can log in via SSH. Change this setting to no; just make sure that you have an alternate sudoer account available with an SSH key in that account’s ~/.ssh/authorized_keys.
Find the line below, uncomment it, and make sure it’s set to no.
PermitRootLogin no
4. Enable PubkeyAuthentication
With PasswordAuthentication disabled, we’ll enable PubkeyAuthentication to ensure that SSH explicitly knows that public key authentication is expected. Find the line below, uncomment it, and make sure it’s set to yes.
PubkeyAuthentication yes
5. Optional: Change the default SSH port
Changing the default SSH port is not a ‘security’ enhancement, per se. It will, however, make your host less likely to be found by internet scanners looking for SSH on the default port.
You’ll find the Port line near the very top of your SSH configuration. Any port in the 1025-65535 range should work for you.
#Port 22
Port 2200
6. Restart The SSH Service
You’ll need to restart the SSH service in order for the changes to take effect.
$ sudo systemctl restart sshd
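A common slip when following steps 1 to 4 is editing a line that is still commented out, in which case sshd silently keeps its built-in default. The audit script below is an added example (not part of the original post) that resolves each of the four directives the way sshd does, first uncommented occurrence wins and nothing after a Match block counts, and reports where the value came from; the sample config it writes is constructed to resemble a stock Debian 11 file, and the file path is whatever you pass in.

```shell
# effective_value FILE KEYWORD
# Print the argument of the first uncommented KEYWORD line that appears before
# any "Match" block, which is how sshd resolves a directive: the first
# occurrence wins and later ones are ignored. Prints nothing if it is absent.
# Keywords are matched case-insensitively; the rarer "Keyword=value" spelling
# and Include directives are not followed.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                    # drop comments, re-splits fields
        tolower($1) == "match" { exit }       # conditional blocks start here
        tolower($1) == key { print $2; exit } # first occurrence wins
    ' "$1"
}
# audit_sshd_config FILE
# Compare each directive from the post against the value it recommends,
# falling back to sshd's built-in default when the line is missing or still
# commented out. Returns the number of non-compliant directives (0 = pass).
audit_sshd_config() {
    failures=0
    # Keyword|required value|sshd default when the keyword is absent
    for spec in \
        'PasswordAuthentication|no|yes' \
        'PermitEmptyPasswords|no|no' \
        'PermitRootLogin|no|prohibit-password' \
        'PubkeyAuthentication|yes|yes'
    do
        key=${spec%%|*}; rest=${spec#*|}; want=${rest%%|*}; default=${rest#*|}
        got=$(effective_value "$1" "$key"); src=config
        [ -n "$got" ] || { got=$default; src=default; }
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            printf 'OK    %-24s %s (%s)\n' "$key" "$got" "$src"
        else
            printf 'FAIL  %-24s %s (%s), want %s\n' "$key" "$got" "$src" "$want"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
# Constructed sample modelled on a stock Debian 11 sshd_config: every directive
# still commented out, so sshd's defaults apply (password logins allowed).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
EOF
audit_sshd_config "$sample" || echo "$? directive(s) need attention"
rm -f "$sample"
```

Point it at /etc/ssh/sshd_config after editing; running sudo sshd -t alongside it catches syntax errors that this check does not.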
Other Settings
The /etc/ssh/sshd_config file contains a variety of settings that can be used to explicitly configure the server, as well as add new features, like Kerberos integration. The full list of settings is available on the sshd_config Debian man page.