Linux


Securing OpenSSH Server on Debian 11

OpenSSH is a networking utility that provides secure connectivity to a remote host over the SSH protocol. It is made up of a number of tools you are probably already familiar with, including ssh-keygen and scp. Debian 11 can install OpenSSH with its default configuration on a new installation, so it is important to understand how to secure the SSH service against unintended exposure.

SSH is an easy target for attackers because it is a common entry point for legitimate remote access by system administrators and users alike. Here are a few simple steps to enhance the default security settings of the OpenSSH server on your Linux host.

Although the title of this post states Debian 11, these settings are specific to OpenSSH and should be the same across other Debian/Ubuntu distributions.

0. Requisites

Before you can make OpenSSH secure, you’ll need to have it installed, and have the configuration open.

$ sudo apt install openssh-server

You’ll find the SSH configuration file at /etc/ssh/sshd_config. You can open the file for editing in nano with the command below.

$ sudo nano /etc/ssh/sshd_config

1. Disable PasswordAuthentication

Disabling PasswordAuthentication is a very important first step. SSH brute force attacks are extremely common because password guessing is cheap on modern hardware and leaked password lists are plentiful. Find the line in your SSH configuration, uncomment it, and make sure it’s set to no. If the line doesn’t exist you can simply add it.

PasswordAuthentication no

2. Disable PermitEmptyPasswords

Find the line that starts with PermitEmptyPasswords and set it to no. This will prevent any accounts without passwords from being used over SSH.

PermitEmptyPasswords no

3. Disable PermitRootLogin

Next, we’ll disable PermitRootLogin. As implied, this setting controls whether the root account can log in via SSH. Change this setting to no; just make sure that you have an alternate sudoer account available with an SSH key in that account’s ~/.ssh/authorized_keys.

Find the line below, uncomment it, and make sure it’s set to no.

PermitRootLogin no

4. Enable PubkeyAuthentication

With PasswordAuthentication disabled, we’ll enable PubkeyAuthentication so that SSH explicitly knows that public key authentication is expected. Find the line below, uncomment it, and make sure it’s set to yes.

PubkeyAuthentication yes

5. Optional: Change the default SSH port

Changing the default SSH port is not a ‘security’ enhancement, per se. It will, however, make your host less apt to be found by internet scanners looking for SSH on default ports.

You’ll find the Port line near the very top of your SSH configuration. Any port in the 1025-65535 range should work for you.

#Port 22
Port 2200

6. Restart The SSH Service

You’ll need to restart the SSH service in order for the changes to take effect.

$ sudo systemctl restart sshd
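The following script is an added example (not part of the original post) that applies steps 1 through 5 to an sshd_config file idempotently and then audits the result. The file path is a parameter so it can be tried on a copy first; the port 2200 is the post's example value, and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): apply the settings from
# steps 1-5 to an sshd_config file idempotently, then audit the result.
# The file path is a parameter so you can run it on a copy before the
# live /etc/ssh/sshd_config; 2200 is the post's example port.
# Caveat: lines inside "Match" blocks are rewritten too; review those by hand.

# set_sshd_option FILE KEY VALUE
# Turns every "Key ..." or "#Key ..." line into "Key Value" (sshd honours
# the first active occurrence); appends the line if the key is absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*/${key} ${value}/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# audit_sshd_config FILE
# Prints each expected setting that is missing or wrong; returns 1 if any.
audit_sshd_config() {
    file=$1; rc=0
    for pair in PasswordAuthentication=no PermitEmptyPasswords=no \
                PermitRootLogin=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(grep -E "^[[:space:]]*${key}[[:space:]]" "$file" | head -n1 | awk '{print $2}')
        if [ "$got" != "$want" ]; then
            echo "$key: want '$want', got '${got:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# harden_sshd_config FILE [PORT]
harden_sshd_config() {
    file=$1; port=${2:-2200}
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" Port "$port"
    audit_sshd_config "$file"
}

# Usage on the live file (as root), then validate and restart as in step 6:
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

Debian 11's sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for a keyword, so a drop-in there that sets any of these keywords overrides what this script writes.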

Other Settings

The /etc/ssh/sshd_config file contains many more settings that let you configure sshd explicitly or add features such as Kerberos integration. The full list of settings is available on the sshd_config Debian man page.


Installing PHP8.0-FPM on Debian 11

PHP-FPM (FastCGI Process Manager) runs PHP as pools of worker processes, which makes it practical to run multiple versions of PHP on the same host. PHP-FPM is commonly used by web hosting providers to offer multiple versions of PHP on the same shared host, but it is also great when you’re running two PHP applications on the same server that require different PHP versions.

PHP7.4 is the only version of PHP-FPM currently available in the default Debian 11 repositories, as seen in the screenshot below. So, some additional steps are required to make PHP8.0 available.

Search of the default Debian 11 repositories looking for PHP-FPM versions

1. Update Repositories and Install the Prerequisites

First, install a few packages that are required in order to add the new software repository safely.

$ sudo apt update
$ sudo apt install -y apt-transport-https lsb-release ca-certificates curl

2. Import the Repository Key

In order for apt to verify packages from the repository, it needs the repository’s public signing key. The command below downloads the public key for the sury-php repository into a keyring that apt can reference.

The repository is maintained by Ondřej Surý, a software developer who has been providing the official builds of PHP for both Ubuntu and Debian via his website since 2000.

$ sudo curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg

3. Add the Repository

This will create the appropriate package source entry for your Debian release codename (from lsb_release -sc) and save it in /etc/apt/sources.list.d/php.list. The signed-by option ties the key downloaded above to this repository only, rather than trusting it for every repository on the system.

$ sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'

4. Update APT Repositories

The following command updates the local APT cache from the available repositories.

$ sudo apt update

5. Install PHP8.0-FPM

Now, you can simply install PHP8.0-fpm via APT.

$ sudo apt install php8.0-fpm

PHP-FPM is installed to /etc/php/php8.0/fpm. The php.ini file contained within that directory controls the PHP configuration for instances of FPM running that version of PHP.
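Added example (not from the original post): a small audit of the apt source entry written in step 3. A third-party key placed in /etc/apt/trusted.gpg.d would be trusted for every repository, so the checker flags "deb" lines that lack signed-by, that reference a keyring which does not exist, or that use plain http. Function names are this example's own; the repository URL is the one used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): write and audit the apt
# source entry from steps 2-3. Paths are parameters so it can be tried
# on scratch files; only "deb" lines are examined.

# write_php_source KEYRING CODENAME OUTFILE
# Writes the entry from step 3 (codename normally comes from: lsb_release -sc).
write_php_source() {
    printf 'deb [signed-by=%s] https://packages.sury.org/php/ %s main\n' \
        "$1" "$2" > "$3"
}

# audit_apt_source FILE
# Prints one finding per problem in each "deb" line; returns 1 if any.
audit_apt_source() {
    findings=$(grep -E '^[[:space:]]*deb[[:space:]]' "$1" | while IFS= read -r line; do
        rest=${line#*deb }
        opts=""
        # Options, if present, are the bracketed group before the URL.
        case $rest in
            \[*) opts=${rest#\[}; opts=${opts%%\]*}; rest=${rest#*\] } ;;
        esac
        url=${rest%% *}
        case $url in
            https://*) ;;
            *) echo "unencrypted transport: $url" ;;
        esac
        case " $opts " in
            *" signed-by="*)
                # Keyring path is the value of signed-by, up to the next space.
                keyring=${opts##*signed-by=}; keyring=${keyring%% *}
                [ -s "$keyring" ] || echo "keyring not found: $keyring" ;;
            *) echo "no signed-by (key would be trusted globally): $url" ;;
        esac
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage on a live system, after the curl step:
#   write_php_source /usr/share/keyrings/deb.sury.org-php.gpg "$(lsb_release -sc)" \
#       /etc/apt/sources.list.d/php.list && audit_apt_source /etc/apt/sources.list.d/php.list
```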

Proper Permissions of ~/.ssh

If you accidentally changed the permissions of your ~/.ssh folder, or created the folder without setting the appropriate permissions, ssh may refuse to use your private key files. To prevent them from being read by other accounts, it’s important to set the appropriate permissions on both private and public keys.

Here are the appropriate permissions to have on your ~/.ssh and its standard files.

  • ~/.ssh (drwx------) – 700
  • ~/.ssh/authorized_keys (-rw-------) – 600
  • ~/.ssh/[Private Key] (-rw-------) – 600
  • ~/.ssh/[Public Key] (-rw-r--r--) – 644
  • ~/.ssh/known_hosts (-rw-r--r--) – 644

You can test your identity file by using ssh to connect to the account on the server that the private key is associated with.

~$ ssh churppy@[Server] -i ~/.ssh/[Private Key]
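Added example (not from the original post): a script that checks a .ssh directory against the modes listed above and, if asked, fixes them. The directory is a parameter so it can be tried on a scratch copy; it assumes GNU stat as shipped on Debian, and private keys are recognised by their PRIVATE KEY header rather than by file name.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ~/.ssh directory
# against the modes listed above and optionally fix them. Uses GNU stat
# (Debian); private keys are detected by their "PRIVATE KEY" header line.

# expected_mode PATH: prints the mode the listing above calls for,
# or "skip" for files the listing does not cover (e.g. config).
expected_mode() {
    p=$1
    if [ -d "$p" ]; then echo 700; return; fi
    case ${p##*/} in
        authorized_keys) echo 600 ;;
        known_hosts|*.pub) echo 644 ;;
        *) if head -n1 "$p" 2>/dev/null | grep -q 'PRIVATE KEY'; then
               echo 600
           else
               echo skip
           fi ;;
    esac
}

# check_ssh_perms DIR: prints one line per mismatch, returns 1 if any.
check_ssh_perms() {
    dir=$1; rc=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        want=$(expected_mode "$p"); [ "$want" = skip ] && continue
        got=$(stat -c %a "$p")
        if [ "$got" != "$want" ]; then
            echo "$p: mode $got, expected $want"; rc=1
        fi
    done
    return $rc
}

# fix_ssh_perms DIR: apply the expected modes, then re-check.
fix_ssh_perms() {
    dir=$1
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        want=$(expected_mode "$p"); [ "$want" = skip ] && continue
        chmod "$want" "$p"
    done
    check_ssh_perms "$dir"
}

# Usage: check_ssh_perms ~/.ssh   or   fix_ssh_perms ~/.ssh
```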