The acronym SSH, along side a padlock

Securing OpenSSH Server on Debian 11

OpenSSH is a networking utility that allows the secure connectivity to a remote host via the SSH protocol. It’s made up of a number of utilities that you’re probably already familiar with, including ssh-keygen and scp. Debian 11 can include the default setup of OpenSSH on a new installation, so it’s important to understand how to secure the SSH service from unintended consequences.

SSH is an easy target for attackers as it’s a common entry point for legitimate remote access by system administrators and users, alike. Here are a few simple steps to enhance the default security settings for the OpenSSH server on your Linux host.

Although the title of this post states Debian 11, these settings are specific to OpenSSH and should be the same across other Debian/Ubuntu distributions.

0. Requisites

Before you can make OpenSSH secure, you’ll need to have it installed, and have the configuration open.

$ sudo apt install openssh-server

You’ll find the SSH configuration file at /etc/ssh/sshd_config. You can open the file for editing in nano with the command below.

$ sudo nano /etc/ssh/sshd_config

1. Disable PasswordAuthentication

Disabling PasswordAuthentication is a very important first step. SSH brute force attacks are extremely common due to the power of computer hardware, and the amount of leaked password lists that exist. Find the line in your SSH configuration, uncomment it, and make sure it’s set to no. If the line doesn’t exist you can simply add it.

PasswordAuthentication no

2. Disable PermitEmptyPasswords

Find the line that starts with PermitEmptyPasswords and set it to no. This will prevent any accounts without passwords from bring utilized by SSH.

PermitEmptyPasswords no

3. Disable PermitRootLogin

Next, we’ll disable PermitRootLogin. As implied, this setting controls whether the root account can login via SSH. Change this setting to no; just make sure that you have an alternate sudoer account available with an SSH key in that accounts ~/.ssh/authorized_keys.

Find the line below line, uncomment it, and make sure it’s set to no.

PermitRootLogin no

4. Enable PubkeyAuthentication

With PasswordAuthentication disabled, we’ll enable PubKeyAuthentication to ensure that SSH explicitly knows that public key authentication is expected. Find the line below line, uncomment it, and make sure it’s set to yes.

PubkeyAuthentication yes

5. Optional: Change the default SSH port

Changing the default SSH port is not a ‘security’ enhancement, per se. It will, however, make your host less apt to be found by internet scanners looking for SSH on default ports.

You’ll find the Port line near the very top of your SSH configuration. Any port in the 1025-65565 range should work for you.

#Port 22
Port 2200

6. Restart The SSH Service

You’ll need to restart the SSH service in order for the changes to take affect.

$ sudo systemctl restart sshd

Other Settings

The /etc/ssh/sshd_config file contains a variety of settings that can be used to explicitly configure settings, as well as add new features, like Kerberos integration. The full list of settings is available on the sshd_config Debian Man page.

Proper Permissions of ~/.ssh

If you accidentally changed the permissions of your ~/.ssh folder, or created the folder without setting the appropriate permissions your operating system may not be able to read your private key files. In order to prevent them from being read by other accounts, it’s important to set the appropriate permissions on both Private and Public Keys.

Here are the appropriate permissions to have on your ~/.ssh and its standard files.

  • ~./ssh (drwx——) – 600
  • ~/.ssh/authorized_keys (drwx——) – 600
  • ~/.ssh/[Private Key] (-rw——-) – 600
  • ~/.ssh/[Public Key] (-rw-r–r–) – 644
  • ~/.ssh/known_hosts (-rw-r–r–) – 644

You can test your identity file using the ssh to connect to the account on the server that the private key is associated with.

~$ ssh churppy@[Server] -i ~/.ssh/[Private Key]