In today’s connected world, secure remote access to servers is crucial for system administrators, developers, and cybersecurity professionals. One of the most commonly used methods for this is SSH (Secure Shell), a network protocol that provides secure access over unsecured networks. Setting up a secure SSH server on Ubuntu helps you manage your server remotely, whether it’s for software development, maintenance, or security purposes.
In this guide, we’ll walk you through the process of setting up and securing an SSH server on Ubuntu, with clear, step-by-step instructions. By the end, you’ll have a fully functional and secure SSH environment that’s ready for use.
What Is SSH and Why Is It Important?
SSH, or Secure Shell, is a cryptographic network protocol designed to enable secure communication over an unsecured network. It is most often used for:
- Remote server access: Allows system administrators to log into servers securely.
- File transfers: Using SCP (Secure Copy) or SFTP (SSH File Transfer Protocol).
- Running commands remotely: Admins can manage servers without needing physical access.
SSH is critical because it encrypts data, making it nearly impossible for malicious actors to intercept passwords, commands, or data being transmitted. For any Linux-based server, setting up SSH is one of the first tasks, and securing it is equally important.
Prerequisites
Before setting up the SSH server, ensure you meet the following requirements:
- A running Ubuntu system: This guide is based on Ubuntu 20.04, but the steps should be similar for other versions.
- Root or sudo access: You’ll need administrative privileges to install and configure SSH.
- An internet connection: Required for downloading and installing the necessary packages.
Step 1: Install SSH Server on Ubuntu
By default, SSH might not be installed on your Ubuntu system. You can install it easily by following these steps:
- Update the package list:
Start by updating the package repository to ensure that you have the latest versions available.
sudo apt update- Install the OpenSSH server:
The OpenSSH server package provides the SSH protocol functionality. To install it, run the following command:
sudo apt install openssh-server- Check the SSH service status:
Once installed, you can check if SSH is running using:
sudo systemctl status sshIf it’s running, you should see a message indicating that the service is active. If not, start the SSH service with:
sudo systemctl start sshStep 2: Basic SSH Server Configuration
Now that SSH is installed and running, it’s time to configure it. The main configuration file for the SSH server is located at /etc/ssh/sshd_config. To make changes, you’ll need to edit this file:
- Open the configuration file:
sudo nano /etc/ssh/sshd_config- Set the port number (optional):
By default, SSH runs on port 22, which is well known and often targeted by attackers. To enhance security, you can change the port number to something less common:
Port 2222This change reduces the chances of automated attacks that target default ports.
- Disable root login:
Logging in as the root user over SSH is a significant security risk. You can disable it by finding the line:
PermitRootLogin yesAnd changing it to:
PermitRootLogin no- Limit user access:
If you want only certain users to be able to access your server via SSH, you can specify which users are allowed to log in by adding:
AllowUsers username1 username2- Save and exit:
After making the changes, save the file by pressingCtrl + X, followed byY, and then pressEnter. - Restart the SSH service:
For the changes to take effect, restart the SSH server:
sudo systemctl restart sshStep 3: Secure SSH with Key-Based Authentication
Password-based authentication, while convenient, is less secure than key-based authentication. SSH keys are more resistant to brute force attacks and provide an added layer of security.
Step 3.1: Generate SSH Key Pair
To use key-based authentication, you first need to generate a pair of keys (private and public). Here’s how you can generate them:
- On the client machine, open a terminal and run the following command:
ssh-keygen -t rsa -b 4096You will be prompted to choose a location to save the key and to set a passphrase for additional security.
- Copy the public key to the Ubuntu server using:
ssh-copy-id username@server_ip_addressReplace username and server_ip_address with your actual login details. This command will add the public key to the server’s ~/.ssh/authorized_keys file.
Step 3.2: Disable Password-Based Authentication
Once you have SSH key authentication working, it’s a good idea to disable password-based authentication entirely:
- Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config- Find the line
PasswordAuthentication yesand change it to:
PasswordAuthentication no- Save the file and restart the SSH service:
sudo systemctl restart sshNow, your server will only accept SSH key-based logins, which makes it significantly more secure.
Step 4: Additional Security Tips
Securing your SSH server doesn’t end with key-based authentication. Here are a few additional tips to further harden your setup:
- Enable UFW (Uncomplicated Firewall):
Ubuntu comes with a built-in firewall tool called UFW. You can enable it and allow your chosen SSH port:
sudo ufw allow 2222/tcp
sudo ufw enable- Use Fail2Ban:
Fail2Ban is a tool that monitors SSH logs for failed login attempts and bans IPs that appear to be engaging in brute force attacks.
sudo apt install fail2banOnce installed, it automatically protects your server.
- Limit login attempts:
Another option is to limit the number of SSH login attempts to reduce the risk of brute force attacks. You can adjust the settings by adding this line to your SSH configuration file:
MaxAuthTries 3Conclusion
Setting up a secure SSH server on Ubuntu is an essential step for managing your server remotely. By following this guide, you’ve not only learned how to install and configure SSH, but also how to enhance its security using best practices like key-based authentication, custom ports, and limiting user access.
Remember, security is an ongoing process. Regularly review your SSH configurations, apply updates, and stay informed about new vulnerabilities. With a secure SSH setup, you can confidently manage your Ubuntu server from anywhere while minimizing security risks.