Introduction
OpenSSH, or OpenBSD Secure Shell, is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client-server architecture. Ubuntu, like most UNIX-based operating systems, has OpenSSH built-in, allowing you to establish secure remote connections to other machines. This tutorial will guide you through the process of changing the OpenSSH configuration on an Ubuntu system.
Understanding OpenSSH Configuration File
The main configuration file for the OpenSSH server is /etc/ssh/sshd_config. Modifications to this file dictate how the SSH server behaves regarding authentication, port assignment, encryption, and so on. Before making any changes, back up the original file so that you can restore it after a misconfiguration.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
Modifying SSH Config Parameters
Fundamental changes when configuring OpenSSH include altering the default port, restricting root login, specifying allowed users, and implementing key-based authentication. Comments in the config file are denoted by the # symbol; remove it from in front of the setting name to enable a particular configuration parameter.
Changing the default port from 22 to a non-standard port can be an initial step in securing your SSH server, although it is only security by obscurity. The following line changes the default SSH port:
Port 2222
Restricting root login over SSH is another common security precaution:
PermitRootLogin no
You can also specify which users or groups are allowed to authenticate:
AllowUsers user1 user2
AllowGroups group1
Key-Based Authentication
One of the most secure methods of authenticating to an SSH server is through public key authentication. First, you will need to create a public-private key pair on the client. The following command generates an RSA key pair:
ssh-keygen -t rsa
Next, transfer the public key to the server for the user account you wish to access remotely:
ssh-copy-id user1@your-server-ip
Finally, enforce key-based authentication by altering the OpenSSH server configuration:
PubkeyAuthentication yes
PasswordAuthentication no
Applying Configuration Changes
After editing the configuration, restart the SSH service to apply the changes. On Ubuntu the systemd unit is named ssh:
sudo systemctl restart ssh
Testing SSH Configuration Changes
Before logging out of the server, it’s essential to test the new configuration in a new terminal window to ensure you are not locked out. If you encounter any issues, revert the changes using your backup config or log in to your console if your host provides one.
ssh -p [new-port] user1@your-server-ip
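A check that complements the login test above, added here as an example and not part of the original tutorial: sshd keeps the first value it obtains for each keyword, so a forgotten earlier line can silently override the setting you just added. The function names effective and audit and the sample file are constructed for illustration, and the script reads only the global section of a single file.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config-style file.
# Assumptions: Include files are not followed and parsing stops at the
# first Match block; function names are illustrative.

# Print the effective global value of keyword $2 in file $1. sshd keeps the
# first value it obtains for a keyword, and keywords are case-insensitive.
effective() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            key = tolower($1)
            val = $0; sub(/^[^ \t]+[ \t]*/, "", val)
            if (key == "match") exit
            if (key == want) { print val; exit }
        }' "$1"
}

# Compare the tutorial's values with what the file actually yields.
# Returns 0 when every check passes, 1 otherwise. An unset keyword is
# reported too, because sshd then falls back to its built-in default.
audit() {
    rc=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no" \
                "PubkeyAuthentication yes"; do
        key=${pair% *}; expect=${pair#* }
        got=$(effective "$1" "$key")
        if [ "$got" = "$expect" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$expect'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a stray lowercase line near the top wins over the
# intended "PasswordAuthentication no" further down.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
passwordauthentication yes
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
audit "$sample" || echo "password logins are still enabled in this sample"
rm -f "$sample"
```

On a live server, sudo sshd -T prints the configuration sshd actually resolves, including any included files.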
Security Tips
Adopt additional security measures such as setting up a firewall with UFW, installing fail2ban for protection against brute-force attacks, and regularly updating your system’s packages for security updates.
sudo ufw allow 2222/tcp
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install fail2ban
Conclusion
With your OpenSSH server configured according to best practices, your Ubuntu system is now much more secure against unauthorized access. Remember that configuration tweaks should be based on your usage needs and security policies; these instructions provide a starting point for securing your SSH service.