sshd, the OpenSSH server daemon, provides encrypted and authenticated remote login between two hosts across an untrusted network such as the internet.

In this post we set up a new sshd service from scratch and then harden it step by step.

Step 1: Install openssh-server

First refresh the package index. The examples here use Debian:

$ sudo apt update

Then simply run the following command:

$ sudo apt install openssh-server

After installation you can check its status with the following command:

$ sudo systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-12-26 13:19:49 CET; 6h ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 436 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 439 (sshd)
      Tasks: 1 (limit: 2341)
     Memory: 7.1M
        CPU: 295ms
     CGroup: /system.slice/ssh.service
             └─439 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

The Active line shows whether the daemon is running. If it is not active, start it with sudo systemctl start sshd. On Debian the unit is ssh.service and sshd.service is an alias for it, so both names work with systemctl.

Step 2: Connect To The SSH Server

To connect, you need the server's IP address; run ip a on the server to find it. Then run this command on the second machine:

$ ssh [user]@[server_ip_address]

Step 3: Hardening The SSH Server

To configure the SSH server, either edit /etc/ssh/sshd_config or create a file ending in .conf in /etc/ssh/sshd_config.d/ (Debian's sshd_config pulls that directory in through an Include line near its top). Two things to remember. First, for most keywords sshd keeps the first value it reads, so a setting in a drop-in overrides the same keyword later in sshd_config, while a line appended to the end of sshd_config is ignored if the keyword was already set above it. Second, after every change run sudo sshd -t to check the syntax (the unit's ExecStartPre does the same check), then sudo systemctl restart sshd, and keep your current session open until you have confirmed that a fresh login still works.

3.1. Disable Root Login

The first hardening step is to refuse direct logins as root; administrative work then goes through a normal account and sudo. Change the existing PermitRootLogin line (Debian ships it commented out as prohibit-password) or set it in a drop-in file. Do not just append a second line to the end of sshd_config, because sshd keeps the first value it reads.

PermitRootLogin no

3.2. Filter SSH Users

You can restrict logins to members of a single group. Create the group and add the intended users to it first: once AllowGroups is set, every account that is not in a listed group is refused, including your own if you forget to add it before restarting.

$ sudo groupadd ssh-users
$ sudo usermod -aG ssh-users [user]

And after that, add this line to the config file:

AllowGroups ssh-users

3.3. Change SSH Server Port

Changing the default port does not make sshd itself any harder to attack, but it keeps most automated scanners and bruteforce bots, which overwhelmingly target port 22, out of your logs. Treat it as noise reduction rather than a security control; the group filter above and key-only logins are what actually stop bruteforcing. Before restarting, open the new port in your firewall, and keep in mind that 13202 is an unprivileged port, so any local process could bind it while sshd is stopped.

Port 13202

And then you can simply connect to the server by ssh -p 13202 [user]@[host] command.

3.4. Disable X11 Forwarding

X11 forwarding gives the remote host a channel to the X server on your client. A compromised or malicious server can use that channel against your desktop session, for example to capture keystrokes or read the contents of other windows. Upstream OpenSSH defaults this to off, but Debian's packaged sshd_config turns it on, so disable it unless you need it:

X11Forwarding no

3.5. Disable User's Login With Empty Password

Refuse logins for accounts whose password field is empty. This is already the default, but set it explicitly so that a stray change elsewhere in the configuration cannot reopen it:

PermitEmptyPasswords no

3.6. Public Key Authentication

First create a key pair on your local machine. -t ed25519 selects an Ed25519 key and -a 64 raises the number of KDF rounds that protect the private key with its passphrase, so choose a passphrase when prompted:

ssh-keygen -a 64 -t ed25519 -C [comment]

Then copy the ssh public key to the server. In Linux you can run this command:

ssh-copy-id -i ~/.ssh/id_ed25519.pub [user]@[host]

On Windows, which has no ssh-copy-id, run this from your user profile directory (it works in both cmd.exe and PowerShell):

type .\.ssh\id_ed25519.pub | ssh [user]@[host] "mkdir -p /home/[user]/.ssh; chmod 700 /home/[user]/.ssh; cat >> /home/[user]/.ssh/authorized_keys; chmod 600 /home/[user]/.ssh/authorized_keys"

Replace [user] with your username on the server.

Public key authentication is on by default, but set it explicitly so the intent is recorded in your config file. This line on its own does not disable password logins: confirm from a second terminal that a key-based login works while your current session stays open, and only then consider turning password authentication off.

PubkeyAuthentication yes
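Steps 3.1 to 3.6 together, as an added example that is not part of the original post: a POSIX shell script that writes the six settings into one drop-in file and then checks the configuration sshd will actually use with sshd -T, which prints the effective value of every keyword after all Include files and first-value-wins resolution. The drop-in name 10-hardening.conf is my choice; the group ssh-users and port 13202 are the values used above. The sample sshd -T output used to exercise the check is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: bundle Steps 3.1-3.6 into one
# drop-in and verify the EFFECTIVE sshd configuration with `sshd -T`.
# Assumptions (mine): drop-in name 10-hardening.conf; group ssh-users and
# port 13202 as in the post.

# Print the drop-in. sshd keeps the FIRST value it reads for most keywords, and
# Debian's sshd_config includes sshd_config.d/*.conf near its top, so these
# lines win over anything set later in sshd_config. The name must end in .conf.
hardening_conf() {
  cat <<'EOF'
# Steps 3.1 - 3.6 of the post in one drop-in under /etc/ssh/sshd_config.d/
PermitRootLogin no
AllowGroups ssh-users
Port 13202
X11Forwarding no
PermitEmptyPasswords no
PubkeyAuthentication yes
EOF
}

# Read `sshd -T` output from stdin and compare it with what the drop-in should
# have produced. `sshd -T` prints one lower-case keyword per line, resolved the
# way sshd will really use it, so it catches a drop-in that was silently
# ignored (wrong extension, typo, overridden by an earlier setting).
# Returns 0 when every expected setting is in effect, 1 otherwise.
audit_effective() {
  dump=$(cat)
  rc=0
  for want in 'permitrootlogin no' 'allowgroups ssh-users' 'port 13202' \
              'x11forwarding no' 'permitemptypasswords no' \
              'pubkeyauthentication yes'; do
    key=${want%% *}
    # first line for this keyword; AllowGroups prints one line per group
    got=$(printf '%s\n' "$dump" | grep "^$key " | head -n 1)
    if [ "$got" != "$want" ]; then
      printf 'MISMATCH: want "%s", effective "%s"\n' "$want" "${got:-<unset>}" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Write the drop-in, syntax-check it, restart, then audit the live daemon.
# Keep the session you are in open until a NEW login has succeeded.
install_hardening() {
  hardening_conf | sudo tee /etc/ssh/sshd_config.d/10-hardening.conf >/dev/null
  sudo sshd -t || return 1              # never restart on a broken config
  sudo systemctl restart ssh || return 1
  sudo sshd -T | audit_effective
}

if [ "${1:-}" = "install" ]; then
  install_hardening
fi
```

Run it as sh harden.sh install on the server; sshd -T needs root, which is why the audit runs under sudo. Two details worth knowing when reading the output: Port accumulates rather than overrides, so if sshd_config still has an uncommented Port 22 the daemon listens on both ports and the audit will pass while 22 stays open; and the drop-in deliberately stops where the post does, so passwordauthentication yes will still appear in the dump. Once ssh -o PasswordAuthentication=no [user]@[host] -p 13202 logs you in with the key alone, PasswordAuthentication no is the natural next line for the drop-in.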