5 Best OpenSSH Server Best Security Practices

SSH (Secure Shell) is an open-source network protocol that is used to connect local or remote Linux servers to transfer files, make remote backups, remote command execution, and other network-related tasks via scp command or sftp command between two servers that connect on a secure channel over the network.

In this article, I will show you some simple tools and tricks that will help you to tighten your ssh server security. Here you will find some useful information on how to secure and prevent ssh servers from brute force and dictionary attacks.

1. DenyHosts

DenyHosts is an open-source log-based intrusion prevention security script for SSH servers that was written in a python programming language that is intended to be run by Linux system administrators and users to monitor and analyze SSH server access logs for failed login attempts knows as dictionary-based attacks and brute force attacks.

The script works by banning IP addresses after a set number of failed login attempts and also prevent such attacks from gaining access to the server.

DenyHosts Features
  • Keeps track of /var/log/secure to find all successful and failed login attempts and filters them.
  • Keeps eye on all failed login attempts by the user and offending host.
  • Keeps watching on each existing and non-existent user (eg. xyz) when a failed login attempts.
  • Keeps track of each offending user, host, and suspicious login attempts (If a number of login failures) bans that host IP address by adding an entry in /etc/hosts.deny file.
  • Optionally sends an email notification of newly blocked hosts and suspicious logins.
  • Also maintains all valid and invalid failed user login attempts in separate files so that it makes it easy for identifying which valid or invalid user is under attack. So, that we can delete that account or change the password, or disable shell for that user.

[ You might also like: How to Block SSH Brute Force Attacks Using DenyHosts ]

2. Fail2Ban

Fail2ban is one of the most popular open-source intrusion detection/prevention frameworks written in a python programming language. It operates by scanning log files such as /var/log/secure, /var/log/auth.log, /var/log/pwdfail etc. for too many failed login attempts.

Fail2ban is used to update Netfilter/iptables or TCP Wrapper’s hosts.deny file, to reject an attacker’s IP address for a set amount of time. It also has the ability to unban a blocked IP address for a certain period of time set by administrators. However, a certain minute of unbanning is more than enough to stop such malicious attacks.

Fail2Ban Features
  • Multi-threaded and Highly configurable.
  • Support for log files rotation and can handle multiple services like (sshd, vsftpd, apache, etc).
  • Monitors log files and look for known and unknown patterns.
  • Uses Netfilter/Iptables and TCP Wrapper (/etc/hosts.deny) table to ban attackers IP.
  • Runs scripts when a given pattern has been identified for the same IP address more than X times.

[ You might also like: How to Use Fail2ban to Secure Your Linux Server ]

3. Disable Root Login

By default Linux systems are pre-configured to allow ssh remote logins for everyone including the root user itself, which allows everyone to directly log in to the system and gain root access. Despite the fact that ssh server allows a more secure way to disable or enable root logins, it’s always a good idea to disable root access, keeping servers a bit more secure.

There are so many people trying to brute force root accounts via SSH attacks by simply supplying different account names and passwords, one after another. If you are a system administrator, you can check ssh server logs, where you will find a number of failed login attempts. The main reason behind a number of failed login attempts is having weak enough passwords and that makes sense for hackers/attackers to try.

If you are having strong passwords, then you’re probably safe, however, it’s better to disable root login and have a regular separate account to log into, and then use sudo or su to gain root access whenever required.

[ You might also like: How to Disable SSH Root Login and Limit SSH Access in Linux ]

4. Display SSH Banner

This is one of the oldest features available from the beginning of the ssh project, but I’ve hardly seen it is used by anyone. Anyway, I feel it’s an important and very useful feature that I’ve used for all my Linux servers.

This is not for any security purpose, but the greatest benefit of this banner is that it is used to display ssh warning messages to UN-authorized access and welcome messages to authorized users before the password prompt and after the user logged in.

[ You might also like: How to Protect SSH Logins with SSH & MOTD Banner Messages ]

5. SSH Passwordless Login

An SSH Password-less login with SSH keygen will establish a trust relationship between two Linux servers which makes file transfer and synchronization much easier.

This is very useful if you are dealing with remote automated backups, remote scripting execution, file transfer, remote script management, etc without entering the password each time.

[ You might also like: How to Setup SSH Passwordless Login in Linux [3 Easy Steps] ]

To further secure your SSH server, read our article on How to Secure and Harden OpenSSH Server

Ravi Saive
I am an experienced GNU/Linux expert and a full-stack software developer with over a decade in the field of Linux and Open Source technologies

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

21 thoughts on “5 Best OpenSSH Server Best Security Practices”

  1. Reads:

    “This is very useful if you are dealing with remote automated backups, remote scripting execution, file transfer, remote script management, etc without entering the password each time.”

    See quoted para: it has a typo and a grammatical error.
    Should read … “without entering a password each time.”

    Reply
  2. Great Practice, Thanks for Guiding. Cloudways is also integrated Whitelist IP in their Platform. It automatically block bot login attempts.

    Reply
  3. While this won’t stop malicious users, it’s advised to put in place. An instructor from a Cisco training that I was in attendance of stated that there have been multiple instances where a “hacker” has gotten off free for their crimes due to the fact that there was nothing anywhere on the server stating that the “hacker” or anybody else for that matter, were not allowed to access the server.

    Sure, they’re still going to get access if they want it, but it holds up a lot better in the Judicial system. Every since hearing that, I have set banners and MOTD on every server that I am in charge of because why not? They take just a few seconds to copy and paste in, and could save you some trouble when it comes to court proceeding… then again, I deal with customers who have A LOT to lose.

    Reply
  4. “4. Display SSH Banner” — huh?
    I guess you think putting a sign on your car that says “it is illegal to steal me” will stop auto-thieves too?
    As long as your at it, you might include the sentence “it is illegal to do things that are against the law” too. That’ll help!
    -RU

    Reply
  5. Hi Ravi – The site looks really fabulous as it answers almost all Linux queries, a very great job, special thanks to you and the team of yours.

    I am a new member who registered just 30 mins ago. I love Linux.

    Reply
  6. Adding Google’s “Google Authenticator” PAM module is a real bonus IMHO – you can use their free smartphone app to prompt for a one-time passcode in addition to your password if you attempt to log in without an RSA/DSA key – very useful if you’re connecting via an untrusted machine.

    Reply
  7. Displaying an SSH banner is unforgivably annoying and interferes with scp even in quiet mode forcing script writers to redirect the output of scp to /dev/null and therefore losing possible error reports that could otherwise have been sent to root.

    Reply
  8. Another good security tip is to run sshd on a non-standard port. See the “Port” option in /etc/sshdconfig. This will vastly cut down on login attempts by crackers.

    Reply
    • This is hardly any improvement. It will help you to get rid of script kiddies. If someone does portscan on the machine, it is the same as if you were running it on 22. Also this setting can confuse those who use ssh on daily basis.
      Besides, scripts kiddies can do portscans too.

      Reply
        • I don’t doubt that changing default port can reduce number of tries but completely eliminating attempts seems too strange to me.
          My point was, if someone targets your server and tries a little bit more than a quick blind attempt, it doesn’t really matter which port you are running ssh on.

          Reply
          • That’s true, but every bit helps. A long time ago I had already done the items listed in this article to secure my ssh server.

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.