Securing SSH Connections: Key-Based Authentication and SSH Security Configuration

Securing SSH (Secure Shell) connections is critical when managing remote servers or accessing your Ubuntu system remotely. By default, SSH allows password-based authentication, which can be vulnerable to brute-force attacks and unauthorized access. In this detailed guide, we'll explore how to enhance SSH security by setting up key-based authentication and configuring other security measures such as disabling root login, changing the default port, and enforcing stronger protocols.

1. What is SSH?

SSH (Secure Shell) is a cryptographic network protocol that allows users to securely connect to remote servers. It encrypts traffic between the client and server, providing a secure way to execute commands, transfer files, and manage systems remotely. SSH is widely used by system administrators, developers, and anyone managing Linux-based servers.

However, using default SSH settings poses security risks, such as brute-force attacks, where attackers try different combinations of usernames and passwords to gain unauthorized access. To mitigate these risks, we need to enhance the security of SSH connections by using key-based authentication and tweaking various SSH configuration settings.

2. Key-Based Authentication

What is Key-Based Authentication?

Key-based authentication is a more secure alternative to password-based authentication. Instead of relying on a password, key-based authentication uses a pair of cryptographic keys (a public key and a private key) to verify the user's identity. The public key is stored on the server, while the private key is stored securely on the user's machine. During the SSH login process, the server and client exchange the keys to authenticate the connection.

Key-based authentication greatly enhances security since attackers cannot gain access simply by guessing passwords. They would need the private key, which is typically protected by a passphrase.

Generating SSH Key Pairs

The first step in setting up key-based authentication is to generate a pair of SSH keys on your local machine. Here's how you can do it:

• Open a terminal on your local machine.
• Run the following command to generate a new SSH key pair:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Let's break down this command:

• -t rsa: Specifies the type of key (RSA).
• -b 4096: Specifies the key length (4096 bits for stronger encryption).
• -C "your_email@example.com": Adds a comment with your email address for identification.
• You'll be prompted to choose a location to save the key. Press Enter to accept the default location (~/.ssh/id_rsa).
• Next, you'll be asked to enter a passphrase. It is highly recommended to use a strong passphrase to protect the private key. You can leave it blank, but that will reduce security.

Once the key pair is generated, your public key will be saved as id_rsa.pub and your private key as id_rsa.

Copying the Public Key to the Server

Now that you have generated your key pair, you need to copy the public key to the server you want to access via SSH. The simplest way to do this is by using the ssh-copy-id command:

ssh-copy-id username@remote_server_ip

This command copies your public key (id_rsa.pub) to the ~/.ssh/authorized_keys file on the remote server.

If you cannot use ssh-copy-id, you can manually copy the public key using the following method:

1. On your local machine, display the contents of your public key:

cat ~/.ssh/id_rsa.pub

1. Copy the output of the command.
2. On the remote server, log in via SSH using your password, and then edit the ~/.ssh/authorized_keys file:

nano ~/.ssh/authorized_keys

3. Paste the contents of your public key into the file and save it.

Now, you should be able to log in to the server without a password:

ssh username@remote_server_ip

Disabling Password Authentication

After successfully setting up key-based authentication, it's a good security practice to disable password-based authentication entirely. This prevents attackers from attempting brute-force attacks on your SSH server.

To disable password authentication:

1. Open the SSH configuration file on your server:

sudo nano /etc/ssh/sshd_config

1. Find the following line (or add it if it doesn’t exist):

PasswordAuthentication no

1. Save the file and restart the SSH service:

sudo systemctl restart ssh

This change ensures that only key-based authentication is allowed, further securing your SSH connections.

3. Additional SSH Security Configurations

Changing the Default SSH Port

By default, SSH listens on port 22, which is well-known and often targeted by attackers. Changing the SSH port to a non-standard port can help reduce the number of automated attacks.

To change the SSH port:

1. Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

2. Find the Port 22 line and change it to a different port number (e.g., 2222):

Port 2222

3. Save the file and restart SSH:

sudo systemctl restart ssh

Make sure to update your firewall settings to allow traffic on the new port:

sudo ufw allow 2222/tcp

Disabling Root Login

Allowing root login over SSH poses a significant security risk. Attackers can target the root account, which has full system privileges. It’s recommended to disable root login and instead use a non-privileged user with sudo access.

To disable root login:

1. Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

2. Find and set the following option:

PermitRootLogin no

3. Save the file and restart SSH:

sudo systemctl restart ssh

Enforcing Protocol 2

SSH supports two protocols: SSH-1 and SSH-2. SSH-1 is outdated and less secure, so you should ensure that your server only uses SSH-2.

To enforce SSH-2:

1. Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

2. Find the following line (or add it if it’s not there):

Protocol 2

3. Save the file and restart SSH:

sudo systemctl restart ssh

Limiting User Access

You can restrict which users are allowed to log in via SSH by editing the AllowUsers or AllowGroups directives in the SSH configuration file.

For example, to allow only specific users to connect via SSH:

AllowUsers username1 username2

Or, to allow only members of a specific group:

AllowGroups sshusers

Add this to the /etc/ssh/sshd_config file and restart SSH to apply the changes.

Enabling Fail2Ban for SSH

As a final layer of protection, you can use Fail2Ban to block IP addresses that exhibit suspicious behavior, such as multiple failed login attempts. Fail2Ban can help mitigate brute-force attacks by temporarily banning IPs after a certain number of failed attempts.

To set up Fail2Ban for SSH:

1. Install Fail2Ban:

sudo apt install fail2ban

2. Create or edit the Fail2Ban configuration file for SSH:

sudo nano /etc/fail2ban/jail.local

3. Add the following lines:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 600

4. Save the file and restart Fail2Ban:

sudo systemctl restart fail2ban

Now, Fail2Ban will monitor your SSH logs and ban IP addresses that make too many failed login attempts.

Conclusion

Securing your SSH connections is essential for protecting your Ubuntu system from unauthorized access and brute-force attacks. By setting up key-based authentication, disabling password authentication, changing the default port, and implementing other security measures such as disabling root login and using Fail2Ban, you can significantly enhance the security of your SSH service.

These steps are easy to implement and provide a solid foundation for SSH security. With these configurations in place, you can confidently manage your servers knowing that your SSH connections are more secure.