If you’re like me and still find value in using traditional servers over the trendy serverless options, securing your SSH access is key. Whether you’re maintaining a legacy system or running predictable workloads, keeping your SSH connections secure is crucial. Here’s how you can lock down your SSH servers in five straightforward steps.

1. Restrict SSH Access to a Private Network

First things first, don’t let SSH connections be accessible from just anywhere. Limit access to your server by allowing SSH connections only from a controlled IP range within a private network. This means anyone trying to connect must first be within your private network. You can configure this using tools like iptables or ufw on your server, or by adjusting the firewall settings on your hosting provider’s network interface.

2. Set Up a Bastion Server

Need to allow internet access while keeping security tight? Enter the bastion server. This acts as an intermediary SSH server that you can access from the internet but doesn’t store any sensitive data itself. It’s like your personal gateway, ensuring that only vetted traffic gets through.

3. Forward SSH Keys

Since your bastion server won’t hold any keys, set up SSH key forwarding. This allows you to securely connect from your local machine through the bastion to your target server. Here’s a quick setup:

• Edit your ~/.ssh/config to route through the bastion server and forward keys:

Host bastion-00
    HostName 192.168.0.11
    User logic
    ForwardAgent yes

Host swarm-11
    HostName 192.168.0.42
    User logic
    ForwardAgent yes
    ProxyCommand ssh -W %h:%p bastion-00

• Start the SSH agent and add your private key:

ssh-agent
ssh-add -k

Now, you can connect to your target server (swarm-11) via the bastion server (bastion-00) without storing private keys on the bastion. If your SSH public key isn’t already on the servers, copy it over using:

ssh-copy-id bastion-00
ssh-copy-id swarm-11

4. Use Key-Only Authentication

Ditch passwords for SSH access. Rely solely on key authentication to connect to your servers. To disable password authentication, update the SSH daemon configuration file (/etc/ssh/sshd_config) by setting:

PasswordAuthentication no

Then reload your SSH server. On systems using systemd, like Ubuntu, you can restart SSH with:

systemctl restart ssh

5. Disallow Root SSH Access

Keep root access via SSH off-limits. SSH connections should be made using non-root users, escalating privileges with su or sudo when necessary. Ensure this by setting:

PermitRootLogin no

in your SSH daemon configuration. This adds an extra layer of security, requiring strong password authentication for any privilege escalation.

A Few More Considerations

Before making changes to your SSH configuration, ensure you can still connect to your server. Test your connection after each change to avoid locking yourself out. With these steps, you’re set to keep your SSH servers secure and running smoothly.

By following these best practices, you’ll greatly enhance the security of your SSH servers, ensuring that only authorized users can access your systems. Happy securing!