Оффлайн
- Регистрация
- 1 Мар 2015
- Сообщения
- 1,481
- Баллы
- 155
Table Of Content
Introduction
terday, I talked about how Linux is secure by design but only if you take action. Today, I’m locking down one of the most important services on any Linux system:
Why SSH Needs Protection
By default, SSH can:
This is convenient, but it also makes your system predictable and vulnerable.
1. Disable Root Login
Why?
Allowing root to log in remotely is risky if someone cracks the password, they get full control instantly.
How:
sudo nano /etc/ssh/sshd_config
PermitRootLogin no
sudo systemctl restart ssh
Now, root cannot log in via SSH.
2. Change the Default SSH Port
Why?
Bots scan port 22 constantly. Moving SSH to a non-standard port reduces noise and avoids low effort attacks.
How:
sudo nano /etc/ssh/sshd_config
Port 2222
(Pick any unused port between 1024 and 65535)
sudo ufw allow 2222/tcp
sudo systemctl restart ssh
You’ll now connect like this:
ssh -p 2222 user@your-server
3. Set Up Key-Based Authentication
Why?
SSH keys are far more secure than passwords and resistant to brute-force attacks.
? Step-by-Step:
** On Your Local Machine (Client):**
ssh-keygen -t rsa -b 4096
ssh-copy-id user@your-server -p 2222
sudo nano /etc/ssh/sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
sudo systemctl restart ssh
Now, only systems with your private key can log in.
Bonus: Test Before Locking Yourself Out
Always open a second terminal and test your changes before closing your current SSH session. That way, if anything breaks, you're still connected and can fix it.
Summary What I Learned Today
Result: My Linux SSH access is now much harder to exploit.
I would love to hear your thoughts, experiences, or tips about Linux!
Feel free to share in the comments and join the conversation.
Connect with me on !
#30DaysLinuxChallenge #CloudWhistler #RedHat #Cloudsecurity #DevOps #Linux #OpenSource #CloudComputing #RedHatEnterpriseLinux #SystemLogs #EnterpriseIT #Observability #Logging #SysAdmin #Automation #CloudEngineer #TechForBusiness #ITSupport #SRE #CloudOps
- Introduction
- Why SSH Needs Protection
- Disable Root Login
- Change the Default SSH Port
- Set Up Key-Based Authentication
- Summary What I Learned Today
Introduction
terday, I talked about how Linux is secure by design but only if you take action. Today, I’m locking down one of the most important services on any Linux system:If SSH is exposed and misconfigured, it becomes a high-value target for brute-force attacks and exploits. So let’s secure it step-by-step.
Why SSH Needs Protection
By default, SSH can:
- Allow root login
- Use password authentication
- Run on the default port (22)
This is convenient, but it also makes your system predictable and vulnerable.
1. Disable Root Login
Why?
Allowing root to log in remotely is risky if someone cracks the password, they get full control instantly.
How:
- Open the SSH config file:
sudo nano /etc/ssh/sshd_config
- Find or add this line:
PermitRootLogin no
- Save and restart SSH:
sudo systemctl restart ssh
Now, root cannot log in via SSH.
2. Change the Default SSH Port
Why?
Bots scan port 22 constantly. Moving SSH to a non-standard port reduces noise and avoids low effort attacks.
How:
- Edit the SSH config again:
sudo nano /etc/ssh/sshd_config
- Change the port:
Port 2222
(Pick any unused port between 1024 and 65535)
- Allow the new port in the firewall:
sudo ufw allow 2222/tcp
- Restart SSH:
sudo systemctl restart ssh
You’ll now connect like this:ssh -p 2222 user@your-server
3. Set Up Key-Based Authentication
Why?
SSH keys are far more secure than passwords and resistant to brute-force attacks.
? Step-by-Step:
** On Your Local Machine (Client):**
- Generate a key pair:
ssh-keygen -t rsa -b 4096
- Copy the public key to the server:
ssh-copy-id user@your-server -p 2222
On Your Server:
- Edit the SSH config again:
sudo nano /etc/ssh/sshd_config
- Ensure these settings are enabled:
PubkeyAuthentication yes
PasswordAuthentication no
- Restart SSH:
sudo systemctl restart ssh
Now, only systems with your private key can log in.Bonus: Test Before Locking Yourself Out
Always open a second terminal and test your changes before closing your current SSH session. That way, if anything breaks, you're still connected and can fix it.
Summary What I Learned Today
- Remote root login is dangerous, I disabled it.
- Port 22 is predictable, I moved SSH to a safer port.
- Passwords can be brute forced, I switched to SSH keys.
- I always test SSH changes before restarting or disconnecting.
Result: My Linux SSH access is now much harder to exploit.
I would love to hear your thoughts, experiences, or tips about Linux!
Feel free to share in the comments and join the conversation.
Connect with me on !
#30DaysLinuxChallenge #CloudWhistler #RedHat #Cloudsecurity #DevOps #Linux #OpenSource #CloudComputing #RedHatEnterpriseLinux #SystemLogs #EnterpriseIT #Observability #Logging #SysAdmin #Automation #CloudEngineer #TechForBusiness #ITSupport #SRE #CloudOps