Best Steps To Secure SSH Server on Debian 12 Bookworm


In this guide, we show you how to install and secure an SSH server on Debian 12 Bookworm. SSH is used to access Linux servers securely. Most users connect to their servers with the default SSH settings, which can cause security issues, so this guide walks through how to secure the SSH server on Debian 12 Bookworm.

How To Install and Secure SSH Server on Debian 12 Bookworm?

To set up a secure SSH server, you must have access to your server as a non-root user with sudo privileges and set up a basic firewall. For this purpose, you can visit this guide on Initial Server Setup with Debian 12 Bookworm.

Now proceed to the following steps to Install and Secure SSH Server on Debian 12 Bookworm.

Step 1 – Install SSH Server on Debian 12

First, you must run the system update with the following command:

sudo apt update

Then, use the command below to install the SSH server on Debian 12:

sudo apt install ssh -y

At this point, your SSH server should be enabled and running on your system. To verify this, run the command below:

sudo systemctl status ssh

Now proceed to the following step to Secure SSH Server on Debian 12 Bookworm.

Step 2 – Secure SSH Server Connection on Debian 12

There are many different ways to increase your SSH server security. Here we show some of them to secure the SSH server on Debian 12 Bookworm.

1: Disable Root Login on SSH Server

One way to secure the SSH server on Debian 12 Bookworm is to disable root logins. To do this, open the SSH server config file with your favorite text editor; here we use vi:

sudo vi /etc/ssh/sshd_config

Find the PermitRootLogin line and change its value to no:

PermitRootLogin no

When you are done, save and close the file.

Then, restart SSH to apply the changes:

sudo systemctl restart ssh

2: Change the Default SSH Server Port

To Secure SSH Server on Debian 12 Bookworm, it’s recommended to change the SSH default port on Debian 12.

Open the SSH Config file again with the command below:

sudo vi /etc/ssh/sshd_config

Find the Port line and change it to your desired value; here we change it to 2222:

Port 2222

When you are done, save and close the file.

If you are using a firewall, you must allow the new port through the firewall rules:

sudo ufw allow 2222

Then, restart SSH to apply the changes:

sudo systemctl restart ssh

You can also use the “netstat” command (part of the net-tools package) to verify it:

netstat -tulpn | grep 2222
Output
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      3199/sshd: /usr/sbi
tcp6       0      0 :::2222                 :::*                    LISTEN      3199/sshd: /usr/sbi

Note: Be careful when you change the default SSH server port on Debian 12, because you will have to specify the new port every time you connect. You can connect to your SSH server by using the command below:

ssh -p port username@ip_address

3: Block Access For Users without Passwords

You may have users without passwords on your system. You can block these users from accessing the SSH server. Again, open the SSH config file:

sudo vi /etc/ssh/sshd_config

Find the PermitEmptyPasswords line and change its value to no:

PermitEmptyPasswords no

When you are done, save and close the file.

4: Limit SSH Login Attempts

By default, SSH allows many password attempts per connection. You can limit this to prevent security issues. To do this, in your SSH config file, find the MaxAuthTries line and change its value to your desired number of attempts. For example:

MaxAuthTries 3

5: Enable SSH Server Version 2

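SSH protocol version 2 was designed to improve on the security of version 1. The OpenSSH release shipped with Debian 12 supports only protocol 2 (version 1 support was removed upstream), so the line below does not change behaviour on this release.

To set the second version of the SSH protocol explicitly on Debian 12, you can add the following Protocol line to the SSH config file as shown below: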

Include /etc/ssh/sshd_config.d/*.conf

Protocol 2

Note: Remember every time you make changes to the file, you must restart your SSH server to apply the changes.
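
Added example, not part of the original guide: sshd uses the first value it reads for each keyword, and the Include line shown above comes first, so a file in /etc/ssh/sshd_config.d/ can override the edits from items 1 to 4. The check below reads the effective settings printed by `sshd -T`; the function name and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against this guide's values.
# Real use (assumes the port chosen above):  sudo sshd -T | audit_sshd 2222
# `sshd -T` prints lowercase "keyword value" lines after Include files and
# defaults are resolved, so it shows what the daemon will actually enforce.

# audit_sshd EXPECTED_PORT   (reads `sshd -T` style text on stdin)
# Prints PASS/FAIL per check; returns 0 only when every check passes.
audit_sshd() {
    awk -v want_port="$1" '
        function check(ok, msg) {
            printf "%s %s\n", (ok ? "PASS" : "FAIL"), msg
            if (!ok) bad = 1
        }
        # Several Port lines are legal, so collect every listening port.
        $1 == "port" { ports[$2] = 1; next }
        { val[$1] = $2 }
        END {
            check(val["permitrootlogin"] == "no",
                  "permitrootlogin=" val["permitrootlogin"])
            check(val["permitemptypasswords"] == "no",
                  "permitemptypasswords=" val["permitemptypasswords"])
            check(val["maxauthtries"] != "" && val["maxauthtries"] + 0 <= 3,
                  "maxauthtries=" val["maxauthtries"])
            check((want_port in ports) && !(("22" in ports) && want_port != "22"),
                  "port " want_port " open, default port 22 closed")
            exit bad + 0
        }'
}

# Constructed samples of `sshd -T` output (not captured from a real host).
SAMPLE_HARDENED='port 2222
permitrootlogin no
permitemptypasswords no
maxauthtries 3'

SAMPLE_WEAK='port 22
permitrootlogin prohibit-password
permitemptypasswords no
maxauthtries 6'

# Demo on the constructed weak sample: three checks fail.
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd 2222 || true
```

Running `sudo sshd -t` before each restart also catches syntax errors in the file before they can lock you out.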

6: Connect to your Server by Using SSH Key Pairs

One of the most secure ways to connect to your server is to use SSH keys. An SSH key pair is two cryptographically secure keys that can be used to authenticate a client to an SSH server. With this option, you can connect to your server without using passwords. To do this, you must generate an SSH key pair.

For complete information, you can visit this guide on Generating SSH key pairs in Linux.

Conclusion

Securing SSH is one of the ways to protect connections to your servers. At this point, you have learned to install and secure an SSH server on Debian 12 Bookworm by using the tips covered in this guide. Securing your SSH server is crucial for the overall security posture of your Debian 12 system.

We hope you enjoyed it. You may also be interested in these articles:

How To Change SSH Port on Debian

Enable and Configure SSH on Ubuntu 22.04

How to Fix The “Connection reset by peer” SSH Error

Alternative Solutions to Secure SSH Server on Debian 12 Bookworm

While the above methods offer a strong foundation for securing your SSH server, there are other approaches you can take to further enhance security. Here are two alternative solutions:

1. Using Fail2ban to Prevent Brute-Force Attacks

Fail2ban is a powerful intrusion prevention software framework that monitors log files for malicious activity, such as excessive failed login attempts. When Fail2ban detects suspicious behavior, it automatically updates firewall rules to block the offending IP address for a specified period. This makes it an excellent tool for mitigating brute-force attacks against your SSH server.

Installation and Configuration:

  1. Install Fail2ban:

    sudo apt install fail2ban
  2. Configure Fail2ban for SSH:

    Fail2ban comes with a default configuration file for SSH, but it’s recommended to create a local override to avoid losing your changes during package upgrades.

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    sudo nano /etc/fail2ban/jail.local
  3. Edit the jail.local file:

    Locate the [sshd] section and modify the following parameters:

    • enabled = true (Enable the SSH jail)
    • port = ssh (or the port you’ve configured SSH to use)
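    • logpath = /var/log/auth.log (Path to the SSH log file; it exists only when rsyslog is installed, because a default Debian 12 install logs to the systemd journal instead, in which case the jail needs backend = systemd)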
    • bantime = 3600 (Ban the IP address for 1 hour – adjust as needed)
    • findtime = 600 (Time window to consider login attempts, in seconds)
    • maxretry = 3 (Number of failed login attempts before banning)

    Example configuration:

    [sshd]
    enabled  = true
    port     = 2222
    logpath  = /var/log/auth.log
    bantime  = 3600
    findtime = 600
    maxretry = 3
  4. Restart Fail2ban:

    sudo systemctl restart fail2ban

Fail2ban will now automatically monitor your SSH logs and ban IP addresses that exhibit suspicious login behavior, adding an extra layer of security against brute-force attacks. Securing SSH Server on Debian 12 Bookworm is made easier using this method.
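
Added example, not part of the original guide and not Fail2ban's own code: a simplified model of how maxretry and findtime interact, run over constructed auth.log lines. It assumes all lines fall on one day and only matches "Failed password" entries; the function name and sample addresses are illustrative.

```shell
#!/bin/sh
# would_ban MAXRETRY FINDTIME   (reads auth.log-style lines on stdin)
# Prints each source IP once, at the moment it reaches MAXRETRY failures
# inside a sliding window of FINDTIME seconds.
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Field 3 is HH:MM:SS; the sample is assumed to cover one day.
            split($3, hms, ":")
            now = hms[1] * 3600 + hms[2] * 60 + hms[3]
            # The source address follows the last word "from" on the line.
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || (ip in banned)) next
            n[ip]++
            seen[ip, n[ip]] = now
            # Count this failure plus earlier ones still inside the window.
            hits = 0
            for (k = 1; k <= n[ip]; k++)
                if (now - seen[ip, k] <= findtime) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip }
        }'
}

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_AUTH_LOG='Jun 10 12:00:01 deb12 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 10 12:00:05 deb12 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 10 12:00:09 deb12 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Jun 10 12:01:00 deb12 sshd[2110]: Failed password for alice from 198.51.100.20 port 51820 ssh2
Jun 10 12:08:00 deb12 sshd[2130]: Accepted password for alice from 198.51.100.20 port 51822 ssh2
Jun 10 12:20:00 deb12 sshd[2150]: Failed password for alice from 198.51.100.20 port 51900 ssh2
Jun 10 12:31:00 deb12 sshd[2170]: Failed password for alice from 198.51.100.20 port 51950 ssh2'

# With the values from the example configuration only the burst is banned;
# the three failures spread over 30 minutes never share one 600 s window.
printf '%s\n' "$SAMPLE_AUTH_LOG" | would_ban 3 600
```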

2. Implementing Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an extra layer of security by requiring users to provide two independent factors to verify their identity. In addition to their password, users typically need to enter a code generated by an app on their smartphone or a hardware token. This makes it significantly more difficult for attackers to gain access to your SSH server, even if they manage to compromise a user’s password.

Implementation using Google Authenticator:

  1. Install Google Authenticator PAM module:

    sudo apt install libpam-google-authenticator
  2. Configure SSH to use PAM:

    Edit the /etc/pam.d/sshd file:

    sudo nano /etc/pam.d/sshd

    Add the following line at the beginning of the file:

    auth required pam_google_authenticator.so nullok

    The nullok option allows users without 2FA enabled to still log in using only their password. Remove this option to require 2FA for all users.

  3. Configure SSH to use password authentication with PAM:

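    Ensure that ChallengeResponseAuthentication is set to yes and UsePAM is also set to yes in /etc/ssh/sshd_config. In current OpenSSH, ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication, so if your file already has a KbdInteractiveAuthentication line, set that one to yes.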

    sudo nano /etc/ssh/sshd_config

    Find and modify the lines:

    ChallengeResponseAuthentication yes
    UsePAM yes
  4. Disable password authentication for root (optional, but recommended):
    This setting should already be no if you followed the prior steps to secure SSH.

  5. Restart SSH:

    sudo systemctl restart ssh
  6. Configure Google Authenticator for each user:

    Each user who wants to use 2FA needs to run the following command:

    google-authenticator

    Follow the prompts to generate a secret key and configure the Google Authenticator app on their smartphone. The command will display a QR code that the user can scan with the Google Authenticator app. It will also provide emergency scratch codes that can be used if the user loses access to their phone.

Important Considerations:

  • Emergency Access: Make sure to securely store the emergency scratch codes generated by google-authenticator. These codes are essential for regaining access to the server if the user loses their phone or the Google Authenticator app.
  • User Training: Educate users on how to use Google Authenticator and the importance of keeping their secret key and scratch codes safe.

By implementing 2FA, you significantly reduce the risk of unauthorized access to your SSH server, even if an attacker manages to obtain a user’s password. This is a vital step in securing SSH Server on Debian 12 Bookworm. These additional steps will help you further protect your server.
