How to Harden SSH Security in Debian 12 Bookworm

This guide covers best practices to harden SSH security on Debian 12 Bookworm.
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  3 minute read  

Secure Shell (SSH) is a fundamental tool for managing remote systems securely. However, if left with default settings, SSH can become a target for attackers. Hardening SSH security is crucial for protecting Debian 12 Bookworm servers from brute-force attacks, unauthorized access, and other threats.

This guide covers best practices to harden SSH security on Debian 12 Bookworm. By following these steps, you can enhance the security of your remote connections and reduce potential vulnerabilities.

1. Update Your System

Before making any modifications, ensure your Debian 12 system is up to date:

sudo apt update && sudo apt upgrade -y

This ensures you have the latest security patches and updates installed.

2. Disable Root Login

Allowing direct root login via SSH is a security risk. Instead, use a non-root user with sudo privileges.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the following line:

PermitRootLogin yes

Change it to:

PermitRootLogin no

Save and exit, then restart SSH:

sudo systemctl restart ssh

3. Change the Default SSH Port

Attackers commonly scan port 22 for SSH. Changing the default port adds an extra layer of security.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the following line:

#Port 22

Uncomment it and change it to a non-standard port (e.g., 2222):

Port 2222

Restart SSH:

sudo systemctl restart ssh

Make sure to adjust your firewall settings to allow traffic on the new port:

sudo ufw allow 2222/tcp
sudo ufw reload

4. Use SSH Key-Based Authentication

Password authentication is vulnerable to brute-force attacks. Switching to key-based authentication enhances security.

Generate an SSH Key Pair

On your local machine, generate a key pair:

ssh-keygen -t ed25519 -C "your_email@example.com"

This creates two files:

  • id_ed25519 (private key)
  • id_ed25519.pub (public key)

Copy the public key to the remote server:

ssh-copy-id -p 2222 username@your-server-ip

Alternatively, manually copy and append the key to ~/.ssh/authorized_keys.

5. Disable Password Authentication

Once SSH key authentication is set up, disable password authentication.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Set the following:

PasswordAuthentication no

Restart SSH:

sudo systemctl restart ssh

6. Enable SSH Connection Limits

To prevent brute-force attacks, configure connection limits using fail2ban.

Install fail2ban

sudo apt install fail2ban -y

Configure fail2ban for SSH

Create a new jail file:

sudo nano /etc/fail2ban/jail.local

Add the following configuration:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600

Restart fail2ban:

sudo systemctl restart fail2ban

7. Enable Two-Factor Authentication (2FA)

For added security, enable 2FA using libpam-google-authenticator.

Install the Google Authenticator PAM module

sudo apt install libpam-google-authenticator -y

Run the setup tool:

google-authenticator

Answer the prompts and save the QR code or secret key.

Edit /etc/pam.d/sshd and add:

auth required pam_google_authenticator.so

Edit /etc/ssh/sshd_config and set:

ChallengeResponseAuthentication yes

Restart SSH:

sudo systemctl restart ssh

Now, SSH will require a verification code in addition to your key.

8. Configure Firewall Rules

Use ufw to allow SSH traffic only from trusted IPs.

Allow access from a specific IP

sudo ufw allow from 192.168.1.100 to any port 2222

Deny all other SSH connections

sudo ufw deny 22

Reload ufw:

sudo ufw reload

9. Monitor SSH Logs

Regularly monitor SSH logs for suspicious activity:

tail -f /var/log/auth.log

Look for repeated failed login attempts and unauthorized access.

10. Set Idle Timeout

To automatically disconnect idle SSH sessions, configure an idle timeout.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Set:

ClientAliveInterval 300
ClientAliveCountMax 0

Restart SSH:

sudo systemctl restart ssh

Conclusion

By implementing these steps, you can significantly enhance SSH security on your Debian 12 Bookworm system. Regular monitoring, updates, and following security best practices will help safeguard your system against unauthorized access and potential threats.

Stay proactive in securing your server, and always test configurations before applying them to production environments.


< How to Enable and Configure AppArmor on Debian 12 BookwormHow to Disable Root Login Over SSH in Debian 12 Bookworm >