How do I improve my OpenSSH security on my node?


OpenSSH is a very useful tool for remote Linux administration by Stake Pool Operators. However, it's also a very popular attack vector for outside threats.

This answer is based on LearnLinuxTV's video on 3 Important Tweaks for Improving OpenSSH Security on Your Cloud Instance:

To demonstrate why we would want to harden the ssh on our server all we need to do is check the multiple attempts various third-party actors run to break into the server. To check a log of the attempts to break in all you need to do is execute the following command after logging into your server:

sudo cat /var/log/auth.log |grep root

It is unlikely that your server will have no failed attempted logins by third-party actors who may be deliberately or inadvertently trying to login to your server. Usually as the root user.

How do go about securing our server?

Step 1 - SSH with root login

SSH into your server as the root user:

Or log in without an ssh client via the browser console provided by your VPS if you cannot access this publicly. Please check your VPS provider's FAQ or help section on how to log in as the root user their way.

ssh root@your_server_ip_address

Step 2 - Add a New User and Check Permissions

We need to create a new system user with admin privileges to avoid having the problem of logging yourself as root user during your setup.

This step can be followed at this link (an answer already made on this site):

Step 3 - Add ssh Key to Your New User

If you are still logged in as root switch over to the new user you created:

su - johnny

Remember to substitute johnny for whatever name you used as the new user on your system.

Let's check what files and folders (including hidden ones) reside in our home directory

cd ~
ls -al

It is most likely after creating your new user that there will not be a .ssh directory. This directory is the folder that will hold our ssh keys in a specific file called "authorized_keys". We create the directory and edit the authorized_keys file.

mkdir .ssh
cd .ssh
nano authorized_keys

Now, copy-paste your SSH key into the file and CTRL+O to write the file out and CTRL + X to close the file.

Step 4 - Disable root User Login

sudo nano /etc/ssh/sshd_config

This file will open with various parameters for our SSH configuration. One of them includes the "PermitRootLogin" parameter. We want to change that parameter from "yes" to "no".


#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10


Change the parameter to look like this

PermitRootLogin no

For this change to take effect you need to restart the ssh service

sudo systemctl restart ssh

Then check the ssh status

sudo systemctl status ssh

Step 5 - Disable Password Authentification

Make sure you have verified that you can log in using ssh authentication before continuing on this step!

sudo nano /etc/ssh/sshd_config

Change the parameter #PasswordAuthentication yes to this PasswordAuthentication no. Remember to remove the "#" hash prepend and change "yes" to "no".

Close the file and then restart ssh again.

sudo systemctl restart ssh

Step 6 - Change SSH Port from 22 to Another Port Number

sudo nano /etc/ssh/sshd_config 			#change ssh port 22 to something else
sudo systemctl restart ssh
sudo systemctl status ssh

For example, change the parameter from #Port 22 to Port 9509.
Remember to remove the "#" hash prepend when editing this parameter!

You can check that the port is correctly configured:

sudo netstat -tulpn |grep ssh

If netstat does not work you can install it using this command:

sudo apt install net-tools

If you are interested, you also check all ports that are open on your server using this command:

sudo netstat -tulpn

Step 7 - Optional step. Restrict Users on System

sudo nano /etc/ssh/sshd_config 			#change AllowUsers to include the usernames you restrict to log on

Edit sshd_config to include a line that restricts which users can log on. For example: AllowUsers johnny

sudo systemctl restart ssh
sudo systemctl status ssh

Be careful with this step as if you mistype the allowed users you will be locked out of your server definitively!

You can always check to see what has been going on regarding the login sessions on your server using this command

sudo cat /var/log/auth.log


This answer was published on 02 February 2021