Securing SSH on Ubuntu: Essential Configurations for Enhanced Protection

In today’s cybersecurity landscape, properly configuring SSH is crucial. This guide focuses on hardening SSH on Ubuntu systems.

## SSH Configuration File Location

The SSH server configuration file in Ubuntu is located at:

/etc/ssh/sshd_config

## Key Security Parameters

### 1. Port Configuration

Port 22
Port 20000

- **Port 22**: Reserved for internal subnet access in the cloud, ideal for bastion host connections.
- **Port 20000**: Exposed to the internet for external SSH access. Using a non-standard port reduces automated attacks targeting the default SSH port.

### 2. Authentication Methods

PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

- **PasswordAuthentication no**: Disables password-based authentication, mitigating brute-force attacks.
- **PubkeyAuthentication yes**: Enables public key authentication, providing a more secure method of access.
- **PermitRootLogin no**: Prevents direct root login, significantly enhancing system security.

### 3. Connection Limits

MaxSessions 10
MaxStartups 2:50:3

- **MaxSessions 10**: Limits the number of concurrent SSH sessions, preventing resource exhaustion.
- **MaxStartups 2:50:3**: Implements a “slow start” algorithm for connection attempts, helping to mitigate potential DDoS attacks.

### 4. User Access Control

AllowUsers user1 user2

- **AllowUsers**: Restricts SSH access to specified users only, reducing the attack surface. user1 for access from external, user2 is the bastion access within cloud subnet.

## Implementation Steps

1. Open the SSH configuration file:
`sudo nano /etc/ssh/sshd_config`

2. Add or modify the parameters as shown above.

3. Save the file and exit the editor.

4. Restart the SSH service:
`sudo systemctl restart sshd`

5. Test the new configuration from a separate session to ensure you haven’t accidentally locked yourself out.

## Conclusion

These configurations significantly enhance your SSH server’s security posture while maintaining necessary access for authorized users. Regular review and updates of your SSH configuration are recommended as part of ongoing security maintenance.