SSH and Access Control Hardening Secure Your Linux Server Like a Pro

SSH and Access Control Hardening: Secure Your Linux Server Like a Pro

by

Learn how to harden SSH and Access Control Hardening on Ubuntu and openSUSE Linux servers using proven commands, configuration examples, and outputs. Strengthen system security and compliance with best practices for SSH hardening.

Key advantages of Access Control Hardening:

  • 1. Enhanced Security
    • Reduces the risk of unauthorized access to critical systems, files, and services.
    • Limits potential attack vectors for cybercriminals or malicious insiders.
  • 2. Compliance with Regulations
    • Helps meet industry standards and regulatory requirements such as SOC 2, ISO 27001, GDPR, HIPAA.
    • Demonstrates due diligence in protecting sensitive data.
  • 3. Minimized Insider Threats
    • Proper access controls restrict employees or users to only what they need (principle of least privilege).
    • Reduces accidental or intentional misuse of sensitive data.
  • 4. Improved Audit and Monitoring
    • Hardening access controls enables better tracking of user activities and access logs.
    • Facilitates auditing, forensic investigations, and accountability.
  • 5. Reduced Attack Surface
    • By tightening access and removing unnecessary permissions, fewer potential entry points are available for attackers.
    • Protects against common attacks like privilege escalation, brute force, and lateral movement.
  • 6. Operational Efficiency
    • Ensures users have the correct permissions, reducing confusion and potential operational errors.
    • Simplifies user and role management across systems.
  • 7. Protection of Critical Assets
    • Secures intellectual property, customer data, and sensitive business information from exposure.
    • Ensures business continuity by safeguarding key resources.

Comprehensive Access Control Hardening Steps

1. Disable Root Login

Root login via SSH is one of the most targeted attack vectors. Disabling root access prevents attackers from brute-forcing the default “root” account.

Commands (Ubuntu & openSUSE):

sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo systemctl restart ssh
# For openSUSE:
sudo systemctl restart sshd

Verify:

grep PermitRootLogin /etc/ssh/sshd_config

Expected Output:

PermitRootLogin no

Explanation:

This ensures only non-root users can connect. Admins must log in with their personal accounts and use sudo for privileged operations.

2. Enforce Key-Based Authentication

Using SSH keys instead of passwords significantly enhances security and eliminates brute-force vulnerabilities.

Step 1: Generate SSH Key Pair (on Client):

ssh-keygen -t ed25519 -C "admin@server"

Step 2: Copy the Public Key to Server:

ssh-copy-id admin@yourserver.com

If ssh-copy-id is missing on openSUSE, install it:

sudo zypper install openssh

Step 3: Disable Password Authentication (on Server):

sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

Verify:

grep PasswordAuthentication /etc/ssh/sshd_config

Expected Output:

PasswordAuthentication no

Explanation:

SSH keys provide cryptographic login. Disabling passwords ensures no one can access the system using stolen or guessed credentials.

3. Restrict SSH Access to Specific Users or Groups

Allowing SSH access only to specific trusted users or groups limits exposure.

Command (Ubuntu):

echo "AllowUsers admin devops" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart sshd

Alternative (openSUSE):

sudo echo "AllowGroups wheel sysadmin" >> /etc/ssh/sshd_config
sudo systemctl restart sshd

Explanation:

This ensures only selected accounts can connect via SSH. Perfect for production servers or SOC 2–controlled environments.

4. Change the Default SSH Port

Changing the SSH port reduces automated attacks targeting the default port 22.

Command:

sudo sed -i 's/^#Port.*/Port 2222/' /etc/ssh/sshd_config
sudo systemctl restart sshd

Verify:

sudo ss -tuln | grep 2222

Expected Output:

LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*

Firewall Configuration:

For Ubuntu (UFW):

sudo ufw allow 2222/tcp
sudo ufw reload

For openSUSE (firewalld):

sudo firewall-cmd --add-port=2222/tcp --permanent
sudo firewall-cmd --reload

Explanation:

This won’t stop targeted attacks but helps reduce scanning noise and intrusion attempts.

5. Enable Two-Factor Authentication (2FA)

Adding 2FA provides an additional layer of protection using a one-time password (OTP).

Install Google Authenticator:

Ubuntu:

sudo apt install libpam-google-authenticator -y

openSUSE:

sudo zypper install google-authenticator-libpam

Configure OTP for User:

google-authenticator

Add the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so

Edit /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes

Restart SSH service:

sudo systemctl restart sshd

Explanation:

SSH now requires both a private key and a time-based OTP. This provides strong multi-factor authentication against stolen key attacks.

6. Protect Against Brute-Force Attacks with Fail2Ban

Fail2Ban monitors SSH logs and automatically bans IPs showing repeated failed attempts.

Install:

Ubuntu:

sudo apt install fail2ban -y

openSUSE:

sudo zypper install fail2ban
sudo systemctl enable fail2ban --now

Configuration:

Edit /etc/fail2ban/jail.local and add:

[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 1h
findtime = 10m

Verify Status:

sudo fail2ban-client status sshd

Sample Output:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
 - Banned IP list: 203.0.113.5

Explanation:

This automatically blocks IPs that repeatedly fail authentication, reducing brute-force activity significantly.

7. Set Idle Timeouts and Session Limits

Automatically disconnect idle or incomplete SSH sessions.

Commands:

sudo tee -a /etc/ssh/sshd_config > /dev/null <<EOF
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60
EOF
sudo systemctl restart sshd

Explanation:

  • ClientAliveInterval: Disconnects idle users after 5 minutes.
  • LoginGraceTime: Cancels incomplete logins after 1 minute.

8. Audit SSH Logs Regularly

Monitoring SSH logs helps detect unusual activity and failed login attempts.

Commands:

For Ubuntu:

sudo tail -f /var/log/auth.log

For openSUSE:

sudo journalctl -u sshd -f

Example Log Output:

Oct 30 15:04:22 server sshd[1032]: Accepted publickey for admin from 192.168.1.20 port 53622 ssh2
Oct 30 15:10:41 server sshd[1040]: Failed password for invalid user test from 203.0.113.10 port 54422 ssh2

Explanation:

Review these logs frequently to identify repeated failed logins or suspicious source IPs.

9. SSH Hardening Checklist

MeasureVerification CommandExpected Result
Root Logingrep PermitRootLogin /etc/ssh/sshd_configno
Password Authgrep PasswordAuthentication /etc/ssh/sshd_configno
Allowed Usersgrep AllowUsers /etc/ssh/sshd_configList of authorized users
Custom Portss -tulngrep 2222
2FAgrep google_authenticator /etc/pam.d/sshdEnabled
Fail2Banfail2ban-client status sshdActive
Idle Timeoutgrep ClientAliveInterval /etc/ssh/sshd_config300

Conclusion

Hardening SSH access is one of the most critical steps for protecting Linux systems.
By implementing the above configurations across Ubuntu and openSUSE servers, you:

  • Reduce your attack surface against brute-force and credential attacks
  • Achieve better compliance with SOC 2 and ISO 27001 standards
  • Improve operational resilience through strong access control

Leave a Comment