Introduction
After installing OpenSSH, there are extra steps that can improve the SSH security of your Rcs Arch Linux server. Consider following these best practices.
Disable Root Login
Allowing the root account to connect via SSH is a poor security practice. It's preferred to connecting with a non-root account and use sudo
to temporarily gain root privileges.
Create a sudo user. If there is not already a user account with sudo access, follow the steps in this guide to create one.
To disable root login, open the file
/etc/ssh/sshd_config
in a text editor, and find the following line:#PermitRootLogin prohibit-password
Enable the directive by removing the # at the beginning of the line.
Change prohibit-password to no to disable root logins via SSH. The line should now look like this:
PermitRootLogin no
Restrict Which Users Can Use SSH
If some system accounts should not access the server remotely, set an allow list of users and groups that may connect via SSH.
Edit
/etc/ssh/sshd_config
$ nano /etc/ssh/sshd_config
To allow specific users SSH access, add a line like:
AllowUsers example_user1 example_user2
To allow user groups SSH access, add a line like:
AllowGroups example_group1 example_group2
Specify any number of users or groups separated by spaces.
Change the SSH Port
Change the default SSH port (22) to any unused port greater than 1024.
Edit
/etc/ssh/sshd_config
$ nano /etc/ssh/sshd_config
Find this line:
Port 22
If the line is commented out with #, remove the # symbol.
Choose any unused port greater than 1024. For example:
Port 2222
SSH can listen on multiple ports if you add more Port lines with one port number per line.
Use SSH Keys
We recommend using an SSH key instead of a password to authenticate. It is also usually more convenient.
Generate a Key Pair
If you do not already have an SSH key pair, create one by following the guide, How Do I Generate SSH Keys?
Locate your public key to complete the following steps.
Enable SSH Key Login
Edit
/etc/ssh/sshd_config
$ nano /etc/ssh/sshd_config
Find this line:
#PubkeyAuthentication yes
If the line is commented out with #, remove the # symbol.
Copy the Public Key to the Server
To log in with an SSH key, the user must place their public key in their ~/.ssh/authorized_keys
file. Use one of the following methods:
Method 1: Copy the Key with ssh-copy-id
If your local machine has OpenSSH installed, and your public key is in ~/.ssh/id_rsa.pub
(the default location), send your key to the server with the following command:
$ ssh-copy-id username@YOUR-SERVER-IP
Method 2: Manually Add the Key
- In the server user's home directory, create the file
~/.ssh/authorized_keys
if it does not already exist. - Paste the public key into the file.
Disable Password Login
After enabling SSH key authentication, it a best practice to disable password authentication. Make sure you've tested SSH key login first. If your SSH key doesn't work, and you disable password login, you'll lose SSH access.
Edit
/etc/ssh/sshd_config
$ nano /etc/ssh/sshd_config
Find this line:
#PasswordAuthentication yes
If the line is commented out with #, remove the # symbol.
Replace yes with *no**.
The line should look like this when finished.
PasswordAuthentication no
Test the SSH Configuration File
After modifying the SSH configuration of your Rcs server, it's a best practice to verify there are no syntax errors in the file. This ensures that OpenSSH starts without problems.
Run the following command as root to test the configuration file:
# sshd -t
If there is no output, the configuration file is valid. Otherwise, fix the specified errors before continuing.
Restart OpenSSH
After all configuration files changes are complete and validated, restart OpenSSH to apply the new configuration.
Run the following command as root:
# systemctl restart sshd.service