Ubuntu SSH Hardening: Keys, Fail2ban, and Access Policies

Introduction

Secure Shell (SSH) is an essential protocol for secure remote access to Linux systems. However, its widespread use makes it a prime target for cyber attacks. Understanding how to harden your SSH configuration is critical to safeguarding your server from unauthorized access. SSH hardening involves employing various techniques to strengthen the security of SSH services, ensuring that only legitimate users can access your systems.

In this tutorial, we will explore several key concepts for SSH hardening on Ubuntu systems, including the use of public key authentication, the installation and configuration of Fail2ban to mitigate brute-force attacks, and the implementation of strict access policies. By following these practices, you can significantly enhance the security of your SSH environment, ensuring a safer and more resilient server setup.

Prerequisites

Ubuntu Version: This tutorial is applicable to Ubuntu 20.04 and later.
Required Packages: OpenSSH Server, Fail2ban
Permissions: Root or sudo access to the system.
Risks: Improper configuration can lock you out of your server; always ensure you have an alternative access method available.

Core Concepts

SSH (Secure Shell): A protocol used to securely connect to remote systems over a network.
sshd_config: The main configuration file for the OpenSSH server that defines how SSH operates.
PubkeyAuthentication: A method of authenticating users using cryptographic key pairs instead of passwords.
Fail2ban: A service that scans log files for malicious activity and bans IP addresses that show signs of abuse.
Ports: The network ports that SSH listens on (default is port 22).
Banner: A message displayed upon SSH login, which can serve both informational and security purposes.

Understanding these concepts is crucial for effectively implementing SSH hardening techniques.

Syntax/Commands

Command	Description
`sudo nano /etc/ssh/sshd_config`	Edit the SSH configuration file.
`sudo systemctl restart ssh`	Restart the SSH service to apply changes.
`ssh-keygen`	Generate a new SSH key pair.
`fail2ban-client status`	Check the status of Fail2ban.
`sudo ufw allow <port>`	Allow specific ports through the firewall.
`sudo service fail2ban restart`	Restart the Fail2ban service.

Practical Examples

1. Generating SSH Key Pairs

To begin hardening your SSH access, you should use public key authentication. Generate your SSH key pair with the following command:

ssh-keygen -t rsa -b 4096
# Press ENTER to accept the default file location
# Optionally, set a passphrase for added security

2. Copying Public Key to Server

Transfer the public key to the remote server using SSH:

ssh-copy-id username@remote_server_ip
# Replace username and remote_server_ip with your actual username and server IP.

3. Configuring sshd_config for Key Authentication

Edit the SSH configuration file to disable password authentication and enable public key authentication:

sudo nano /etc/ssh/sshd_config
# Set the following parameters:
PubkeyAuthentication yes
PasswordAuthentication no

4. Restarting the SSH Service

After making changes to sshd_config, restart the SSH service to apply them:

sudo systemctl restart ssh

5. Installing Fail2ban

Install Fail2ban to protect against brute-force attacks:

sudo apt update
sudo apt install fail2ban

6. Configuring Fail2ban

Create a local configuration file to customize Fail2ban settings:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
# Enable the SSH jail by modifying the following:
[sshd]
enabled = true
maxretry = 3
bantime = 3600

7. Starting Fail2ban

Start and enable the Fail2ban service:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

8. Checking Fail2ban Status

Check the status of Fail2ban to ensure it is running:

fail2ban-client status

Real-World Scenarios

Scenario 1: Securing a Single Server

You have a single Ubuntu server that needs to be secured from unauthorized SSH access. By following the steps above, you can implement public key authentication and configure Fail2ban to monitor and ban IPs after multiple failed login attempts. This drastically reduces the risk of brute-force attacks.

Scenario 2: Managing Multiple Users

In an organization with multiple developers accessing a server, ensure that each user has their own SSH key pair. Set up separate user accounts and apply access policies through the sshd_config file. Limit user access by using the AllowUsers directive in sshd_config.

Scenario 3: Remote Work Environments

As remote work becomes prevalent, SSH is often used for secure connections to corporate servers. By implementing a custom SSH port, Fail2ban, and disabling password-based authentication, organizations can significantly lower the chances of unauthorized access, ensuring that sensitive corporate data remains secure.

Best Practices

Use Strong Key Length: Always generate SSH keys with at least 2048 bits; ideally, use 4096 bits for enhanced security. 🔒
Regularly Update Packages: Keep your system and packages up to date to protect against vulnerabilities. Run sudo apt upgrade regularly.
Implement Firewall Rules: Use ufw or iptables to restrict access to the SSH port only to known IP addresses. ⚠️
Change the Default SSH Port: Consider changing the default SSH port (22) to a less common port to reduce automated attacks. For example, set Port 2222 in sshd_config.
Use SSH Agent Forwarding Wisely: Be cautious when using agent forwarding; it can expose your keys if not handled correctly.

Common Errors

"Permission denied (publickey)": This error occurs when the server cannot find the public key.
- Cause: Public key not added to ~/.ssh/authorized_keys.
- Fix: Ensure the public key is correctly copied to the server.
"sshd: no host keys available": This indicates that the SSH server cannot find a host key.
- Cause: Host keys not generated or corrupted.
- Fix: Regenerate host keys using sudo ssh-keygen -A.
"Connection refused": This error means the SSH service is not listening on the expected port.
- Cause: SSH service not running or firewall blocking the port.
- Fix: Start the SSH service and check firewall rules.
"Too many authentication failures": This occurs when too many authentication methods fail.
- Cause: Using multiple identity files or keys.
- Fix: Specify the correct key with -i or reduce the number of keys loaded by the SSH agent.

Related Commands

Command	Description
`ssh`	Connect to a remote machine using SSH.
`scp`	Securely copy files between hosts.
`sftp`	Secure file transfer protocol over SSH.
`ssh-add`	Add private keys to the SSH agent.
`ssh-agent`	A program that holds private keys used for public key authentication.

Automation Script

Here’s a complete Bash script to automate the SSH hardening process:

#!/bin/bash

# SSH Hardening Script for Ubuntu

# Update package list
sudo apt update

# Install OpenSSH Server and Fail2ban
sudo apt install -y openssh-server fail2ban

# Generate SSH Key Pair
ssh-keygen -t rsa -b 4096 -N "" -f $HOME/.ssh/id_rsa

# Copy the public key to the server
ssh-copy-id username@remote_server_ip

# Configure sshd_config
sudo bash -c 'cat <<EOF >> /etc/ssh/sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Port 2222
EOF'

# Restart SSH service
sudo systemctl restart ssh

# Configure Fail2ban
sudo bash -c 'cat <<EOF >> /etc/fail2ban/jail.local
[sshd]
enabled = true
maxretry = 3
bantime = 3600
EOF'

# Start and enable Fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

echo "SSH hardening completed successfully! 🚀"

Conclusion

In this tutorial, we covered critical techniques for hardening your SSH configuration on Ubuntu, including the implementation of public key authentication, Fail2ban for brute-force protection, and access policies through sshd_config. By following these best practices, you can greatly enhance the security of your Linux systems against unauthorized access.

Next Steps

Explore advanced SSH configurations, such as two-factor authentication.
Regularly audit your SSH access logs for suspicious activity.
Stay updated with the latest security patches and practices.

References

By following this guide, you'll be well on your way to creating a more secure SSH environment on your Ubuntu systems. Happy securing! 🔐