Securing SSH access in Debian

By default Debian asks to set a strong root password. But this could be possible guessed by brute force. Here are some hints to secure your remote login.

Your root password will not become obsolete by following this hints. You will still need it for local recovery login.

1. Use a ssh key

To create a new key, run the following command. Be careful not to overwrite an existing key when entering the filename. The passphrase could be empty, if one prefer to login instantly without any interaction.

user@local:~$ ssh-keygen

Without any command line option a key with RSA 2048 will be generated. The key is stored in the directory ~/.ssh, which is only accessible by yourself (0700). Keep the private key secure, while the public part could be read by others. The private part by default is id_rsa (0600) and the public is (0644).

Finally the public key will be transfered to your remote system. At this time your your root password will be asked.

user@local:~$ ssh-copy-id root@remote

From now on, every login at your remote system will first try to match the remote public part with the local private part.

2. Disable root login

If the remote system is worldwide accessible by SSH, one will find a lot of password guessing attempts every second in /var/log/syslog/auth.log.

First create a new user, which will be used without a password, but with a key. Replace USER with your user name.

root@remote:~# adduser –ingroup users –disabled-password USER

Next the SSH directory is created. The authorized_keys will contain the public key, wich could be filled manually, or copy it from the root login.

root@remote:~# mkdir /home/USER/.ssh
root@remote:~# cp /root/.ssh/authorized_keys /home/USER/.ssh/
root@remote:~# chown -R USER:users /home/USER/

While the terminal with root privileges remains open (and will not be closed by SSH restart), a new additional connection to the remote server has to be established. This way one will not lock yourself out of the remote server.

Next the root login will be disabled in by editing /etc/ssh/sshd_config changing the “yes” in following part to “no”

PermitRootLogin no

Finally the SSH service will be restarted

root@remote:~# service ssh restart

Now the login with user root will be impossible, but the USER can login.

3. Work with sudo

Working with sudo is a nice way to control user access on group or command basis to grant root privileges.

root@remote:~# apt install sudo

By default all users which are part of he sudo group could execute this command, so add the sudo group to the new user.

root@remote:~# adduser USER sudo

But a password is still needed. To remove the password requirement, edit the configuration

root@remote:~# export EDITOR=vim
root@remote:~# visudo

And change the sudo group line, so no password is required if the new user requests sudo


4. Using fail2ban

Install fail2ban, which automatically detects brute force attempts to SSH and blocks its IP addresses with the help of iptables.

USER@remote:~$ sudo apt install fail2ban

Create a commented copy of the config to edit parts in jail.local

USER@remote:~$ sudo awk ‘{ printf “# “; print; }’ /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local

Do not forget to restart fail2ban after your changes.

root – Debian Wiki
SSH – Debian Wiki
Securing Debian Manual Chapter 5 – Securing services running on your system
How To Protect SSH with Fail2Ban on Ubuntu 14.04

Author: admirableadmin

Hello World! Ich bin Andreas Peichert und entwickle und programmiere Software seit 2000. Zurzeit arbeite ich als Senior Solution Architect.

Leave a Reply

Your email address will not be published. Required fields are marked *