5 Must Have Tweaks to Secure OpenSSH

OpenSSH is a fantastic tool for remotely managing Linux servers, but with great power comes great responsibility! If a threat actor is able to gain access to OpenSSH on your Linux server, then they have full access to cause all kinds of mischief. In this video, Jay goes over 5 must-have tweaks to strengthen the security of OpenSSH on your server.

Thanks yet again to Linode for sponsoring this video!

*⏰ TIME CODES*
00:00 - intro
03:12 - Tweak 0: Disable the OpenSSH service if you don't plan on using it
05:07 - Tweak 1: Change the default port that SSH listens on
10:05 - Tweak 2: Preventing access to ssh from the root account
14:07 - Tweak 3: Disabling password authentication completely
17:09 - Tweak 4: Suggestion: Use a firewall rule to further protect SSH
19:21 - Tweak 5: Suggestion: Use a hardware key for extra security
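As an added example (not code from the video or from Learn Linux TV), here is a small POSIX shell audit that reads a sshd_config and checks whether Tweaks 1 to 3 are in place. It follows two details of sshd's parsing that catch people out: the first value given for a keyword wins, and anything below a Match line applies only to matching connections, so the sample config's LAN-only password exception does not weaken the global "keys only" setting. The sample config, its port and the 192.168.1.0/24 address are constructed for the demo.

```shell
# Added example (not from the video): audit a sshd_config for Tweaks 1-3
# (non-default port, no root login, no password auth). sshd semantics relied
# on: the FIRST value for a keyword wins, keywords are case-insensitive, and
# lines after "Match" apply only to matching connections.

sshd_global_value() {
    # usage: sshd_global_value <config-file> <keyword>
    # prints the effective global value, or nothing if unset before any Match
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { exit }         # end of the global section
        tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$1"
}

audit_sshd_config() {
    # prints one finding per missing tweak; returns 0 only if all three hold
    local cfg="$1" rc=0 port root pass
    port=$(sshd_global_value "$cfg" Port)
    root=$(sshd_global_value "$cfg" PermitRootLogin)
    pass=$(sshd_global_value "$cfg" PasswordAuthentication)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Tweak 1: sshd still listens on the default port 22"; rc=1
    fi
    if [ "$root" != "no" ]; then
        echo "Tweak 2: PermitRootLogin is '${root:-unset, default prohibit-password}'"; rc=1
    fi
    if [ "$pass" != "no" ]; then
        echo "Tweak 3: PasswordAuthentication is '${pass:-unset, default yes}'"; rc=1
    fi
    return "$rc"
}

# Constructed sample config (not a real server's file). The Match block grants
# passwords only to made-up LAN addresses; every other client, including the
# internet, gets the global "no".
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF
audit_sshd_config "$SAMPLE_CFG" && echo "all three tweaks are in place"
rm -f "$SAMPLE_CFG"
```

Run it against a copy of your own /etc/ssh/sshd_config; note it reads one file only, so settings in /etc/ssh/sshd_config.d/ include files are not seen.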

*⚠️ DISCLAIMER*
Learn Linux TV provides technical content that will hopefully be helpful to you and teach you something new. However, this content is provided without any warranty (expressed or implied). Learn Linux TV is not responsible for any damages that may arise from any use of this content. Always make sure you have written permission before working with any infrastructure and that you are compliant with all company rules, change control procedures, and local laws.

#LinuxServer #DevOps #OpenSSH
Comments

Just wanted to say thanks for all that you do! I didn’t know anything about Linux a month ago, and now I’m able to start up my own servers from scratch and maintain them with ease.

koltonward

I will suggest that when you do your Firewall Video collection, you include Tweak #4.5 - Leverage a Bastion Host: all others will only allow ssh from the Bastion local IP (which is fixed), and the Bastion is the only box allowed to be seen from the Internet, with SELinux turned on, very regularly patched, and nothing of consequence running on it. So, once someone goes to multiple servers or VMs, they all can just be accessed only from the Bastion. It would also be great to have the various video links you mention in your description, so I can find them easily without having to go to that place in the video :^).
Great job making these security issues clear and understandable!😀

timrobertson

Thanks to your channel I was able to learn so much and it helps me to do my job, support my family. All this great, well structured learning content for free is God's work. Thank you!

Drna

Just an FYI for all interested - enable and start a service in systemd with a single command: "systemctl enable {service} --now" - thank you Jay for all your content ... always a pleasure

ThePswiegers

Great video even if the title is clickbaity. I would just like to point out that because of the port scanning mentioned in Tweak 1 and the dynamic IPs mentioned in Tweak 4, another good method is to lock the SSH connection to the Local Network of the server and VPN into it. This way SSH is not exposed to the internet and cannot be compromised by port scanning, you don't have to bother with fail2ban and checking logs, and you would only have to take good care of securing your VPN server.

MisterSilenzo

I'm actually a bit surprised you didn't go ahead with making the key. Making a key and copying it over is just such a quick and easy thing to do, but I understand it's already a bit of a long video. Good tips for the newer folk though. I've been using it for quite a few years, and I just learned about the whence command while I was tinkering at the keyboard out of boredom, so us less-than-newbie folk can still learn new tricks too. That's why I watch your lower level stuff when you post it; once in a while there's something I didn't know or hadn't used for so long I'd forgotten it.

binbashbuddy

I didn't see any cards to other videos pop up. Great video!

Timjstewart

To expand on Tweak 4, install and use Tailscale. No ssh port exposed to the world and ssh is only available to authenticated Tailscale clients

funkykong

1st class video, I used it to review my own ssh settings, thanks ..

anoldslowhorse

I like to create a group called “sshusers”, add this group to the necessary users, then in sshd_config, add an entry “AllowGroups sshusers”. This limits the scope of users who can ssh in to a box. (There is also an “AllowUsers” option)

joeyr

Thanks Jay for your wonderful work. I don't know how to suggest topics so I will just mention here: how about explaining ports; servers (e.g. where is my docker server? ...or my nextcloud server?). How can I manage the port assignments to avoid conflicts? If this is not of interest then maybe a segment on where to find this info?
You are doing a fantastic job - please keep it up!!!

jonathanrider

I generally make a point of verifying that I can still make a connection via ssh after every restart of sshd when making changes, by making a new connection from a remote machine, while the original connection is still active. This way if something is wrong and I cannot connect with the new config, I still have access and can restore the old config.
Even with a VPS there are ways to get a console without ssh, but it's a pain I prefer to avoid.

SuprousOxide

Is there a way of allowing password access but only from local LAN? Outside LAN then ssh key.

sendgl

Very interesting. What about knockd, or when the destination user account is encrypted?

benverdel

I was a bit scared of using ssh keys at first, fear of being locked out etc, but loved them very quickly, and have all my clients and apps (filezilla, winscp, juicessh etc etc) all configured now to use ssh keys instead of a password. You didn't mention this in the video I think, but disabling password auth seemed to hide my (custom) ssh port from nmap network/port scans now, too.

yorkshireplumbing

Why constantly clear the screen? It makes scrubbing to look for the commands you're looking for very painful.
Thanks for your videos.

wva

Another great video. So for those of us traveling more than half the month, on various networks, and always on a VPN provider, with changing IPs, is there a suggestion of how to set up IP security? I know the question answers itself, but I was wondering if there's a way to get maximum security with an extremely mobile lifestyle.

AquariusTurtle

One of my frustrations at the moment is how to manage SSH keys across many devices in a small enterprise network. We have switches, APs, routers, servers, clients (Windows, Linux, etc). I find videos galore talking about how to set up the keys and to secure the SSH server - but nothing about how to manage the keys. Such as, if I as an admin have a key that is used within the network and placed on many devices, and any of my workstations is compromised and the private keys are accessed - then the system is in great danger. Where are the keys implemented? Keep this in a spreadsheet? How to push new keys out to all those systems en masse quickly? It seems to be a decentralized mess that in itself is a large security risk - making me inclined to turn off SSH everywhere and use the GUI tools most of these devices have versus the SSH approach, and a password manager instead. Are there some kind of central management tools out there for this? If so, a video reviewing and going over some of those and their pros/cons would be awesome. It makes me like Microsoft's Server management systems - like Active Directory for central user management (including authentication and access to systems via the permissions granted per security groups and such) much more, and appreciate them more as I have been delving deeper into Linux.

ameador

A tweak I use with systemctl to enable and start at the same time is: $ sudo systemctl enable --now

donaldwilliams

Another way is to only allow ssh through LAN and use a different server to run internet ssh. This could be through a vpn or tunnel, but obscurity is not security.

tutacat