How to Secure SSH on a Vultr Arch Linux Server

Updated on December 3, 2020

Introduction

After installing OpenSSH, there are extra steps that can improve the SSH security of your Vultr Arch Linux server. Consider following these best practices.

Disable Root Login

Allowing the root account to connect via SSH is a poor security practice. It is preferable to connect with a non-root account and use sudo to temporarily gain root privileges.

  1. Create a sudo user. If there is not already a user account with sudo access, follow the steps in this guide to create one.

  2. To disable root login, open the file /etc/ssh/sshd_config in a text editor, and find the following line:

     #PermitRootLogin prohibit-password
  3. Enable the directive by removing the # at the beginning of the line.

  4. Change prohibit-password to no to disable root logins via SSH. The line should now look like this:

     PermitRootLogin no

Restrict Which Users Can Use SSH

If some system accounts should not access the server remotely, set an allow list of users and groups that may connect via SSH.

  1. Edit /etc/ssh/sshd_config

     $ nano /etc/ssh/sshd_config
  2. To allow specific users SSH access, add a line like:

     AllowUsers example_user1 example_user2
  3. To allow user groups SSH access, add a line like:

     AllowGroups example_group1 example_group2

Specify any number of users or groups separated by spaces.

Change the SSH Port

Change the default SSH port (22) to any unused port greater than 1024. If a firewall is active on the server, allow the new port before restarting OpenSSH, or you may lock yourself out.

  1. Edit /etc/ssh/sshd_config

     $ nano /etc/ssh/sshd_config
  2. Find this line:

     Port 22
  3. If the line is commented out with #, remove the # symbol.

  4. Choose any unused port greater than 1024. For example:

     Port 2222

SSH can listen on multiple ports if you add more Port lines with one port number per line.

Use SSH Keys

We recommend using an SSH key instead of a password to authenticate. It is also usually more convenient.

Generate a Key Pair

If you do not already have an SSH key pair, create one by following the guide, How Do I Generate SSH Keys?

Locate your public key to complete the following steps.

Enable SSH Key Login

  1. Edit /etc/ssh/sshd_config

     $ nano /etc/ssh/sshd_config
  2. Find this line:

     #PubkeyAuthentication yes
  3. If the line is commented out with #, remove the # symbol.

Copy the Public Key to the Server

To log in with an SSH key, the user must place their public key in their ~/.ssh/authorized_keys file. Use one of the following methods:

Method 1: Copy the Key with ssh-copy-id

If your local machine has OpenSSH installed, and your public key is in ~/.ssh/id_rsa.pub (the default location), send your key to the server with the following command:

$ ssh-copy-id username@YOUR-SERVER-IP

Method 2: Manually Add the Key

  1. In the server user's home directory, create the file ~/.ssh/authorized_keys if it does not already exist.
  2. Paste the public key into the file, one key per line.

The ~/.ssh directory should be mode 700 and authorized_keys mode 600; with the default StrictModes setting, sshd ignores the file if other users can write to it or to the directory.
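The manual method above, as an added example that is not part of the Vultr guide: a POSIX sh function that validates the pasted line looks like a single OpenSSH public key entry, creates ~/.ssh and authorized_keys with the owner-only modes sshd's StrictModes check expects, and skips the append when the same key (same type and blob, any comment) is already present. The function name, the HOME_DIR parameter and the sample key are assumptions; the sample key is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the Vultr guide. Assumes POSIX sh with awk, grep,
# mkdir, chmod and wc. HOME_DIR is a parameter so the function can be tried on
# a scratch directory instead of a real account.

NEWLINE='
'

# is_public_key_line LINE
# Accepts exactly one line of the form "<type> <base64 blob> [comment]" with a
# key type OpenSSH knows. Entries with leading options (from=, command=) are
# out of scope here and are rejected.
is_public_key_line() {
    case $1 in
        *"$NEWLINE"*) return 1 ;;   # a second line would smuggle in another key
    esac
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$'
}

# install_authorized_key HOME_DIR KEY_LINE
# Appends KEY_LINE to HOME_DIR/.ssh/authorized_keys unless a key with the same
# type and blob is already there (the comment field is ignored). Prints the
# number of keys now in the file. Returns 1 and installs nothing if KEY_LINE is
# not a recognised public key line.
install_authorized_key() {
    home_dir=$1
    key_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    if ! is_public_key_line "$key_line"; then
        echo "refusing to install: not a recognised public key line" >&2
        return 1
    fi

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # directory: owner only
    touch "$auth_file"
    chmod 600 "$auth_file"        # file: owner read/write only

    # Type + blob identify the key; the trailing comment is free text.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if ! awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi

    wc -l < "$auth_file" | tr -d ' '
}

# Constructed placeholder in the shape of an ed25519 public key line; it is not
# a real key and cannot authenticate anything.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDPLACEHOLDERxxxxxxxxxxxxxxxxxxxxx user@laptop'

# Demonstration on a scratch directory, not a real account. On the server you
# would run: install_authorized_key "$HOME" "$(cat id_ed25519.pub)"
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY"
install_authorized_key "$demo_home" "$SAMPLE_KEY"   # no-op: the key is already present
rm -rf "$demo_home"
```

The dedup compares only the key type and blob, so pasting the same key twice with different comments still yields one entry; the newline check matters because authorized_keys is line-oriented and a pasted value containing a second line would add a second, unreviewed key.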

Disable Password Login

After enabling SSH key authentication, it is a best practice to disable password authentication. Make sure you've tested SSH key login first: if your SSH key doesn't work and you disable password login, you'll lose SSH access.

  1. Edit /etc/ssh/sshd_config

     $ nano /etc/ssh/sshd_config
  2. Find this line:

     #PasswordAuthentication yes
  3. If the line is commented out with #, remove the # symbol.

  4. Replace yes with no. The line should look like this when finished:

     PasswordAuthentication no

Test the SSH Configuration File

After modifying the SSH configuration of your Vultr server, it's a best practice to verify there are no syntax errors in the file. This ensures that OpenSSH starts without problems.

Run the following command as root to test the configuration file:

# sshd -t

If there is no output, the configuration file is valid. Otherwise, fix the specified errors before continuing.
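The sshd_config edits from the sections above (PermitRootLogin, AllowUsers, Port, PubkeyAuthentication, PasswordAuthentication) and the validation step, as one added example that is not part of the Vultr guide: POSIX sh functions that set a directive idempotently (uncommenting, rewriting or appending as needed), read back the value sshd would use, and run a structural check that works without root before the authoritative "sshd -t". The function names, the CONFIG parameter and the sample config fragment are assumptions; on the server the path is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the Vultr guide. Assumes POSIX sh with awk, grep and
# mktemp. Every function takes the config path as its first argument so it can
# be exercised on a scratch copy; the real file is /etc/ssh/sshd_config.

# set_sshd_directive CONFIG NAME VALUE
# Rewrites the first line that sets NAME (commented out or not, any case) to
# "NAME VALUE", drops later duplicates, and appends the directive if absent.
# A comment whose first word equals NAME would be rewritten too, so keep
# explanatory comments phrased differently.
set_sshd_directive() {
    config=$1; name=$2; value=$3
    tmp="$config.tmp.$$"
    awk -v name="$name" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indentation and a leading "#"
            split(line, field, /[ \t=]+/)
            if (tolower(field[1]) == tolower(name)) {
                if (!done) { print name " " value; done = 1 }
                next                             # drop duplicates: sshd honours the first only
            }
            print
        }
        END { if (!done) print name " " value }   # directive was not in the file
    ' "$config" > "$tmp" && mv "$tmp" "$config"
}

# get_sshd_directive CONFIG NAME
# Prints the value of the first active (uncommented) NAME line, which is the
# one sshd uses; prints nothing when the directive is not set.
get_sshd_directive() {
    awk -v name="$2" '
        tolower($1) == tolower(name) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_sshd_syntax CONFIG
# Structural check usable without root or an installed sshd: every line must be
# blank, a comment, or "Keyword value". It does not know sshd's keyword list,
# so still run "sshd -t" as root for the authoritative check.
check_sshd_syntax() {
    ! grep -Eqv '^[[:blank:]]*(#.*)?$|^[[:blank:]]*[A-Za-z][A-Za-z0-9]*[[:blank:]=]+[^[:blank:]].*$' "$1"
}

# harden_sshd CONFIG PORT ALLOWED_USERS
# The five settings the guide changes, applied together. ALLOWED_USERS is a
# space-separated list; PORT replaces every existing Port line with one value.
harden_sshd() {
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" AllowUsers "$3"
    set_sshd_directive "$1" Port "$2"
    set_sshd_directive "$1" PubkeyAuthentication yes
    set_sshd_directive "$1" PasswordAuthentication no
}

# write_sample_config PATH
# Constructed fragment resembling a stock sshd_config, for the demonstration
# below; it is not a copy of any real file.
write_sample_config() {
    printf '%s\n' \
        '# Constructed sample sshd_config fragment' \
        '#Port 22' \
        '#PermitRootLogin prohibit-password' \
        'PasswordAuthentication yes' \
        'X11Forwarding no' > "$1"
}

# Demonstration on a scratch copy; /etc/ssh is never touched here.
demo=$(mktemp)
write_sample_config "$demo"
harden_sshd "$demo" 2222 "example_user1 example_user2"
check_sshd_syntax "$demo" && cat "$demo"
rm -f "$demo"
```

Before restarting sshd with these settings, confirm from a second terminal that key login works on the new port with `ssh -o BatchMode=yes -o PasswordAuthentication=no -p 2222 example_user1@YOUR-SERVER-IP true`; with BatchMode the client fails instead of prompting if the key is not accepted, which is exactly what you want to know before PasswordAuthentication no takes effect.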

Restart OpenSSH

After all configuration file changes are complete and validated, restart OpenSSH to apply the new configuration. Keep your current session open and confirm from a second terminal that a new login succeeds before closing it.

Run the following command as root:

# systemctl restart sshd.service