How to Restrict User Login on SSH: A Comprehensive Guide
SSH (Secure Shell) is a critical tool for managing servers remotely, but without proper security, SSH access can be exploited. Restricting user logins on SSH is a key step in improving the security of your server. In this article, we will explain in detail various methods and techniques to limit access to SSH and reduce the risk of unauthorized access.
1. Disable Root User Login
The first and most important step to limit SSH access is to disable login using the root account. Direct root login poses a significant security risk, as an attacker who gains access to this account has full control over the server.
How to disable root login:
sudo nano /etc/ssh/sshd_config
Find the line containing PermitRootLogin
and change its value to no
:
PermitRootLogin no
Save the file and restart the SSH service:
sudo systemctl restart sshd
This will prevent the direct login of the root user via SSH.
2. Allow Access Only for Specific Users
Limiting SSH access to specific users is an effective way to secure your server. You can specify which users are allowed to log in via SSH using the AllowUsers
parameter.
Steps:
sudo nano /etc/ssh/sshd_config
Add a line with the usernames you want to allow:
AllowUsers user1 user2
This will restrict SSH access to the specified users. If you want to allow more users, simply add them to the same line.
3. Use Key-Based Authentication Instead of Passwords
Passwords are vulnerable to brute-force attacks. A more secure alternative is using public and private SSH keys. Key-based authentication secures access much better than traditional passwords.
How to enable key-based authentication:
ssh-keygen -t rsa -b 4096
Then install the public key on the server:
ssh-copy-id user@server
Finally, in the SSH configuration file, disable password-based logins:
PasswordAuthentication no
This step ensures that users can only log in with a valid SSH key, significantly increasing security.
4. Restrict Access by IP Address
Another effective method is to restrict SSH access to specific IP addresses. This ensures that only users from allowed networks can connect to the SSH server.
Steps to configure via firewall:
If you use ufw (Uncomplicated Firewall), you can allow SSH access only from a specific IP address like this:
sudo ufw allow from 192.168.1.100 to any port 22
This command allows access to port 22 (SSH) only from the IP address 192.168.1.100
.
5. Set a Timeout for Inactive Sessions
Long inactive SSH sessions can pose a security risk. Therefore, it is advisable to set a timeout after which an inactive user is automatically logged out.
Steps:
sudo nano /etc/ssh/sshd_config
Add or modify the following lines:
ClientAliveInterval 300
ClientAliveCountMax 0
These settings ensure that inactive sessions are automatically terminated after 5 minutes of inactivity.
6. Change the Default SSH Port
Attackers often use automated scanning of the default port 22. Moving SSH to another port can help reduce the number of unwanted login attempts.
How to change the SSH port:
sudo nano /etc/ssh/sshd_config
Find the line #Port 22
and uncomment it (remove the # sign) and change the port number, for example:
Port 2222
After saving the file, restart the SSH service:
sudo systemctl restart sshd
Keep in mind that after changing the port, you also need to update firewall rules to allow the new port.
7. Implement Two-Factor Authentication (2FA)
For an additional layer of security, you can implement two-factor authentication. You can use tools such as Google Authenticator or other time-based one-time password (TOTP) generators.
Installing Google Authenticator:
sudo apt-get install libpam-google-authenticator
Set up two-factor authentication for a specific user:
google-authenticator
Edit the file /etc/pam.d/sshd
and add the line:
auth required pam_google_authenticator.so
Finally, enable challenge-response authentication in the SSH configuration file:
ChallengeResponseAuthentication yes
This way, you add an extra security layer to SSH logins.
Restricting user logins on SSH is a key step in securing your server. A combination of the techniques mentioned above, such as disabling root login, allowing access only for specific users, using key-based authentication, and implementing two-factor authentication, will significantly enhance the security of your SSH service. By following these steps, you can effectively protect your server from unauthorized access and attacks.