Secure Shell (SSH) is the workhorse tool for administrators (and plenty of other users): it lets you log into a Rocky Linux instance remotely and take care of the various admin tasks on your to-do list.

Out of the box, SSH should work just fine. You can log in with a command like:

ssh 192.168.1.100

Or, if your user name differs between the two machines, specify the remote user explicitly:

ssh user@192.168.1.100

You'll be prompted for your password and allowed access.

Although SSH is fairly secure by default, you might want to add some extra security, to better protect your Rocky Linux servers. For this, there are a few steps you can take to help prevent unwanted access. Let's dive right into those steps.

Step 1: Change the default port

By default, SSH uses port 22. Moving the daemon to a non-default port such as 2112 keeps most automated scanners and brute-force bots out of your logs, but it is not a security control on its own: a port scan finds the new port in seconds, so treat this as noise reduction rather than protection. There are still good operational reasons to do it, for example keeping the SSH port consistent across your infrastructure, or running a separate sshd instance for a specific purpose (a dedicated daemon for git over SSH is a common example).

First, open the SSH daemon configuration file with the command:

sudo nano /etc/ssh/sshd_config

In that file, look for the line:

#Port 22

Change that line to:

Port 2112

Save and close the file.

Next, we have to make SELinux aware of the change; without this, sshd will refuse to bind to the new port. The semanage tool comes from the policycoreutils-python-utils package, so install that first if the command is missing:

sudo dnf install policycoreutils-python-utils
sudo semanage port -a -t ssh_port_t -p tcp 2112

Open the new port in the firewall before restarting the daemon, so there is no window in which new connections are refused:

sudo firewall-cmd --permanent --zone=public --add-port=2112/tcp
sudo firewall-cmd --reload

Check the configuration for syntax errors, then restart the SSH daemon:

sudo sshd -t
sudo systemctl restart sshd

Keep your current session open and test the new port from a second terminal before you close anything. From now on, when you SSH into the machine, you'll add the -p flag like so:

ssh -p 2112 192.168.1.100

Only once that works should you drop the old allowance for port 22 from the firewall:

sudo firewall-cmd --permanent --zone=public --remove-service=ssh
sudo firewall-cmd --reload

Step 2: Disable users with blank passwords

We also want to prevent any user with a blank password from gaining access. This shouldn't be an issue if your password policy forbids empty passwords, and sshd refuses them by default (the commented-out line you will see below shows that default). Making the setting explicit guards against someone changing it later. Note that Rocky Linux 9 also ships a default configuration that disallows root login with a password, but ordinary password logins remain enabled until you turn them off in Step 4.

To do this, open the SSH daemon configuration file with the command:

sudo nano /etc/ssh/sshd_config

In that file, look for the following line:

#PermitEmptyPasswords no

Change that line to:

PermitEmptyPasswords no

Save and close the file.

Check the syntax and restart SSH with the commands:

sudo sshd -t
sudo systemctl restart sshd

Step 3: Restrict SSH logins to specific IP addresses

We can also restrict SSH logins to only specific IP addresses. This is a handy option if you only want to allow specific machines access to your server. Say, for example, you have three users who administer your Rocky Linux server who work on machines with the following IP addresses:

  • 192.168.1.10
  • 192.168.1.20
  • 192.168.1.30

Older guides do this with TCP wrappers (/etc/hosts.allow and /etc/hosts.deny), but OpenSSH on Rocky Linux 8 and later is not built with libwrap, so entries in those files are silently ignored by sshd. Use firewalld instead, which drops the traffic before it ever reaches the daemon.

First, remove the zone-wide ssh allowance (and, if you changed the port in Step 1, the port you opened there):

sudo firewall-cmd --permanent --zone=public --remove-service=ssh

Next, add one rich rule per administrator address:

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.10" service name="ssh" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.20" service name="ssh" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.30" service name="ssh" accept'

If you moved sshd to port 2112, replace service name="ssh" with port port="2112" protocol="tcp" in each rule. If you wanted to allow all machines on your LAN access, a single rule with a CIDR source does it:

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'

Reload the firewall:

sudo firewall-cmd --reload

As a second layer inside sshd itself, you can also tell the daemon to accept logins only from those hosts by adding this line to /etc/ssh/sshd_config (then run sudo sshd -t and restart sshd as in the previous steps):

AllowUsers *@192.168.1.10 *@192.168.1.20 *@192.168.1.30

At this point, only the IP addresses you've configured will be able to log in via SSH. Make these changes from the console or from a machine that is on the allow-list, and verify a fresh login from an allowed host before you disconnect.
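The allow-list above, scripted with the checks a practitioner wants before pointing firewall-cmd at a production box. This is an added example, not code from the original post or from CIQ; the port, zone name and address list are assumptions. It validates every address (IPv4, with an optional CIDR prefix) before touching anything, refuses an empty list because that would lock everyone out, and keeps firewall-cmd behind a variable so the logic can be dry-run with a stub.

```shell
#!/usr/bin/env bash
# ssh-allowlist.sh: restrict SSH to a fixed set of source addresses with firewalld.
# Added example, not from the original post. SSH_PORT, ZONE and the address list
# passed on the command line are assumptions.
set -eu

SSH_PORT="${SSH_PORT:-22}"                      # use 2112 if you followed Step 1
ZONE="${ZONE:-public}"
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"    # override with a stub to dry-run

# is_ipv4_cidr ADDR -> 0 if ADDR is a dotted-quad IPv4 address with an optional /prefix
is_ipv4_cidr() {
    local addr="$1" ip prefix octet
    case "$addr" in
        */*) ip="${addr%/*}"; prefix="${addr#*/}" ;;
        *)   ip="$addr";      prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in *.*.*.*) ;; *) return 1 ;; esac     # at least four fields...
    case "$ip" in *.*.*.*.*) return 1 ;; esac         # ...and no more than four
    local IFS=.
    for octet in $ip; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ssh_rich_rule ADDR -> the firewalld rich rule that accepts SSH_PORT/tcp from ADDR only
ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' \
        "$1" "$SSH_PORT"
}

# apply_allowlist ADDR... : validate every address first (all-or-nothing), then
# drop the zone-wide SSH allowances and add one accept rule per source.
apply_allowlist() {
    local addr
    [ "$#" -gt 0 ] || { echo "refusing to apply an empty allow-list (would lock everyone out)" >&2; return 1; }
    for addr in "$@"; do
        is_ipv4_cidr "$addr" || { echo "invalid IPv4 address or CIDR: $addr" >&2; return 1; }
    done
    # Remove the catch-all rules so only the rich rules admit SSH (either may already be absent).
    "$FIREWALL_CMD" --permanent --zone="$ZONE" --remove-service=ssh || true
    "$FIREWALL_CMD" --permanent --zone="$ZONE" --remove-port="${SSH_PORT}/tcp" || true
    for addr in "$@"; do
        "$FIREWALL_CMD" --permanent --zone="$ZONE" --add-rich-rule="$(ssh_rich_rule "$addr")"
    done
    "$FIREWALL_CMD" --reload
}

# Usage (from a console or an allow-listed host):
#   sudo SSH_PORT=2112 ./ssh-allowlist.sh 192.168.1.10 192.168.1.20 192.168.1.30
# Dry run:  FIREWALL_CMD=echo ./ssh-allowlist.sh 192.168.1.0/24
if [ "$#" -gt 0 ]; then
    apply_allowlist "$@"
fi
```

The validation is deliberately strict rather than clever: a typo such as 192.168.1.300 is rejected before any rule is removed, and the two removals are the only steps allowed to fail, since a zone may not have both the service and the port enabled.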

Step 4: Use SSH Key Authentication

SSH key authentication is far more secure than a simple username and password: the private key never leaves your machine, cannot be guessed or phished the way a password can, and the server only accepts a login that proves possession of it. This might sound complicated, but it's actually very easy to set up.

First, on one of the machines you'll use to access the server via SSH, generate an SSH key pair with the command:

ssh-keygen -t ed25519 -a 250

ssh-keygen can create several key types, and Ed25519 is the one to choose today: keys are short, signing is fast, there are no weak-parameter pitfalls, and it is the default in OpenSSH 9.5 and later. Older releases, including the OpenSSH shipped with Rocky Linux 8 and 9, still default to RSA, which is acceptable at its default 3072 bits but offers no advantage over Ed25519. The -a 250 option sets the number of key-derivation rounds used to encrypt the private key under its passphrase, which slows down offline guessing if the key file is ever stolen; do set a passphrase when prompted, since an unencrypted private key is a single file away from a full compromise. Note that the key type affects authentication only; the encryption of the session itself is negotiated separately.

With the key pair created, copy the public key to the Rocky Linux server with the command:

ssh-copy-id SERVER

Where SERVER is the IP address of your Rocky Linux server (prefix it with user@ if your user name differs on the two machines).

If you've configured SSH to use a non-standard port, pass it with the -p option:

ssh-copy-id -p 2112 SERVER

Alternatively, record the host in your client configuration so that ssh, scp and ssh-copy-id all pick up the port automatically. Open the file with:

nano ~/.ssh/config

Let's say your Rocky Linux server is at 192.168.1.100 and you've set the port number to 2112. That entry would look something like this:

Host Rocky
   HostName 192.168.1.100
   Port 2112

Save and close the file. You can now copy the key (and later log in) using the alias:

ssh-copy-id Rocky

Before going further, confirm that the key actually works by opening a second SSH session to the server; it should not prompt for a password. Stay connected with your current session and use the new one for the next steps. One thing to keep in mind is that, once you complete the next steps, only machines that have copied their SSH keys to the Rocky Linux server will be able to log in. Because of that, make sure you've copied SSH keys from all machines that will require SSH login to the Rocky Linux server.

Back on the Rocky Linux server, open the SSH daemon config file with:

sudo nano /etc/ssh/sshd_config

Look for the following line:

#PubkeyAuthentication yes

Change that to:

PubkeyAuthentication yes

Next, find the line:

#PasswordAuthentication yes

Change that to:

PasswordAuthentication no

Save and close the file. Check the syntax, restart the SSH daemon, and then confirm what the daemon actually resolved. On Rocky Linux 9, sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads, so a drop-in file there can silently override the lines you just edited; sshd -T prints the effective settings with those files taken into account:

sudo sshd -t
sudo systemctl restart sshd
sudo sshd -T | grep -E '^(passwordauthentication|pubkeyauthentication|permitemptypasswords) '

Now, the only machines that will be able to log into your Rocky Linux server (via SSH) are those with matching key pairs.
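Steps 1, 2 and 4 all come down to editing the same file, validating it, and restarting sshd. The script below does those edits in one idempotent pass and refuses to restart the daemon if the file fails sshd -t or if a drop-in under /etc/ssh/sshd_config.d/ would override what it wrote. This is an added example, not code from the original post or from CIQ; the config path, the port (2112), the drop-in directory and the firewall zone default are assumptions taken from the walkthrough, and removing the old port-22 firewall allowance is deliberately left as a manual step after you have verified a login on the new port.

```shell
#!/usr/bin/env bash
# harden-sshd.sh: apply the sshd_config edits from Steps 1, 2 and 4 in one pass,
# validate the file with `sshd -t`, and only then restart the daemon.
# Added example, not code from the original post. SSHD_CONFIG, DROPIN_DIR and
# NEW_PORT are assumptions mirroring the walkthrough.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
DROPIN_DIR="${DROPIN_DIR:-/etc/ssh/sshd_config.d}"
NEW_PORT="${NEW_PORT:-2112}"

# set_sshd_option FILE KEYWORD VALUE
# Rewrite every global "KEYWORD ..." line, active or commented out, as "KEYWORD VALUE";
# append the line if the keyword is absent. Re-running it is a no-op. Assumes the stock
# layout: the keyword appears only in the global section (not inside a Match block)
# and is spelled in its canonical case, as in the file Rocky Linux ships.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -Ei "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEYWORD -> value of the first active line (sshd: first match wins)
get_sshd_option() {
    local file="$1" key
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" 'tolower($1) == k { print $2; exit }' "$file"
}

# harden_config FILE: the four edits the walkthrough makes by hand
harden_config() {
    local file="$1"
    set_sshd_option "$file" Port "$NEW_PORT"             # Step 1
    set_sshd_option "$file" PermitEmptyPasswords no      # Step 2 (already the default; make it explicit)
    set_sshd_option "$file" PubkeyAuthentication yes     # Step 4
    set_sshd_option "$file" PasswordAuthentication no    # Step 4
}

# dropin_conflicts: Rocky Linux 9's sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", and sshd keeps the FIRST value it reads,
# so a drop-in that sets one of these keywords silently overrides the edits above.
# Prints the offending file names; succeeds only if there is at least one.
dropin_conflicts() {
    grep -El '^[[:space:]]*(Port|PermitEmptyPasswords|PubkeyAuthentication|PasswordAuthentication)[[:space:]]' \
        "$DROPIN_DIR"/*.conf 2>/dev/null
}

apply() {
    harden_config "$SSHD_CONFIG"
    if dropin_conflicts; then
        echo "the drop-in file(s) above override ${SSHD_CONFIG}; resolve that first" >&2
        return 1
    fi
    sshd -t -f "$SSHD_CONFIG"          # never restart on a broken config (lockout protection)
    # Step 1 ordering: SELinux label, then firewall, then the daemon.
    semanage port -a -t ssh_port_t -p tcp "$NEW_PORT" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$NEW_PORT"
    firewall-cmd --permanent --add-port="${NEW_PORT}/tcp"
    firewall-cmd --reload
    systemctl restart sshd
    # What the daemon actually resolved, drop-ins included. Verify a key-based login
    # on the new port from a second terminal before removing the port-22 service.
    sshd -T | grep -E '^(port|permitemptypasswords|pubkeyauthentication|passwordauthentication) '
}

# Run as:  HARDEN_APPLY=1 sudo ./harden-sshd.sh
# Without HARDEN_APPLY the file only defines the functions, so it can be sourced and tested.
if [ "${HARDEN_APPLY:-0}" = 1 ]; then
    apply
fi
```

The two checks are what turn a copy-paste session into something you can run unattended: sshd -t catches a typo before the restart that would otherwise lock you out, and the drop-in scan catches the Rocky Linux 9 first-match-wins behaviour that makes a correct-looking sshd_config lie about what the daemon enforces.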

CIQ, Inc.