by

Openssh Server Ubuntu 20.04



In-depth guide on how to secure a Linux home server running Ubuntu 20.04. This post explains how to change the default SSH port, how to configure a UFW firewall, how to use ssh key-based authentication, how to install and configure fail2ban, and finally how to setup two factor authentication (2FA).

Prerequisites

  • A running Ubuntu instance
  • SSH access to your server

Openssh For Ubuntu 20.04


Change the default SSH port. To change the default SSH port, modify the sshd configuration file. Whenever you use an SSH server, you must have considered securing it first to save yourselves from any unwanted situation in the longer run. We can never say that a single step will ensure 100% security or a certain step is better than the other. In this article, a very deep insight into the basic and advanced steps for securing an SSH server in Ubuntu 20.04 is provided.

1. Change the default SSH port

How To Set Up SSH keys On Ubuntu 20.04. Join us to finish the steps of this tutorial to show you How to set up SSH keys on Ubuntu 20.04. The plan is that we would focus on setting up SSH keys for an Ubuntu 20.04 installation. SSH keys provide a secure way of logging into your server. Install the openssh-server in order to perform an installation of the SSH server on your Ubuntu 20.04.

Openssh

To change the default SSH port, modify the sshd configuration file

In order to access your server from outside of your local network, you need to forward that port your machine in your router’s configuration.

Now you will always need to specify the port used for SSH’ing into your server, as otherwise SSH will attempt to use the (now no longer working) port 22

Don’t forget to port-forward this to your home server in your router’s configuration if you want to access your home server from outside of your local network!

Pro tip, I always recommend creating an “alias” for login purposes such that you won’t need to remember which SSH port you have used. This can easily be achieved by saving the connect command to your ~/.bashrc file

Uninstall ssh server ubuntu 20.04

where random-name is any name for your alias
SSH-PORT is the port that you set up above, e.g. 549
USERNAME is the username on the server that you want to SSH into, e.g. roman
LOCAL-IP the local IP address, e.g. 192.168.1.100


2. Install and setup ufw

UFW, or uncomplicated firewall, should generally already come pre-installed on Ubuntu 20.04. If for some reason it’s not already installed on your machine, you can get it using

Next, set up some basic rules and enable the firewall. Before continuing, make sure that you have specified the correct port for SSH. Otherwise you will lock yourself out from your own server!

This should provide you with some basic security, as only the ports specified can now be accessed. You can check which ports are allowed using

An additional layer of security can be gained by additionally blocking ping requests. For this, update the following line

Note that doing this will prevent you from finding your server’s local IP address using an IP scanner so make sure you know your server’s IP address before implementing this safety measure!

Finally, reload the firewall using


3. Generate keygen

In order to make our SSH connection even more secure, I recommend to generate a key instead of a plain old password. Reason being is that it’s close to impossible to become a victim of a man-in-the-middle attack because no sensitive information is exchanged between you and your server upon login.

This works by creating a key which has two parts: a private key (stays on the client) and a public key (is transferred to the server). Once a client attempts to establish a connection to the server, it generates a random message, which the client encrpyts using the private key. This message is then send back to the server which decrypts it using the public key. The session is then accepted if the response matches what the server has sent. This is a clever way of avoiding having to send authentication related information in plain text (or encrypted) between the server and client, as the random message is different for each new connection.

You can generate a key on your client machine (which you use to connect to your server) with

I personally prefer not to use a passphrase for my key’s since I like to use two factor authentication anyways (see step 6 below).

Next, copy the public key to your server (mind the capital P to specify the non-standard SSH port)

Note: If you already have an authorized_keys file on your server, simply paste the content of id_rsa.pub in that file on a new line.

Now you should be able to log-in to your server without getting a password prompt, since the server authorizes you using the keygen.


4. Only allow login with keygen

To make your server only accept ssh key-based authentication, edit the sshd_config file

Next, restart the SSH deamon

5. Install and setup fail2ban

First, install fail2ban

Next, copy the default fail2ban configuration file (make sure to end the custom file with .local)

Add an SSH jail to the end of the file

How to start openssh server ubuntu

This will ban any IP address that has more than 3 failed login attempts over the last 600 seconds indefinitely. You can change the ban type to a certain time period by changing bantime to any value in seconds.

Finally, restart the fail2ban service

Get the current fail2ban status using

If you have accidentally banned one of your computers, you can un-ban any IP address by typing


Openssh-server Has No Installation Candidate Ubuntu 20.04

6. Setup two factor authentication

If you want to add yet another layer of security, you can set up two factor authentication for SSH based login to your server. In this example, we are going to use the google authenticator, however this procedure would work similarly with other authentication software such as Authy.

You can download the google authenticator for both Android and Iphone. This tool basically just produces a time based token based on a long sequence of numbers and letters.

Next, install google authenticator on your server:

You can now set up two factor authentication by entering ‘google-authenticator’

If you proceed by typing ‘y’, a large QR code will be displayed in your terminal, together with your secret key as well as one-time emergency codes (the large QR code is not shown in the following example).

Write down your secret key and emergency codes and open the google authenticator application on your mobile phone. In the app, click on the plus in the bottom right corner and hit ‘scan QR-code’. Then scan the QR code from your terminal.

Openssh Server Ubuntu Install

Next, allow the google authenticator to update the required file in your home directory:

Now come three questions regarding the hardness of your google authenticator installation. The first one pertains to only allowing the use of the same authentication token once. I would strongly recommend to enable this.

The next setting pertains to the use of 3 codes to 17 codes. I would strongly recommend to disable this.

Install Openssh Ubuntu 20.04

Finally, you can limit the number of allowed login attempts to 3 every 30 seconds. Make sure to never accidentally enter the wrong codes yourself though or you will lock yourself out from your own server! I generally enable this.

Update the PAM sshd configuration file

And all the way on the bottom add

All changes to the sshd_config file

Finally, restart the ssh daemon