top of page

Enabling and Configuring Secure Remote Access to an Ubuntu Server

Feb 17

14 min read

0

0

0

Enabling and Configuring Secure Remote Access to an Ubuntu Server

In today's interconnected world, securely accessing your Ubuntu server remotely is essential. Whether managing a web server, developing software, or needing to access files from afar, a secure remote connection ensures data protection and server accessibility. SSH (Secure Shell) is a cryptographic network protocol that encrypts communication between your computer and the server, safeguarding your data from eavesdropping and unauthorized access. It was designed for Unix-like systems to replace the insecure Telnet service used in the early internet era1. This article guides you through enabling and configuring secure remote access to your Ubuntu server using SSH, along with best practices for optimal security.

Enabling SSH on Ubuntu Server

To enable SSH on your Ubuntu server, follow these steps:

  1. Update and Upgrade Packages: Before installing new software, update your server's package list and upgrade existing packages to their latest versions. This ensures you have the latest security patches and bug fixes. Open your terminal and run the following commands:Bashsudo apt updatesudo apt upgrade

  2. Install OpenSSH Server: OpenSSH is a popular SSH implementation available for Ubuntu. If not already present, install the OpenSSH server package by running:Bashsudo apt install openssh-server

  3. Start and Enable SSH Service: After installation, start the SSH service and enable it to start automatically at boot time:Bashsudo systemctl start sshsudo systemctl enable ssh

  4. Verify SSH Status: Confirm that the SSH service is running correctly using:Bashsudo systemctl status sshYou should see a message indicating that the service is active and running.

  5. Check the IP Address of the Remote Machine: To connect to your server, you'll need its IP address. Use the following command on the server to find its IP address:Bashhostname -IThis command will print a list of IP addresses associated with the network interfaces of your machine2.

  6. Ensure Network Connectivity and SSH Service on the Remote Machine: Before attempting to connect, ensure that the remote machine is properly connected to the internet and that the SSH service is running on it. You can check the SSH status on the remote machine using the command sudo systemctl status ssh. Also, ensure that the remote server is using the correct port for the SSH service (the default port is 22, but you can change it as explained later in this article)2.

Configuring SSH for Optimal Security

While enabling SSH provides a secure connection, configuring it properly for optimal security is essential. Here are some key configurations to consider:

Strong Passwords and Two-Factor Authentication

  • Strong Passwords: Enforce strong passwords for all user accounts with access to the server. Strong passwords should be at least 12 characters long and include a combination of uppercase and lowercase letters, numbers, and special characters3.

  • Two-Factor Authentication (2FA): Enable 2FA for an added layer of security. 2FA requires users to provide a second form of identification, such as a code from a mobile app or a hardware token, in addition to their password3. You can use tools like Google Authenticator for 2FA integration with SSH. To enable 2FA with Google Authenticator, follow these steps:

  • Install Google Authenticator on the server: sudo apt install libpam-google-authenticator

  • Configure Google Authenticator: google-authenticator

  • Update PAM configuration: sudo nano /etc/pam.d/sshd and add the line auth required pam_google_authenticator.so

  • Update SSH configuration: sudo nano /etc/ssh/sshd_config and ensure the line ChallengeResponseAuthentication yes is present.

  • Restart SSH service: sudo systemctl restart ssh 4

Disable Root Login

Disabling direct root login via SSH is crucial. The root user has complete control over the server, and if compromised, it could lead to severe consequences. Instead, create a regular user account with sudo privileges for administrative tasks5. To disable root login, open the SSH configuration file:


Bash



sudo nano /etc/ssh/sshd_config

Find the line PermitRootLogin yes and change it to PermitRootLogin no. You can also use the prohibit-password option to allow root login with SSH keys but disallow password-based authentication for the root user6. Save the file and restart the SSH service:


Bash



sudo systemctl restart sshd

If you also want to prevent local logins as root, disable the root user's password using the following command:


Bash



sudo passwd root -ld

This locks the account and removes the account password6.

Change Default SSH Port

By default, SSH listens on port 22. Changing this to a non-standard port can help reduce automated attacks and port scanning attempts. While this doesn't make SSH inherently more secure, it can reduce the noise from automated attacks and make it harder for attackers to find your SSH server7.

In the SSH configuration file (/etc/ssh/sshd_config), find the line Port 22 and change the port number to a different value (e.g., Port 2222). Save the file and restart the SSH service. Remember to update your firewall rules to allow traffic on the new port.

Limit User Access

Restrict SSH access to only the necessary users and IP addresses. This reduces the potential attack surface and minimizes the risk of unauthorized access. Regularly audit SSH permissions and access controls to ensure that only authorized users have access3.

You can use the following directives in the SSH configuration file (/etc/ssh/sshd_config) to control user access:

  • AllowUsers: Specify which users are allowed to connect from specific IP addresses or hostnames. For example:AllowUsers user1@192.168.1.100 user2@*.example.comThis allows user1 to connect only from the IP address 192.168.1.100 and user2 to connect from any host in the example.com domain8.

  • AllowGroups: Specify which groups are allowed to connect. For example:AllowGroups sshusersThis allows only users belonging to the sshusers group to connect8.

  • DenyUsers: Deny SSH access to specific users or groups. For example:DenyUsers user3This denies access to user3 regardless of their IP address or group membership8.

You can also use Match blocks in sshd_config to create more complex access control rules. For example:




Match Host !hostname DenyUsers userMatch Host hostname AllowUsers user

This would block all users except user from connecting from hostname and block user from connecting from everywhere else8.

Additionally, you can use /etc/hosts.allow and /etc/hosts.deny to restrict SSH access by IP address. For example, to allow SSH connections only from the local network (192.168.2.x) and a specific external IP address (217.40.111.121), you would add the following lines to /etc/hosts.allow:




sshd,sshdfwd-X11: 192.168.2. 217.40.111.121

And the following line to /etc/hosts.deny:




sshd,sshdfwd-X11: ALL

9

You can also use iptables to control SSH access at the firewall level. For example, to allow SSH connections only from a specific IP address (172.10.1.10) and a subnet (192.168.1.0/24), you would use the following iptables rules:


Bash



iptables -A INPUT -p tcp --dport 22 --source 172.10.1.10 -j ACCEPTiptables -A INPUT -p tcp --dport 22 --source 192.168.1.0/24 -j ACCEPTiptables -A INPUT -p tcp --dport 22 -j DROP

10

Other SSH Security Configurations

Besides the configurations mentioned above, consider the following options in the SSH configuration file (/etc/ssh/sshd_config) to further enhance security:

  • Disable Tunnels and Forwarding: Prevent users from creating tunnels or forwarding ports by setting PermitTunnel no, AllowTcpForwarding no, and DisableForwarding yes10.

  • Use PAM: Enable PAM (Pluggable Authentication Modules) by setting UsePAM yes. PAM allows you to use various authentication methods and modules for SSH10.

  • Chroot User Sessions: Restrict user access to a specific directory by setting ChrootDirectory chroot_path. This limits the damage an attacker can do if they compromise a user account10.

  • Enable Connection Timeouts: Configure SSH to automatically terminate idle connections after a specified period to prevent unauthorized access. You can use the ClientAliveInterval and ClientAliveCountMax directives to control this behavior4.

  • Limit Authentication Attempts and Sessions: Set MaxAuthTries to limit the number of authentication attempts and MaxSessions to limit the number of concurrent SSH sessions. This helps prevent brute-force attacks and resource exhaustion4.

  • Use Strong Encryption Algorithms: Specify strong cryptographic algorithms and key exchange protocols by setting Ciphers and MACs. For example:Ciphers aes256-ctr,aes192-ctr,aes128-ctrMACs hmac-sha2-256,hmac-sha2-51211

Use Public Key Authentication

Public key authentication provides a more secure alternative to password-based authentication. It involves generating a pair of keys: a private key that remains on your local machine and a public key that you place on the server3. To set up public key authentication:

  1. Generate SSH Key Pair: On your local machine, generate an SSH key pair using the ssh-keygen command. You can use the -b option to specify the key size in bits (e.g., ssh-keygen -b 4096) and the -C option to add a comment to the key (e.g., ssh-keygen -C "your_email@example.com")4. You can choose to protect your private key with a passphrase for added security. While a strong passphrase enhances security, it requires entering it every time you connect. An empty passphrase is less secure but more convenient13.

  2. Copy Public Key to Server: Copy the contents of your public key file (~/.ssh/id_rsa.pub) to the ~/.ssh/authorized_keys file on the server. You can use the ssh-copy-id command for this purpose (e.g., ssh-copy-id user@remote_host)14. If ssh-copy-id is not available, you can copy the public key manually using scp or by directly editing the authorized_keys file on the server14. Ensure that the .ssh directory and the authorized_keys file have the correct permissions (700 for .ssh and 600 for authorized_keys)1.

  3. Disable Password Authentication: Once you have set up public key authentication, consider disabling password authentication in the SSH configuration file (/etc/ssh/sshd_config) by setting PasswordAuthentication no to prevent brute-force attacks11. This significantly reduces the risk of unauthorized access.

  4. Manage SSH Keys:

  5. Safeguard Private Keys: The private key is like a password and should be treated as such. Never share it or transmit it over insecure networks. Consider encrypting it with a passphrase for additional security3.

  6. Regularly Audit SSH Keys: Regularly audit your SSH keys to ensure they are still valid, secure, and necessary. This prevents the buildup of unused or insecure keys over time3.

  7. Back up and Delete Private Key: It's recommended to back up your private key to a secure location and then delete it from the local system after adding it to ssh-agent. This provides an extra layer of security as the private key cannot be retrieved from the agent if a strong algorithm is used15.

  8. Use ssh-agent: The ssh-agent is a program that holds your private keys in memory, so you don't have to enter your passphrase every time you use your key. To add your private key to ssh-agent, use the ssh-add command16. You can list public key parameters of all identities with the -L option (e.g., ssh-add -L) and delete identities with the -D option (e.g., ssh-add -D). To kill the ssh-agent process, you can use the trap command (e.g., trap "kill $SSH_AGENT_PID" 0)16.

  9. Administrator Accounts: For administrator accounts, use the administrators_authorized_keys file in C:\ProgramData\ssh\ instead of the per-user authorized_keys file15.

  10. Azure DevOps: If you're using SSH keys with Azure DevOps, note that only RSA SSH keys are supported17.

Use a Bastion Host

For enhanced security, consider using a bastion host or a jump server. This is a dedicated server that acts as an intermediary for accessing your internal network. It provides an extra layer of security by limiting direct access to your Ubuntu server3.

Using a VPN for Additional Security

A VPN (Virtual Private Network) adds an extra layer of security by encrypting all traffic between your computer and the server, even over public Wi-Fi networks. This is particularly useful when accessing your server from untrusted networks. VPNs can also help bypass geo-blocking, allowing you to access your server from locations where it might be restricted18. However, keep in mind that VPNs can introduce performance overhead and might raise privacy concerns depending on the VPN provider.

To set up a VPN for remote server access:

  1. Choose a VPN Provider: Select a reputable VPN provider that meets your needs and budget. Consider factors like security features, server locations, logging policies, and user reviews when making your choice.

  2. Install VPN Client: Install the VPN client software on your local machine. Most VPN providers offer clients for various operating systems, including Windows, macOS, and Linux.

  3. Configure VPN Connection: Configure the VPN connection on your user device. This typically involves entering the server address or hostname, VPN type (e.g., L2TP/IPsec, OpenVPN), and authentication details (e.g., username, password, pre-shared key). You might also need to configure firewall rules to allow VPN traffic18.

  4. Connect to VPN: Connect to a VPN server that provides access to your Ubuntu server.

  5. Access Server via SSH: Once connected to the VPN, you can access your server via SSH as usual.

Some public networks may block VPN connections20. If you encounter difficulties with VPN, you can consider using remote desktop software like HelpWire, TeamViewer, or AnyDesk as an alternative. These programs automatically route traffic and connect computers across different networks without needing a VPN setup22.

When setting up a VPN, it's important to understand the difference between static and dynamic IP addresses. A static IP address never changes, while a dynamic IP address can change over time. If your server has a dynamic IP address, you might need to use a dynamic DNS service to keep track of its changing IP address and ensure that your VPN connection can always reach it19.

Protecting Against Brute-Force Attacks with Fail2ban

Fail2ban is an intrusion prevention software that protects your server from brute-force attacks by monitoring log files and automatically banning IP addresses that show suspicious activity, such as multiple failed login attempts. It works by dynamically updating firewall rules to block the offending IP addresses23.

To install and configure Fail2ban on your Ubuntu server:

  1. Install Fail2ban:Bashsudo apt install fail2ban

  2. Configure Fail2ban: The main Fail2ban configuration file is /etc/fail2ban/jail.conf. However, it's recommended not to modify this file directly. Instead, create a separate file called jail.local or use individual files within the jail.d/ directory for customizations23. To create jail.local, copy the jail.conf file:Bashsudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localThen, edit the jail.local file using a text editor:Bashsudo nano /etc/fail2ban/jail.localIn the jail.local file, you can adjust settings such as bantime, maxretry, and findtime24. You can also use the ignoreip directive to whitelist IP addresses that should not be banned.

| Option | Description | Default Value | | :--------------- | :--------------------------------------------------------------------------- | :------------ | | enabled | Jail status (true/false) - This enables or disables the jail. | true | | port | Port specification. | ssh | | filter | Service-specific filter (Log filter) | sshd | | logpath | What log to use. | | | maxretry | Number of attempts to make before a ban. | 3 | | findtime | Amount of time between failed login attempts. | 300 | | bantime | Number of seconds an IP is banned for. | 3600 | | ignoreip | IP to be allowed. | 127.0.0.1 |




[24]Fail2ban uses "jails" to configure rules for different services. You can add custom jails for other services beyond SSH[25]. Fail2ban also uses "filters" to define patterns for matching log entries. You can add custom filters to match specific log formats or events[25].When adjusting Fail2ban settings, remember that stricter settings increase security but also increase the risk of false positives, potentially blocking legitimate users[25].

  1. Enable and Start Fail2ban:Bashsudo systemctl enable fail2bansudo systemctl start fail2banYou can check the status of a Fail2ban jail using the fail2ban-client status command (e.g., sudo fail2ban-client status sshd). To unban an IP address, use the fail2ban-client unban command (e.g., sudo fail2ban-client unban <ip-address>)26.

Regularly Update Server Software

Keeping your server software up to date is crucial for security. Regularly update all packages, including the SSH server itself, to patch known vulnerabilities and ensure you have the latest security features11. Before configuring automatic updates, ensure that all applications running on the server can restart correctly after unplanned downtime or a reboot27.

You can use the following commands to update your Ubuntu server:


Bash



sudo apt updatesudo apt upgrade

To update a single package, use sudo apt install <package-name>. To install upgrades for already installed packages only and ignore requests to install new packages, use sudo apt --only-upgrade install <package-name>28.

To see a list of available updates, use sudo apt list --upgradable. To list all possible versions of packages that can be installed or updated, use sudo apt list --all-versions --upgradable28.

You can use apt-get cache policy <package-name> to identify the repository from which a package update is coming. To install only security updates, you can use the following command:


Bash



sudo apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk -F " " {'print $2'} | xargs sudo apt-get install -y

29

Automatic Updates

Ubuntu provides the unattended-upgrades package to automatically install security updates30. To configure automatic updates, edit the /etc/apt/apt.conf.d/50unattended-upgrades file. You can also enable automatic reboots after updates, but this might cause downtime27. To test automatic upgrades without making any actual changes, use the --dry-run option with the unattended-upgrades command (e.g., sudo unattended-upgrades --dry-run). For more detailed output during the dry run, use the --debug option (e.g., sudo unattended-upgrades --dry-run --debug)30.

You can also enable automatic updates using the GUI "Software Updater" tool28.

Automatic updates offer several benefits:

  • Patching security vulnerabilities: Ensures security patches are applied promptly.

  • Saving time: Eliminates the need for manual intervention.

  • Bug fixes: Automatically installs bug fixes for existing software.

  • Performance improvements: Includes performance enhancements in updates.

  • Access to new features: Provides access to new features and functionalities.

30

Kernel Updates

If you are willing to tolerate some downtime, you can update your kernel by including it in your unattended apt updates and rebooting the server27.

To avoid downtime during kernel upgrades, you can use live kernel patching. This feature allows you to implement kernel updates without rebooting. Canonical provides the Livepatch Service for Ubuntu, and KernelCare supports Ubuntu and other Linux distributions27.

Other Update Tools

  • Snap: Snap is another Ubuntu package manager that runs alongside apt. Snaps can be pinned to a specific version and refreshed manually using the snap refresh command29.

  • Landscape: Landscape is a management tool that can be used to manage package managers like apt at scale29.

  • Pro Client: Ubuntu Pro users can use the pro command-line tool for vulnerability and remediation-focused patching29.

Conclusion

Securely accessing your Ubuntu server remotely is crucial in today's environment. By enabling and configuring SSH with the security best practices outlined in this article, you can significantly reduce the risk of unauthorized access and protect your server from potential threats. Remember to use strong passwords, enable 2FA, disable root login, change the default SSH port, limit user access, and use public key authentication. Regularly updating your server's software and security patches, including the kernel, is essential for maintaining a secure environment. Consider using additional security measures like VPNs and Fail2ban for enhanced protection. With a properly configured SSH server and a proactive approach to security, you can confidently manage your Ubuntu server from anywhere in the world.

Works cited

1. How to Enable and Secure SSH on Ubuntu? Quick and Easy Steps | Cherry Servers, accessed on February 17, 2025, https://www.cherryservers.com/blog/how-to-enable-and-secure-ssh-on-ubuntu-quick-and-easy-steps

2. How to Enable SSH on Ubuntu 24.04 - Greenwebpage Community, accessed on February 17, 2025, https://greenwebpage.com/community/how-to-enable-ssh-on-ubuntu-24-04/

3. SSH Security Best Practices: Protecting Your Remote Access Infrastructure - Tailscale, accessed on February 17, 2025, https://tailscale.com/learn/ssh-security-best-practices-protecting-your-remote-access-infrastructure

4. Advanced SSH Configuration and Security Best Practices - jadaptive, accessed on February 17, 2025, https://jadaptive.com/java-ssh-library/advanced-ssh-configuration-and-security-best-practices/

5. How to Disable SSH Login for the Root User | VeeroTech KnowledgeBase, accessed on February 17, 2025, https://www.veerotech.net/kb/how-to-disable-ssh-login-for-root-user/

6. How (and Why) to Disable Root Login Over SSH on Linux - How-To Geek, accessed on February 17, 2025, https://www.howtogeek.com/828538/how-and-why-to-disable-root-login-over-ssh-on-linux/

7. 5 Best Practices for Securing SSH - Teleport, accessed on February 17, 2025, https://goteleport.com/blog/5-ssh-best-practices/

8. How do I restrict a specified SSH user to connect only from one IP or hostname?, accessed on February 17, 2025, https://askubuntu.com/questions/649796/how-do-i-restrict-a-specified-ssh-user-to-connect-only-from-one-ip-or-hostname

9. HOWTO: Restrict ssh access by IP Address and/or username - Recital, accessed on February 17, 2025, https://www.recitalsoftware.com/blogs/177-howto-restrict-ssh-access-by-ip-address-and-or-username

10. Limit SSH Access to Specific Clients by Address | Baeldung on Linux, accessed on February 17, 2025, https://www.baeldung.com/linux/ssh-access-clients-address

11. Secure Your Linux SSH Connections: Best Practices and Tips - SecOps® Solution, accessed on February 17, 2025, https://www.secopsolution.com/blog/secure-your-linux-ssh-connections

12. Top 18 Tips to Secure SSH on Linux | Blumira, accessed on February 17, 2025, https://www.blumira.com/blog/secure-ssh-on-linux

13. SSH Public Key Authentication: How to Configure - phoenixNAP, accessed on February 17, 2025, https://phoenixnap.com/kb/ssh-with-key

14. How to Set Up SSH Keys on Ubuntu 20.04 | Guide - CloudPanel, accessed on February 17, 2025, https://www.cloudpanel.io/tutorial/set-up-ssh-keys-on-ubuntu-20-04/

15. Key-based authentication in OpenSSH for Windows - Microsoft Learn, accessed on February 17, 2025, https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

16. How To Set up SSH Keys on a Linux / Unix System - nixCraft, accessed on February 17, 2025, https://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/

17. Use SSH key authentication - Azure Repos | Microsoft Learn, accessed on February 17, 2025, https://learn.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops

18. How to Configure a Remote Access VPN Connection - Jotelulu, accessed on February 17, 2025, https://jotelulu.com/en-gb/support/tutorials/setup-remote-vpn-connection/

19. How to Setup a VPN to Access Your Office Files Remotely - Silent Partner Software, accessed on February 17, 2025, https://www.societ.com/blog/nonprofit-data-management/how-to-setup-a-vpn-to-access-your-office-files-remotely/

20. A Guide to Using a VPN Connection When Working from Home | CMIT Solutions Tribeca, accessed on February 17, 2025, https://cmitsolutions.com/tribeca-ny-1166/blog/a-guide-to-using-a-vpn-connection-when-working-from-home/

21. How to install and configure Remote Access (RAS) as a VPN server | Microsoft Learn, accessed on February 17, 2025, https://learn.microsoft.com/en-us/windows-server/remote/remote-access/get-started-install-ras-as-vpn

22. Remote desktop connection via VPN - Microsoft Community, accessed on February 17, 2025, https://answers.microsoft.com/en-us/windowsclient/forum/all/remote-desktop-connection-via-vpn/51d70117-d366-4bd9-8f79-478ea84c8cb2

23. How to Prevent SSH Brute-Force Attacks on Linux Using Fail2ban - VPS Mart, accessed on February 17, 2025, https://www.vps-mart.com/blog/prevent-ssh-brute-force-attacks-on-linux-using-fail2ban

24. How to Use Fail2Ban for SSH Brute-force Protection | Linode Docs, accessed on February 17, 2025, https://www.linode.com/docs/guides/how-to-use-fail2ban-for-ssh-brute-force-protection/

25. (Plesk for Linux) Protection Against Brute Force Attacks (Fail2Ban), accessed on February 17, 2025, https://docs.plesk.com/en-US/obsidian/administrator-guide/server-administration/plesk-for-linux-protection-against-brute-force-attacks-fail2ban.73381/

26. How to Prevent SSH Brute Force Attacks with Fail2ban | Ruan Bekker's Blog, accessed on February 17, 2025, https://ruan.dev/blog/2025/01/24/how-to-prevent-ssh-brute-force-attacks-with-fail2ban

27. How to Keep Ubuntu 20.04 Servers Updated - DigitalOcean, accessed on February 17, 2025, https://www.digitalocean.com/community/tutorials/how-to-keep-ubuntu-20-04-servers-updated

28. Ubuntu 22.04/20.04 update installed packages for security - nixCraft, accessed on February 17, 2025, https://www.cyberciti.biz/faq/ubuntu-20-04-update-installed-packages-for-security/

29. 3 ways to apply security patches in Linux - Ubuntu, accessed on February 17, 2025, https://ubuntu.com/blog/3-ways-to-apply-security-patches-in-linux

30. How to Set up and Enable Automatic Updates on Ubuntu - phoenixNAP, accessed on February 17, 2025, https://phoenixnap.com/kb/automatic-security-updates-ubuntu


Feb 17

14 min read

0

0

0

Related Posts

Comments
Share Your ThoughtsBe the first to write a comment.
bottom of page