How to Secure SSH Server on Arch Linux

OpenSSH is a secure shell protocol that provides a secure channel over an unsecured network. It allows the system administrator to manage Linux servers remotely over a secure channel. It works on a client-server architecture and allows users to connect to the SSH server remotely. Unlike unsecured protocols, SSH encrypts the traffic, login sessions, and passwords. OpenSSH is one of the most popular and widely used protocols.

In this post, we will show you how to secure an SSH server on Arch Linux.

Step 1 – Configure Repository

By default, the default repository is outdated in Arch Linux, so you will need to modify the default mirror list. You can do it by editing the mirrorlist configuration file:

nano /etc/pacman.d/mirrorlist

Remove all lines and add the following lines:

## Score: 0.7, United States
Server = http://mirror.us.leaseweb.net/archlinux/$repo/os/$arch
## Score: 0.8, United States
Server = http://lug.mtu.edu/archlinux/$repo/os/$arch
Server = http://mirror.nl.leaseweb.net/archlinux/$repo/os/$arch
## Score: 0.9, United Kingdom
Server = http://mirror.bytemark.co.uk/archlinux/$repo/os/$arch
## Score: 1.5, United Kingdom
Server = http://mirrors.manchester.m247.com/arch-linux/$repo/os/$arch
Server = http://archlinux.dcc.fc.up.pt/$repo/os/$arch
## Score: 6.6, United States
Server = http://mirror.cs.pitt.edu/archlinux/$repo/os/$arch
## Score: 6.7, United States
Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch
## Score: 6.8, United States
Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch
## Score: 7.1, India
Server = http://mirror.cse.iitk.ac.in/archlinux/$repo/os/$arch
## Score: 10.1, United States
Server = http://mirrors.xmission.com/archlinux/$repo/os/$arch

Save and close the file then update all the package indexes with the following command:

pacman -Syu

Step 2 – Change SSH Default Port

By default, SSH listens on port 22. So it is vulnerable to DDoS attacks. In this case, it would be recommended to change the default SSH port to a port greater than 1024.

To change the SSH port, edit the SSH configuration file.

nano /etc/ssh/sshd_config

Find the following line:

Port 22

And, replaced it with the following line:

Port 8087

Save and close the file then restart the SSH service to apply the changes.

systemctl restart sshd

Step 3 – Disable SSH Root Login

The root user has unlimited access to the file system, so the root account is the most valuable target for hackers. You can disable the SSH root login by editing the SSH configuration file.

nano /etc/ssh/sshd_config

Find the following line:

#PermitRootLogin prohibit-password

Replaced it with the following line.

PermitRootLogin no

Save and close the file then restart the SSH service to apply the changes.

Step 4 – Limit SSH Access

It is also a good practice to grant only limited users access to the SSH server remotely. You can define the allow and deny list via SSH configuration file.

nano /etc/ssh/sshd_config

Add the following line:

AllowUsers user1 user2 user3

Save and close the file, then restart the SSH service to apply the changes.

systemctl restart sshd

Step 5 – Enable Key-based Authentication

It is a good idea to use an SSH key instead of a password to authenticate the SSH server. To do so, first, edit the SSH configuration file and enable the key-based authentication.

nano /etc/ssh/sshd_config

Change the following line:

PubkeyAuthentication yes

Save and close the file then restart the SSH service.

systemctl restart sshd

Step 6 – Disable Password Login

It is also a good idea to disable password authentication and enable key-based authentication.

nano /etc/ssh/sshd_config

Find and change the following line:

PasswordAuthentication no

Save and close the file, then restart the SSH service to apply the changes.

systemctl restart sshd

Conclusion

In this post, we explained how to secure an OpenSSH server on Arch Linux. I hope this guide will help you to secure your SSH server in a production environment. You can secure the SSH server on VPS server hosting from Atlantic.Net!