Penetration Testing

Multiple Ways to Secure SSH Port

Secure Shell (SSH) is defined as a network protocol to operate network services securely over an unsecured network. The standard TCP port for SSH is 22. The best application of SSH is to remotely login into computer systems by users.

This article will be explaining about the network securities which help the network administrator to secure the service of SSH on any server through multiple ways.

 Methods Used:

  1. Port Forwarding
  2. Disable Password-Based Login And Using PGP Key (Public Key)
  3. Disable Root Login and Limit SSH User’s Access
  4. Google Authenticator
  5. Time Scheduling
  6. Disable Empty Passwords

Before moving on, Let us first install an SSH server on our client machine using the following command.

sudo apt-get install openssh-server

Port Redirection

Once the SSH services are configured and running, we can begin with our first security measure which is Port Forwarding. Upon initiating the scan on the client’s machine IP address using nmap, it shows that SSH is running on Port 22.

Navigate to /etc/ssh and we will find a file named sshd_config in the client’s machine.

cd /etc/ssh

Open the file sshd_config using nano command.

Now change the port 22 to port 2222 as shown in the below screenshot and save the changes made in the sshd_config file. Hence, in this way we have forwarded the port from 22 to 2222.

Now to confirm port forwarding, we will again scan the Client’s IP address using nmap

nmap 192.168.1.104

The output of the nmap shows that TCP port 2222 is opened; however, shows EthernetIP-1 in the service description which doesn’t give an exact description of the service running. So we will run the following nmap command with version detection option

nmap -sV 192.168.1.104

With the next output of nmap, it is clearly visible that SSH services are running on TCP Port 2222 along with the description of the OpenSSH version.

Secure With Public Key

To begin with this security measure we need to download and install PuTTY Key Generator.

Note: PuTTYgen is a key generator tool for creating SSH keys for PuTTY and stores keys in its own format ( .ppk extension)

Open it and Click on Generate.

Clicking on Generate will initiate the process of generating a Public and Private Key, as shown in the image.

Once Public and Private Key are generated, click on Save Private Key. This will save the key as a Public Key.

Now open the Ubuntu terminal of our server and type ssh-keygen.

The above command will create a folder named .ssh and then create an empty text file with the name authorized_keys in the same folder. After that copy the “ssh_login.ppk” file which was created using PuTTy Key Generator previously and paste it into the .ssh folder as shown in the image.

In the terminal, move into the .ssh folder and type the following command:

puttygen -L "ssh_login.ppk"

This command will open the key.

Now copy this key and paste it in the empty file named authorized_keys using nano command and save it.

Now open the putty configuration tab, then go to Session tab and give the IP Address & Port Number of your Clients Machine were ssh server is configured.

Now go to data and give Auto-login username.

Navigate to SSH>Auth and give the path of the ssh_login.ppk file (the public key that was generated earlier) and then click Open.

It will simply use the public key to Login into SSH Server without asking for Password.

Open the sshd_config file in /etc/ssh using gedit command. Here we will make changes in line #PasswordAuthentication as shown in the image.

Current configuration

#PasswordAuthentication yes

Now we will edit parameter value yes to no and remove the # (hash) as shown in the below image. Once done save the changes made. These changes will disable any user to log into SSH Server using the password.

PasswordAuthentication no

As you can see these settings have disabled password based login and is indeed asking for a Public Key to log in.

Disable Root Login and Limit SSH User’s Access

To begin with, this security measure you need to make some new User’s using adduser command (New User’s We have Created: h1,h2,h3,h4) then make changes in the sshd_config file in /etc/ssh using gedit command. Type the Following Lines under #Authentication:

#No root login allowed (h2 can log in as sudo –s)

PermitRootLogin no

## only allow 1 users h2 (sysadmin)

AllowUsers h2

Remember to save the changes made. This will disable Root Login and will allow the only h2 user to log into ssh server remotely.

As you can see the only h2 user is able to successfully log into SSH Server, where h1 and h3 users permission to log into SSH Server is denied.

 Google Authenticator

To begin with the two-factor authentication over SSH Server, you need to download the google authenticator application on your phone and also install the required dependency package for Ubuntu using the following command:

sudo apt-get install libpam-google-authenticator

NOTE-The installation of google authenticator will as ask a couple of questions give Yes for every question asked.

After the installation is completed. Open terminal and type command:

google-authenticator

We will see a barcode. Scan it using the google authenticator application on your phone.

Once the application has scanned the barcode, it will start generating One Time Password’s as shown in the image.

Now open sshd file in /etc/pam.d using gedit command and make the following changes:

  1. Add # to @include common-auth
  2. Add Line (auth required pam_google_authenticator.so) under @include common-password

As shown in the image.

Now open the sshd_config file in /etc/ssh using gedit command and make the following changes.

ChallengeResponseAuthentication yes

When we log into SSH Server it will prompt for a verification code, Here we have to enter the One Time Password generated on our google authenticator application. As you can see we have successfully logged into SSH Server using One Time Password.

Time Scheduling

In this security measure, we are going to set the time limit on SSH service on the server.

Cron is a built-in service of Linux to schedule task, which enables a job (command or script) on the server to run automatically over specified time and date.

Here we are going to schedule SSH services using crontab

We had open crontab in /etc using nano command. Now lets schedule ssh service in a way that it will start for every 2nd minute and will get stop after every 4th minute. The command used to schedule the SSH Service are given below:

*/2 * * * * root service ssh start
*/4 * * * * root service ssh stop

Save the changes made in the file.

Wait for service to reboot. Using nmap we have scan port 22.

nmap -p 22 192.168.1.104

After running the scan, we will observe that ssh service on port 22 is CLOSED because it is the 4th minute which has started.

Now if our command is working properly it should start itself on every 2nd minute, to confirm it we will again initiate a scan using nmap.

nmap –p 22 192.168.1.104

As we can see that the port is in the OPEN state now.

Disable Empty Password

In this security measure, as a best practice; one should always disable empty password login to the SSH Server. To enable this setting we need to open the sshd_config file using gedit command and make the following changes:

PermitEmptyPasswords No

These changes will simply disable empty password login’s into SSH Server.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. See’s things from a different angle and an out of the box thinker. Contact Here