Linux Boards

Strengthening SSH Security on Single Board Computers Running Linux Distros: A Step-by-Step Guide

6 min read
Strengthening SSH Security on Single Board Computers Running Linux Distros: A Step-by-Step Guide
Strengthening SSH Security on Single Board Computers Running Linux Distros: A Step-by-Step Guide

Single board computers (SBCs) powered by Linux distributions are increasingly utilized for diverse applications. However, ensuring the robust security of these devices, especially concerning SSH (Secure Shell) access, is imperative to thwart potential unauthorized access and exploits. In this detailed guide, we’ll delve into comprehensive measures for securing SSH on SBCs running Linux distros, providing explicit commands, code snippets, and configuration samples for each step.

Understanding SSH

SSH is a cryptographic network protocol facilitating secure remote access to computers or servers over unsecured networks. It offers encryption and authentication mechanisms to safeguard data transmission and user credentials from interception and unauthorized access.

Diagram of SSH protocol
Diagram of SSH protocol

For consumers using single board computers (SBCs) at home, whether for personal projects, media centers, or home automation, securing SSH configuration is essential for several reasons:

  1. Protecting personal data: Many users store personal data, including documents, photos, and sensitive information, on their SBCs. Securing SSH helps prevent unauthorized access to this data, safeguarding users’ privacy and confidentiality.

  2. Preventing unauthorized cccess: Home networks are not immune to security threats. Without proper SSH security measures, malicious actors could gain unauthorized access to SBCs, potentially compromising home network security, accessing personal files, or even conducting malicious activities such as launching attacks on other devices on the network.

  3. Safeguarding IoT devices: SBCs are commonly used in DIY home automation projects, controlling smart devices such as lights, thermostats, and security cameras. By securing SSH access, users can prevent unauthorized control or manipulation of these IoT devices, ensuring the integrity and security of their home automation systems.

  4. Mitigating risks of IoT botnets: In recent years, compromised IoT devices have been exploited to form botnets used for launching large-scale cyberattacks. By securing SSH access on SBCs, users can reduce the risk of their devices being hijacked and used as part of botnet armies, contributing to overall internet security.

  5. Preventing unauthorized software installation: With SSH access, users can install, configure, and manage software on their SBCs remotely. However, without proper security measures, unauthorized individuals could exploit this access to install malicious software or make unauthorized changes to the system, potentially compromising the stability and security of the device.

  6. Ensuring family safety: In households with multiple users, securing SSH access helps ensure that only authorized individuals can access and manage the SBC. This prevents accidental or intentional tampering with critical system settings, ensuring the safety and stability of the device for all family members.

Hardening SSH security

Hardening Access to Your Server | Linux Security Tutorial

1. Update system and SSH software

Before fortifying security measures, ensure your SBC’s operating system and SSH software are up-to-date to patch vulnerabilities and enhance security.

sudo apt update
sudo apt upgrade

2. Disable root login

Prevent direct root login via SSH to mitigate potential brute-force attacks. Create a separate user with sudo privileges for administrative tasks.

Edit SSH configuration file.

sudo nano /etc/ssh/sshd_config

Set PermitRootLogin to no.

PermitRootLogin no

Restart SSH service.

sudo systemctl restart sshd.service

3. Implement strong password policies

Enforce robust password policies for SSH users, including minimum length, complexity, and expiration. Utilize passwd to manage user passwords.

sudo passwd <username>

4. Enable two-factor authentication (2FA)

Enhance security with 2FA, adding an extra layer of authentication. Utilize packages like Google Authenticator.

sudo apt install libpam-google-authenticator

Follow the setup prompts.


Edit /etc/pam.d/sshd to enable 2FA.

auth required

5. Configure SSH key-based authentication

Key-based authentication offers superior security. Generate SSH key pairs on the client machine and transfer the public key to the SBC.

Generate SSH key pair.

ssh-keygen -t ed25519 -C 'Description' -f ~/.ssh/id_ed25519

Transfer public key to SBC.

ssh-copy-id -i ~/.ssh/ <username>@<sbc-ip-address>

Disable password authentication in SSH configuration.

sudo nano /etc/ssh/sshd_config

Set PasswordAuthentication to no.

PasswordAuthentication no

Restart SSH service.

sudo systemctl restart sshd.service

6. Restrict SSH access

Limit SSH access to specific IP addresses or networks using firewall rules with ufw.

sudo ufw allow from <trusted-ip-address> to any port 22
sudo ufw enable

7. Change default SSH port

Alter the default SSH port to a non-standard port to deter automated scanning.

Edit SSH configuration file.

sudo nano /etc/ssh/sshd_config

Change Port to desired port (e.g., 2222).

Port 2222

Restart SSH service.

sudo systemctl restart sshd.service

8. Enable SSH logging

Enable SSH logging to monitor and audit access attempts.

Edit SSH configuration file.

sudo nano /etc/ssh/sshd_config

Uncomment or add the following lines.

SyslogFacility AUTH

Restart SSH service.

sudo systemctl restart sshd.service

9. Configure SSH idle timeout

Edit SSH configuration file.

sudo nano /etc/ssh/sshd_config

Add or adjust the following lines.

ClientAliveInterval 300
ClientAliveCountMax 2

Restart SSH service.

sudo systemctl restart sshd.service

10. Disable unused features

Disable features that are not required for your specific use case to reduce the attack surface. Commonly disabled features include X11 forwarding, TCP forwarding, and agent forwarding.

Edit SSH configuration file.

sudo nano /etc/ssh/sshd_config

Disable X11 forwarding.

X11Forwarding no

Disable TCP forwarding.

AllowTcpForwarding no

Disable agent forwarding.

AllowAgentForwarding no

Restart SSH service.

sudo systemctl restart sshd.service

11. Limit User Permissions

Restrict SSH access to specific users or groups to minimize the risk of unauthorized access. Use the AllowUsers or AllowGroups directives to specify permitted users or groups.

Edit SSH configuration file.

sudo nano /etc/ssh/sshd_config

Limit SSH access to specific users.

AllowUsers username1 username2

Or limit SSH access to specific groups.

AllowGroups group1 group2

Restart SSH service.

sudo systemctl restart sshd.service

12. Optimize cryptographic settings

Configure SSH to use strong cryptographic algorithms and key exchange mechanisms to enhance security.

Edit SSH configuration file.

sudo nano /etc/ssh/sshd_config

Restart SSH service.

sudo systemctl restart sshd.service

Disable weak algorithms (e.g., SHA1, MD5).

# Disable weak MAC algorithms
MACs [email protected],[email protected]
# Disable weak key exchange algorithms
KexAlgorithms diffie-hellman-group-exchange-sha256
# Enable strong ciphers
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

13. Implement rate-limiting for authentication attempts

Mitigate brute-force attacks by configuring SSH to limit the number of authentication attempts per connection or per unit of time.

Install and configure Fail2ban to monitor SSH authentication logs and dynamically block IP addresses that exhibit suspicious behavior.

sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Add or modify the SSH section to enable SSH rate-limiting.

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5

Harden the SSH configuration on your single board computers by disabling unused features, limiting user permissions, optimizing cryptographic settings, and implementing rate-limiting for authentication attempts. These measures collectively strengthen the security of SSH access and help safeguard your SBCs against potential security threats and unauthorized access attempts. Regularly review and update your SSH configuration to adapt to evolving security best practices and mitigate emerging risks effectively.