A quick guide to basic SSH setup on your Debian server: Mastering sshd_config

Often, inexperienced users who have rented a server for the first time do not know how to connect to it. And even when, using the Internet, they learn about what SSH is and how to use it to access the server, not everyone thinks about security.
But protecting your server is of paramount importance, and one of the most important aspects of server security is the correct SSH (Secure Shell) configuration. SSH allows you to establish a secure and encrypted connection to your Debian server for remote access and administration. In this quick tutorial, we'll walk through the sshd_config configuration file, explore the most important options, and provide practical examples to help you increase the security and functionality of your SSH service.

sshd_config - is the main configuration file for the SSH server daemon (sshd). It resides in the /etc/ssh/ directory and governs various aspects of the SSH service. By customizing sshd_config, you can control authentication methods, manage user access, and improve overall security.

Connection options.

1. The first thing that is always recommended to do after you have installed the operating system on the VPS or Dedicated server is to change the SSH port number. As is already clear from the title and context of our post, we will do this in the configuration file. Open it and find the line:

#Port 22

Uncomment it (remove the pound sign at the beginning of the line) and change the time number, for example, to 2222:

Port 2222

2. The PermitRootLogin parameter determines whether the root user is allowed to log in directly via SSH. It is recommended to disable direct root login and use a non-root user instead. Set it to "no" as follows:

PermitRootLogin no

3. Enabling PubkeyAuthentication allows users to authenticate using public key cryptography, significantly enhancing security. Generate an SSH key pair, upload the public key to the server, and modify sshd_config:

PubkeyAuthentication yes

4. AllowUsers and DenyUsers. These parameters control which users are allowed or denied SSH access. Specify usernames separated by spaces. For example, to allow only "user1" and "user2" access, add the following lines:

AllowUsers user1 user2

To deny access to specific users, use DenyUsers in the same way.

5. AllowGroups and DenyGroups. Similarly, AllowGroups and DenyGroups provide access control based on group membership. Specify group names separated by spaces. For example, to allow access to the "admins" group, add the line:

AllowGroups admins

Session and Connection Settings.

1. ClientAliveInterval and ClientAliveCountMax. These parameters manage idle SSH sessions. ClientAliveInterval sets the time in seconds after which the server sends a null packet to the client to check if it is still active. ClientAliveCountMax determines the maximum number of unanswered messages before the server terminates the connection. For example:

ClientAliveInterval 120
ClientAliveCountMax 3

 

2. TCPKeepAlive. Enabling TCPKeepAlive allows the server to detect dead TCP connections and close them. Add the following line to activate this feature:

TCPKeepAlive yes

Some advanced Security Settings.
1. PermitEmptyPasswords. It is highly recommended to disallow empty passwords to prevent unauthorized access. Ensure the following line is present and commented out or set to "no":

# PermitEmptyPasswords no

2. PasswordAuthentication. To enforce SSH key-based authentication and disable password authentication, set the PasswordAuthentication parameter to "no":

PasswordAuthentication no

3. LoginGraceTime. LoginGraceTime specifies the time in seconds a user has to authenticate after establishing an SSH connection. Setting a shorter time can mitigate the risk of brute-force attacks. Modify the line as desired, e.g.:

LoginGraceTime 30s

 

Apply settings.

To apply the settings that you have made to the file, you must first save and close it.
Then in the console you need to type the command:

service sshd restart

,after which this service will be restarted with new settings

 

You can read more about sshd_config file here.

Never neglect the server security settings, including the SSH setting, since every server, as soon as it appears on the network, instantly becomes the object of scanning and automatic hacking attempts, first by bots, and then manually.
Therefore, be vigilant, never leave the server unconfigured otherwise it will quickly cease to be YOUR server :)

 

If you have any additional questions on the topic of setting up SSH - please ask them in the comments - we will answer all questions.