

Setting Up SSH Securely

The SSH protocol itself is secure, but a default server install still leaves two things worth fixing. The most common attack on SSH is password brute-forcing, which only works if the attacker can find the port and the server accepts passwords. Scanner bots mostly probe a short list of well-known ports, with the SSH default of port 22 near the top, or scan roughly the first 1000 ports, since scanning all 65535 ports across many IPs takes a long time. Moving SSH to a port above 40000 therefore keeps most automated probes out of your logs. This is obscurity rather than security: a targeted scan of the full port range still finds the service, so treat the port change as noise reduction, not as a defence. The real protection is to allow logins only with a key pair and to disable password authentication, which removes password guessing as an attack class entirely. This article explains both. The port change is easier but far weaker; key-only authentication should be the default for any SSH server reachable from the internet.

This tutorial is targeted at Ubuntu 16.04 LTS; other distributions may have slight differences, but the process is the same.

For setting up an SFTP server with secure, separated user shares, follow this guide: Create Secure SFTP Server with User Jails

Process

Port Changing

Install and enable SSH if it is not installed already.

sudo apt install ssh
sudo systemctl enable ssh

Configure sshd to listen on a different port. The config file is owned by root, so edit it with sudo:

sudo nano /etc/ssh/sshd_config

Change the number after Port (line 5 in the stock 16.04 file) to something above 40000, for example 47022:

# What ports, IPs and protocols we listen for
Port 22  <= Change this line
# Use these options to restrict...

Before restarting, check that the file still parses with sudo sshd -t, and if ufw or another firewall is enabled, open the new port first or you will lock yourself out. Then run sudo systemctl restart ssh and, keeping your current session open, confirm that a fresh connection on the new port works (ssh -p 47022 user@host) before you close it.

Setup Key

Generate the key on the machine you will connect from, not on the server: the private key stays on the client and only the public half is copied over. ssh-keygen asks where to store the key and for an optional passphrase, which encrypts the private key on disk and is worth setting. RSA 4096 as below is fine; the OpenSSH in 16.04 also supports the shorter ed25519 key type (-t ed25519).

ssh-keygen -t rsa -b 4096

Copy the public key to the server. If you have already changed the SSH port, you need to specify it; ssh-copy-id takes -p before the destination:

ssh-copy-id -p <port number> <username>@<host>

More information and troubleshooting options can be found at https://help.ubuntu.com/community/SSH/OpenSSH/Keys and https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2

SFTP

Connecting to a server

Example:

$ sftp USERNAME@x.x.x.x:/dir

sftp uses a capital -P for the port because lowercase -p already means "preserve timestamps and permissions" (the same convention as scp); ssh uses lowercase -p:

$ ssh USERNAME@x.x.x.x -p PORT
$ sftp -P PORT USERNAME@x.x.x.x:/dir

Mounting an SFTP Share in fstab

Getting an sshfs entry in fstab to mount automatically at boot is a problem I have yet to solve with fstab mount options alone. The sample entry below works fine when "$ sudo mount -a" is run after boot. First generate an SSH key and copy it to the server as outlined in the sections above. Then add the following line to your /etc/fstab. The fields are separated by whitespace, so the paths must not contain spaces, and if you changed the SSH port add port=PORT to the options. One thing to check: mount -a runs as root, so the IdentityFile must be readable by root and the server's host key must already be in root's known_hosts (/root/.ssh/known_hosts), otherwise the non-interactive mount fails at the host-key prompt.

USERNAME@x.x.x.x:/remote/dir      /local/mount/dir        fuse.sshfs      _netdev,users,idmap=user,IdentityFile=/home/USERNAME/.ssh/id_rsa,allow_other,reconnect   0       0
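As an added check, not from the original page: a small shell function that validates an sshfs fstab entry the way mount reads it (whitespace-separated fields), rejecting the mistakes that make mount -a fail outright and warning about the ones that only bite at boot. The sample entries and the fuse.conf path are assumptions; the first sample is the page's line with the spaces taken out of the placeholder paths.

```shell
#!/bin/sh
# Added example, not from the original page: validate an sshfs entry for
# /etc/fstab the way mount(8) will read it. The sample lines and the
# fuse.conf path are assumptions.

# Returns 1 with a reason on stderr if the entry cannot work, 0 if it parses.
# Problems that fail only at boot (not at "mount -a") are printed as warnings.
check_sshfs_fstab_entry() {
    line="$1"; fuseconf="${2:-/etc/fuse.conf}"
    set -f                      # no globbing while we split the line
    set -- $line                # whitespace-separated, exactly like mount
    set +f
    if [ "$#" -ne 6 ]; then
        echo "expected 6 fields, got $#: a space in a path must be written as \\040" >&2
        return 1
    fi
    src="$1"; mnt="$2"; fstype="$3"; opts="$4"
    case "$src" in
        *@*:*) ;;
        *) echo "source must look like USER@HOST:/path, got '$src'" >&2; return 1 ;;
    esac
    case "$mnt" in
        /*) ;;
        *) echo "mount point must be an absolute path, got '$mnt'" >&2; return 1 ;;
    esac
    [ "$fstype" = fuse.sshfs ] || { echo "type must be fuse.sshfs, got '$fstype'" >&2; return 1; }
    case ",$opts," in
        *,_netdev,*) ;;
        *) echo "warning: without _netdev the mount may run before the network is up" >&2 ;;
    esac
    case ",$opts," in
        *,IdentityFile=*) ;;
        *) echo "warning: no IdentityFile=, so a root mount at boot uses root's keys, not yours" >&2 ;;
    esac
    case ",$opts," in
        *,allow_other,*)
            # A non-root mount (the "users" option) needs user_allow_other in fuse.conf.
            grep -q '^[[:space:]]*user_allow_other' "$fuseconf" 2>/dev/null ||
                echo "warning: allow_other by a non-root user needs user_allow_other in $fuseconf" >&2 ;;
    esac
    return 0
}

# Constructed sample entries: the first is the page's line without spaces in
# the placeholder paths, the second keeps the spaces and so has too many fields.
GOOD_ENTRY='USERNAME@x.x.x.x:/remote/dir /local/mount/dir fuse.sshfs _netdev,users,idmap=user,IdentityFile=/home/USERNAME/.ssh/id_rsa,allow_other,reconnect 0 0'
BAD_ENTRY='USERNAME@x.x.x.x:/remote dir /local mount dir fuse.sshfs _netdev,users 0 0'

# Stand-alone demonstration; the exit status is what a script would test.
check_sshfs_fstab_entry "$GOOD_ENTRY" && echo "entry accepted"
check_sshfs_fstab_entry "$BAD_ENTRY" || echo "entry rejected (spaces in paths)"
```

Run it against the line you intend to put in /etc/fstab before editing the file; a rejected entry would otherwise only show up as a mount error, and a warning points at the boot-time problems the fstab syntax alone cannot catch.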

SSH Keys

On the client machine, generate a key (with a passphrase if you wish), copy it to the server, and confirm that logging in with it works:

ssh-keygen -t rsa
ssh-copy-id user@x.x.x.x
ssh user@x.x.x.x

On the server, after logging in with the key:

sudo nano /etc/ssh/sshd_config

Set the following so that password logins are refused and only keys are accepted. PermitEmptyPasswords no (already the default) only blocks accounts with a blank password; it is PasswordAuthentication no that enforces key-only access. Leave the stock ChallengeResponseAuthentication no in place too, since keyboard-interactive is another way to send a password. Then run sudo sshd -t, restart with sudo systemctl restart ssh, and test a new login from a second terminal before closing the session you are in, so a mistake cannot lock you out.

PasswordAuthentication no
PermitEmptyPasswords no
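The following script is added here as an example and is not part of the original page. It does what the Port Changing and SSH Keys sections describe in one reproducible step: it rewrites sshd_config directives idempotently (the first active or commented-out occurrence is replaced and later duplicates dropped, so running it twice is safe), sets a high port together with the directives that actually enforce key-only logins, and checks the result. The port 47022, the backup path, and the ufw step are assumptions, as is a stock sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example, not from the original page: idempotent sshd_config editing
# for the port change and key-only login described above.
# Assumptions: a stock sshd_config without Match blocks; port 47022 and the
# paths in apply_on_server() are placeholders.

# Print the first active value of a directive (sshd honours the first one).
get_sshd_option() {
    # $1 = sshd_config path, $2 = directive name (sshd matches case-insensitively)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Set a directive to exactly one active value. The first "Key value" or
# "#Key value" line is rewritten, later copies are dropped, and the directive
# is appended if it never appears. Written to a temp file and then renamed, so
# an interrupted run cannot leave a truncated config behind.
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"
    newfile="$cfg.tmp.$$"
    awk -v k="$key" -v v="$val" '
        BEGIN { lk = tolower(k) }
        tolower($1) == lk || tolower($1) == ("#" lk) {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$cfg" > "$newfile" && mv "$newfile" "$cfg"
}

# Apply both measures from the page: a high listening port and key-only logins.
# PermitEmptyPasswords no is the default and only blocks blank passwords; it is
# PasswordAuthentication no (plus ChallengeResponseAuthentication no, which
# closes the keyboard-interactive password path) that removes password logins.
harden_sshd_config() {
    cfg="$1"; port="$2"
    case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range (1024-65535): $port" >&2; return 1
    fi
    set_sshd_option "$cfg" Port "$port" &&
    set_sshd_option "$cfg" PubkeyAuthentication yes &&
    set_sshd_option "$cfg" PasswordAuthentication no &&
    set_sshd_option "$cfg" ChallengeResponseAuthentication no &&
    set_sshd_option "$cfg" PermitEmptyPasswords no
}

# True only if the file really enforces key-only logins.
sshd_is_key_only() {
    [ "$(get_sshd_option "$1" PasswordAuthentication)" = no ] &&
    [ "$(get_sshd_option "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(get_sshd_option "$1" PubkeyAuthentication)" != no ]   # default is yes
}

# The live procedure on the server, run as root and only after a key login
# has been confirmed from a second terminal. Not invoked here.
apply_on_server() {
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak || return 1
    harden_sshd_config /etc/ssh/sshd_config 47022 || return 1
    /usr/sbin/sshd -t || return 1                       # refuse to restart a broken config
    command -v ufw >/dev/null && ufw allow 47022/tcp    # if ufw is active, or the port stays blocked
    systemctl restart ssh
    sshd_is_key_only /etc/ssh/sshd_config
    # Now test "ssh -p 47022 user@host" from the second terminal before closing the first.
}
```

The awk in set_sshd_option matches only "Key value" and "#Key value" forms, which is how the stock file comments out defaults, so a prose comment such as "# Port forwarding ..." is left alone. The range check on the port is deliberate: a typo that lands on a privileged or invalid port would otherwise be written out and only fail at restart.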
server/ssh.1624034180.txt.gz · Last modified: 2021/06/18 16:36 by 127.0.0.1