Exposing an SSH server to the internet is risky: it will receive a constant stream of automated login attempts from attackers, and every one of them gets to guess a password.
A more secure approach is to expose it with the following configuration:
Disable root login
WARN: Make sure you can log in with a regular user (and become root with sudo) before disabling root login.
Set PermitRootLogin to no in the /etc/ssh/sshd_config file on your server:
sudo vim /etc/ssh/sshd_config
# Disable root login:
...
PermitRootLogin no
...
Then reload the sshd configuration (the unit is named sshd rather than ssh on RHEL-family systems):
sudo systemctl reload ssh
Use SSH keys instead of passwords
This method consists in using SSH keys for login instead of a password. For that we need to put each client machine's SSH public key into the server's ~/.ssh/authorized_keys file, so that the client can authenticate with its SSH private key; the private key never leaves the client.
Your client machine may already have keys in the ~/.ssh/ directory; key files usually start with the id_ prefix. You can reuse an existing key or create a new one (with a different name so the existing one is not overwritten).
Generate SSH keys with ssh-keygen (if no key exists yet or a dedicated key is desired):
# Run the command below and follow the on-screen instructions.
# Set a passphrase when prompted: it protects the private key if the client is lost.
# Add -t ed25519 to pick the key type (the default is RSA).
ssh-keygen
# Alternatively specify a custom file name if another key already exists;
# this writes <custom_key_name> (private) and <custom_key_name>.pub (public)
ssh-keygen -f <custom_key_name>
Add your public key to the server's ~/.ssh/authorized_keys file:
# 'ssh-copy-id' automates this step (it will ask for the user's password one last time)
ssh-copy-id <user>@<server>
# Alternatively, if using a custom key file, indicate the identity
ssh-copy-id -i <custom_key_name> <user>@<server>
Test SSH key authentication from your client machine to verify that it works:
# It should log in without asking for the user's password
ssh <user>@<server>
# With a custom key file, point ssh at the private key
ssh -i <custom_key_name> <user>@<server>
Disable password login
WARN: Make sure SSH key login works from every client before disabling password login, otherwise you lock yourself out.
Set PasswordAuthentication to no in the server's /etc/ssh/sshd_config file. On systems that authenticate through PAM, also set KbdInteractiveAuthentication to no (ChallengeResponseAuthentication on older OpenSSH releases); otherwise the server can still offer a password prompt through keyboard-interactive authentication.
sudo vim /etc/ssh/sshd_config
# Disable password login:
...
PasswordAuthentication no
...
Then reload the sshd configuration:
sudo systemctl reload ssh
Repeat the key generation, copy and test steps for each one of your client machines; all of them need a working key before password login is disabled.
As a fallback option you may want to allow password login from the internal network only, in case you lose your client machine or keys.
sshd allows overriding settings with Match blocks: everything after a Match line, until the next Match line or the end of the file, applies only to connections that satisfy the condition, so the block has to be the last thing in /etc/ssh/sshd_config. Add a block like the one below at the end of the file.
# Settings that override the global settings for matching IP addresses only
Match address 192.0.2.0/24
PasswordAuthentication yes
Use your own home network address range(s), and keep the range as narrow as possible: any device on that network can now attempt password logins.
Then reload the sshd configuration:
sudo systemctl reload ssh
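To confirm that the settings above are really in force, here is an added example written for this page (it is not code from the original guide or from OpenSSH) that audits a sshd_config file the way sshd reads it: the first value seen for a keyword wins, and anything after a Match line applies only to connections matching that line. Both sample configuration files are constructed inline; the audit assumes a single file with no Include directives and the whitespace-separated "Keyword value" form.

```shell
#!/bin/sh
# Added example: audit sshd_config for the two hardening settings in this guide.
# sshd uses the FIRST value it reads for a keyword, and keywords after a
# "Match" line only apply when that Match condition holds, so the global value
# is the first non-comment occurrence before any Match line.
# Assumptions: one config file, no Include directives, "Keyword value" syntax.

# Print the global value of a keyword (case-insensitive); prints nothing if absent.
global_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments, blank lines
        tolower($1) == "match"               { exit }       # global section ends here
        tolower($1) == key                   { print $2; exit }  # first value wins
    ' "$1"
}

# Return 0 when root login and password login are both disabled globally,
# 1 otherwise, printing one FAIL line per problem.
audit_sshd_config() {
    cfg="$1"
    rc=0
    root_login=$(global_setting "$cfg" PermitRootLogin)
    pw_auth=$(global_setting "$cfg" PasswordAuthentication)
    # OpenSSH defaults when the keyword is not set at all
    [ -n "$root_login" ] || root_login="prohibit-password"
    [ -n "$pw_auth" ] || pw_auth="yes"
    if [ "$root_login" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$root_login' (want: no)"; rc=1
    fi
    if [ "$pw_auth" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$pw_auth' (want: no)"; rc=1
    fi
    return $rc
}

# Constructed sample: what /etc/ssh/sshd_config looks like after this guide.
# The "yes" inside the Match block must NOT count as the global value.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no

# Settings that override the global settings for matching IP addresses only
Match address 192.0.2.0/24
    PasswordAuthentication yes
EOF

# Constructed sample of a common mistake: "PasswordAuthentication no" appended
# at the bottom does nothing, because the earlier "yes" is the first value.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
# appended later, silently ignored by sshd
PasswordAuthentication no
EOF

trap 'rm -f "$HARDENED_CFG" "$WEAK_CFG"' EXIT

for f in "$HARDENED_CFG" "$WEAK_CFG"; do
    if audit_sshd_config "$f"; then echo "$f: OK"; fi
done
```

On a real server, run `sudo sshd -t` to syntax-check the file before `systemctl reload` (a broken file can leave you without a way back in), and `sudo sshd -T` to print the effective configuration sshd will use; `sudo sshd -T -C addr=192.0.2.10` evaluates the Match blocks for a given client address, which is the quickest way to confirm the internal-network fallback behaves as intended.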
Use the following commands to view authentication activity on the server:
# Shows successful logins and session lengths
sudo last
# Shows failed login attempts and their source IPs
sudo lastb
# Shows detailed authentication info (may need sudo; on RHEL-family systems look in /var/log/secure or use journalctl -u sshd)
cat /var/log/auth.log
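Reading auth.log by hand gets tedious once the bots arrive, so here is an added example written for this page (not taken from the original guide or from OpenSSH) that summarises sshd events from an auth.log-style file: failed password attempts per source address, and successful logins with the method used. The log lines are constructed samples in the syslog format sshd emits on Debian/Ubuntu; the pam_unix line is there to show that only sshd's own "Failed password" and "Accepted" messages are counted.

```shell
#!/bin/sh
# Added example: summarise sshd authentication events from an auth.log-style file.
# Sample log lines below are constructed, not real events.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 host sshd[1234]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 10:02:01 host sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:03:44 host sshd[1250]: Failed password for invalid user test from 203.0.113.9 port 22222 ssh2
Mar  3 10:04:00 host sshd[1251]: Accepted password for bob from 192.0.2.20 port 40100 ssh2
Mar  3 10:04:30 host sshd[1260]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
EOF
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Count "Failed password" events per source address, busiest first.
# The address is the field after "from", which works for both
# "Failed password for root from X" and "... for invalid user NAME from X".
# Other failure messages ("Invalid user", pam_unix lines) are not counted here.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Number of failed password attempts from one address (0 if none).
failed_count_for() {
    failed_by_source "$1" |
        awk -v ip="$2" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# Successful logins as "user method source". Once PasswordAuthentication is
# "no" globally, a "password" row whose source is outside the Match network
# in sshd_config is something to investigate.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted (publickey|password|keyboard-interactive) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i-1), $(i-3), $(i+1); break }
         }' "$1"
}

echo "Failed password attempts by source:"
failed_by_source "$SAMPLE_LOG"
echo "Accepted logins (user method source):"
accepted_logins "$SAMPLE_LOG"
```

Point the functions at the real file (`failed_by_source /var/log/auth.log`) to get the same view that `lastb` gives, but with the counts that make it obvious which addresses are worth blocking at the firewall; on journald-only hosts feed them `journalctl -u sshd --no-pager -o short` instead.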