# 🔒Enhancing SSH Security for a Validator

### **1. Changing the Default SSH Port**

By default, SSH listens on **port 22**, so every internet-facing server is constantly probed there by automated scanners. Moving it to a non-standard port cuts down that noise and improves security; treat it as a complement to the authentication hardening in the following sections, not a replacement.

1. Open the SSH configuration file:

   ```bash
   sudo nano /etc/ssh/sshd_config
   ```
2. Find the line:

   ```plaintext
   #Port 22
   ```

   Change it to something like:

   ```plaintext
   Port 2222
   ```
3. Save changes (**Ctrl + X → Y → Enter**), validate the file with `sudo sshd -t` (it prints nothing when the syntax is correct), and restart SSH. Keep your current session open until you have confirmed that a new connection on the new port works:

   ```bash
   sudo systemctl restart sshd
   ```

**Important:** Make sure the new port is allowed in your firewall.

```bash
sudo ufw allow 2222/tcp
```

***

### **2. Disabling Password Authentication**

Using passwords makes your server vulnerable to brute-force attacks. SSH keys provide better security.

#### **Generating SSH Keys**

On your **local computer** (not the server), run:

```bash
ssh-keygen -t ed25519 -C "your_email@example.com"
```

This creates a private key (`~/.ssh/id_ed25519`) and a public key (`~/.ssh/id_ed25519.pub`). Protect the private key with a passphrase when prompted; only the `.pub` file is ever copied to the server.

#### **Adding the Key to the Server**

Copy the public key to your server:

```bash
ssh-copy-id -p 2222 user@your_server
```

Or manually (the `chmod` calls keep the permissions strict enough for sshd, which by default refuses keys from a group- or world-writable `authorized_keys`):

```bash
cat ~/.ssh/id_ed25519.pub | ssh -p 2222 user@your_server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
```

#### **Disabling Password Authentication**

Edit the SSH config:

```bash
sudo nano /etc/ssh/sshd_config
```

Find the line (in the stock file it is commented out as `#PasswordAuthentication yes`), uncomment it and set it to:

```plaintext
PasswordAuthentication no
```

Before restarting, open a second terminal and confirm that the key-based login works, so a typo cannot lock you out.

Restart SSH:

```bash
sudo systemctl restart sshd
```

***

### **3. Restricting SSH Access to Specific Users**

Limit SSH access to selected accounts: only the users listed here can log in over SSH, and everyone else, including `root`, is refused.

In `/etc/ssh/sshd_config`, add:

```plaintext
AllowUsers validator_user
```

Restart SSH:

```bash
sudo systemctl restart sshd
```

***

### **4. Enabling Two-Factor Authentication (2FA)**

Adding 2FA enhances security with an additional authentication step.

1. Install **Google Authenticator**:

   ```bash
   sudo apt install libpam-google-authenticator
   ```
2. Run the setup as the user that will log in over SSH (not via `sudo`, because the secret is stored in that user's home directory):

   ```bash
   google-authenticator
   ```

   Follow the instructions and scan the QR code in the Google Authenticator app.
3. Enable 2FA in SSH: edit `/etc/pam.d/sshd` and add:

   ```plaintext
   auth required pam_google_authenticator.so
   ```
4. In `/etc/ssh/sshd_config`, enable challenge-response authentication (OpenSSH 8.7 and newer call this option `KbdInteractiveAuthentication`; the old name still works as an alias):

   ```plaintext
   ChallengeResponseAuthentication yes
   ```

   Because password authentication is disabled, a login that succeeds with the key alone never reaches the PAM challenge; to require the code in addition to the key, also set `AuthenticationMethods publickey,keyboard-interactive`.
5. Restart SSH:

   ```bash
   sudo systemctl restart sshd
   ```
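To verify that the settings from sections 1 to 4 actually took effect in the file, here is an added audit script (example code written for this page, not part of the original guide or any project tooling). It assumes whitespace-separated `Key value` lines, reads only the one file you pass it, and follows sshd's rule that the first uncommented occurrence of a directive wins; two constructed sample configs are built inline so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config file against the
# settings recommended in sections 1-4. sshd honours the FIRST uncommented occurrence
# of a directive, so that is the value compared. Assumes whitespace-separated
# "Key value" lines; "Include"d files (e.g. /etc/ssh/sshd_config.d/*.conf) are not
# followed. On the server, `sudo sshd -T` prints the fully resolved configuration.

# get_directive FILE KEY -> value of the first active KEY line, empty if unset
get_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                           # commented-out lines do nothing
        tolower($1) == tolower(key) { print $2; exit } # first match wins, as in sshd
    ' "$1"
}

# check_setting FILE KEY EXPECTED -> 0 if the effective value matches (case-insensitive)
check_setting() {
    actual=$(get_directive "$1" "$2" | tr '[:upper:]' '[:lower:]')
    expected=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    if [ "$actual" = "$expected" ]; then
        printf 'OK    %-32s %s\n' "$2" "$actual"; return 0
    fi
    printf 'FAIL  %-32s got "%s", expected "%s"\n' "$2" "${actual:-<unset>}" "$3"; return 1
}

# audit_sshd_config FILE -> 0 only if every setting from sections 1-4 is in place
audit_sshd_config() {
    failures=0
    check_setting "$1" Port 2222                           || failures=$((failures + 1))
    check_setting "$1" PasswordAuthentication no           || failures=$((failures + 1))
    check_setting "$1" ChallengeResponseAuthentication yes || failures=$((failures + 1))
    if [ -n "$(get_directive "$1" AllowUsers)" ]; then
        printf 'OK    %-32s %s\n' AllowUsers "$(get_directive "$1" AllowUsers)"
    else
        printf 'FAIL  %-32s unset: any valid account may log in\n' AllowUsers
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Constructed sample files (not copied from any real server) so the audit runs offline.
SAMPLE_DIR=$(mktemp -d)
HARDENED_CONFIG="$SAMPLE_DIR/hardened.conf"; STOCK_CONFIG="$SAMPLE_DIR/stock.conf"
printf 'Port 2222\nPasswordAuthentication no\nChallengeResponseAuthentication yes\nAllowUsers validator_user\n' > "$HARDENED_CONFIG"
# Typical mistakes: Port still commented out, and a later "no" that never overrides the earlier "yes"
printf '#Port 22\nPasswordAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$STOCK_CONFIG"

echo "== hardened =="; audit_sshd_config "$HARDENED_CONFIG"
echo "== stock =="; audit_sshd_config "$STOCK_CONFIG" || echo "stock config fails the audit, as expected"
```

Run it against `/etc/ssh/sshd_config` with `audit_sshd_config /etc/ssh/sshd_config`, and compare with `sudo sshd -T` when the file uses `Include`.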

***

### **5. Limiting Failed Login Attempts**

Use **Fail2Ban** to protect against brute-force attacks.

#### **Installing and Configuring Fail2Ban**

```bash
sudo apt install fail2ban -y
```

Create a configuration file:

```bash
sudo nano /etc/fail2ban/jail.local
```

Add:

```plaintext
[sshd]
enabled = true
# must match the Port set in sshd_config
port = 2222
# ban after 3 failures within findtime seconds (10 minutes), for bantime seconds (1 hour)
maxretry = 3
findtime = 600
bantime = 3600
```

Restart Fail2Ban:

```bash
sudo systemctl restart fail2ban
```

***

### **6. Restricting SSH Access by IP (Whitelist)**

If you always connect from a static IP, restrict SSH access to that IP only. This relies on TCP Wrappers (`libwrap`), which upstream OpenSSH removed in version 6.7 and which not every distribution's `sshd` build still links; confirm with `ldd /usr/sbin/sshd | grep libwrap` before relying on it, and otherwise enforce the same restriction in the firewall instead.

Edit `/etc/hosts.allow`:

```plaintext
sshd: 192.168.1.100
```

Block all other IPs in `/etc/hosts.deny`:

```plaintext
sshd: ALL
```

***

### **7. Configuring the Firewall (UFW)**

Close unnecessary ports and allow only the SSH port you set. UFW denies incoming connections by default, so add the allow rule before enabling the firewall:

```bash
sudo ufw allow 2222/tcp   # the port chosen in section 1
sudo ufw enable
```

Check firewall status:

```bash
sudo ufw status verbose
```

***

### **8. Monitoring SSH Access**

Check active SSH sessions:

```bash
who
```

View failed login attempts (on systems that log only to the systemd journal rather than `/var/log/auth.log`, use `sudo journalctl _COMM=sshd | grep Failed`):

```bash
sudo grep "Failed" /var/log/auth.log
```

***

Now your SSH access is well-protected. The key security measures include **SSH keys instead of passwords, 2FA, Fail2Ban, and firewall rules**.

