What are best practices for accessing my EC2 Linux instance securely using SSH while avoiding unauthorized access?
Last updated: 2021-10-05
I want to access my Amazon Elastic Compute Cloud (Amazon EC2) instance using SSH. What are best practices for keeping my instance secure and avoiding unauthorized access when using SSH?
Note: Run the following commands with root privileges. Run the sudo -i command to become the root user.
Don't allow the root user to use an SSH terminal
By default, Amazon-provided AMIs and most AWS Marketplace AMIs don't allow the root user to log in over SSH. If your instance allows the root user to log in, then follow these steps to deny access.
1. Invalidate the root user's password by putting an * (asterisk) in the password field of /etc/shadow. Edit the file with vipw -s, which locks the file while you edit it:
vipw -s
The first line is usually the root user's line. Change the second (password) field of that line to * and leave the other fields as they are, so that the line begins as follows:
root:*:
This blocks every password login for root, including on the EC2 serial console. It does not affect sudo -i, which checks your own user's credentials, not root's.
2. Edit the SSH daemon's configuration file using an editor such as vi:
vi /etc/ssh/sshd_config
Make sure that the following line is present and uncommented. This line denies SSH login to the root user, including key-based login. (The compiled-in default is prohibit-password, which still lets root log in with a key.)
PermitRootLogin no
3. Check the configuration for syntax errors, and then restart the SSH daemon. Keep your current SSH session open until you have confirmed that you can open a new one, because a broken sshd_config locks you out of the instance:
sshd -t
systemctl restart sshd
For information on the other values of the PermitRootLogin option, see the sshd_config man page.
Be sure that all users log in with an SSH key pair, and then deactivate password authentication
The default configuration for Amazon-provided AMIs is key pair login with password authentication deactivated. A password login exposes your instance to brute-force and credential-stuffing attacks, and a weak password can be guessed to gain access.
If you changed your instance to use passwords, revert to the default configuration as follows:
1. Use vi, or the editor of your choice, to open the sshd_config file:
vi /etc/ssh/sshd_config
2. Verify that the following line is present and uncommented:
PasswordAuthentication no
On distributions whose sshd_config starts with an Include directive (for example, Ubuntu 20.04 and later), a file under /etc/ssh/sshd_config.d/ can set this option first, and sshd uses the first value it reads. To see the value that is actually in effect, run sshd -T as root and check the PasswordAuthentication and KbdInteractiveAuthentication entries (ChallengeResponseAuthentication on older releases). Both should be no, because keyboard-interactive authentication through PAM can also accept a password.
3. Restart the SSH daemon:
systemctl restart sshd
Note: Make sure that each user's public key is installed before you deactivate password authentication, so that you don't lose SSH access to the instance. Each user's public keys go in ~/.ssh/authorized_keys in that user's home directory, and neither the directory nor the file may be writable by anyone else (for example, mode 700 and 600), or sshd ignores them while StrictModes is on, which is the default. For more information on key-based logins, see Amazon EC2 key pairs and Linux instances.
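The two procedures above (denying root login and turning off password authentication), as an added example that is not from the original page and not AWS's or OpenSSH's code: a POSIX shell script that applies PermitRootLogin no and PasswordAuthentication no to a copy of sshd_config and then checks which value sshd would actually use. The function names, the sample configuration file, and the weak settings in it are constructed for this example; nothing here touches /etc/ssh/sshd_config unless you pass that path yourself.

```shell
#!/bin/sh
# Added example for this page (not AWS's or OpenSSH's code).
# Harden an sshd_config file so that root cannot log in over SSH and
# password authentication is off, then verify the result. Every function
# takes the file path as its first argument, so try it on a copy first.

# set_sshd_option FILE KEYWORD VALUE
# Remove every existing line for KEYWORD (commented or not, any case,
# "Key value" or "Key=value" form) and put "KEYWORD VALUE" at the top of the
# file. sshd uses the first value it reads for a keyword, and a line at the
# very top can neither lose to an Include'd file nor land inside a later
# Match block, so this is the safest place for a global setting.
# Occurrences inside Match blocks are removed as well, so any per-client
# override for KEYWORD is dropped deliberately.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    grep -Eiv "^[[:space:]]*#?[[:space:]]*${key}[[:space:]=]" "$file" > "$tmp" || true
    { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$file"
    rm -f "$tmp"
}

# harden_sshd_config FILE: the two settings this page asks for.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
}

# effective_value FILE KEYWORD
# Print the value sshd would take for KEYWORD from this file alone
# (first uncommented occurrence wins; Include'd files are not followed).
effective_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]=]" "$1" | head -n 1 \
        | sed -E 's/^[[:space:]]*[A-Za-z]+[[:space:]=]+([^[:space:]]+).*/\1/'
}

# check_sshd_config FILE
# Exit 0 only when both settings are "no"; otherwise report what is wrong.
# An absent PasswordAuthentication line counts as a failure because sshd's
# compiled-in default for it is "yes".
check_sshd_config() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        v=$(effective_value "$1" "$kw")
        if [ "$v" != "no" ]; then
            echo "$kw is '${v:-unset}', expected 'no'" >&2
            rc=1
        fi
    done
    return $rc
}

# validate_sshd_config FILE
# Ask sshd itself to parse the file (needs root, because sshd loads the host
# keys while testing). Run this before "systemctl restart sshd".
validate_sshd_config() {
    sshd -t -f "$1"
}

# make_sample_config FILE: a constructed sshd_config with the weak settings
# this page tells you to revert, including a Match-block override.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real instance's configuration
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
}

# Demonstration on a temporary copy; safe to run as any user.
demo() {
    f=$(mktemp)
    make_sample_config "$f"
    check_sshd_config "$f" || echo "before: weak settings found"
    harden_sshd_config "$f"
    check_sshd_config "$f" && echo "after: PermitRootLogin no, PasswordAuthentication no"
    rm -f "$f"
}
demo
```

To use it on a real instance, copy /etc/ssh/sshd_config somewhere, run harden_sshd_config and validate_sshd_config on the copy as root, move the copy into place, and only then restart sshd from a session you keep open. effective_value reads one file only, so on a distribution that uses Include, confirm the live result with sshd -T after the restart.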
Restrict access from unknown sources
For instances with public IP addresses, leaving the SSH port open to the world invites intrusion if the daemon is misconfigured or has an unpatched vulnerability. To reduce that risk, follow these best practices:
1. Keep the SSH daemon updated to the latest version supplied by your Linux distribution maintainer. The distribution often backports security fixes from later upstream releases without changing the reported OpenSSH version, so compare the package release, not the version banner. For more information on backporting, see Backporting security fixes on the Red Hat Customer Portal website.
yum -y update openssh-server # Amazon Linux, RHEL, CentOS
apt update && apt -y install openssh-server # Ubuntu, Debian (apt install upgrades an installed package)
2. Restrict your security group to allow inbound connections to port 22 only from trusted IP addresses, such as your corporate network's public address range, and avoid the 0.0.0.0/0 and ::/0 source ranges. For more information, see Authorize inbound traffic for your Linux instances.
3. If port 22 is open to the world, intruders will guess user names and passwords and probe the daemon for exploitable bugs. The fail2ban utility watches the authentication log for repeated failed logins from one address and blocks that address with a firewall rule after a few failures (by default, 5 failures within 10 minutes earn a 10-minute ban). To install fail2ban:
Ubuntu, Debian:
apt -y install fail2ban
Amazon Linux, CentOS, RHEL:
fail2ban is packaged in the EPEL repository, so enable EPEL first (on Amazon Linux 2, amazon-linux-extras install epel; on CentOS and RHEL, the epel-release package), and then run the following commands:
yum -y install fail2ban
systemctl enable fail2ban
systemctl start fail2ban
On Debian and Ubuntu the sshd jail is enabled out of the box; with the EPEL package you must enable it yourself in /etc/fail2ban/jail.local. fail2ban blocks only at the instance's own firewall, so it complements, but does not replace, a restrictive security group. For details on how to configure fail2ban, see Linux security: Protect your systems with fail2ban on the Red Hat website.
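What fail2ban is looking for, as an added example that is not from the original page and not the fail2ban project's code: a POSIX shell script that counts failed SSH logins per source address in an auth log (the way the sshd jail does, minus the time window) and writes a jail.local that enables the sshd jail and exempts your own management network. The log lines, the function names, and the 203.0.113.0/24 management network are constructed for the example.

```shell
#!/bin/sh
# Added example for this page (not AWS's or fail2ban's code).
# Part 1: the detection fail2ban's sshd jail performs, as a one-shot check you
# can run against /var/log/secure (RHEL family) or /var/log/auth.log (Debian).
# Part 2: a jail.local that turns the sshd jail on with sane thresholds.

# ssh_failures_by_ip LOGFILE
# Print "count address" for every source address with failed SSH logins,
# highest count first. Only "Failed password for" lines are counted: sshd
# writes exactly one of those per rejected attempt, whereas the separate
# "Invalid user" line would double-count attempts against unknown users.
ssh_failures_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' "$1" \
        | sed -E 's/.* from ([0-9a-fA-F:.]+) port [0-9]+.*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# ssh_offenders LOGFILE MAXRETRY
# Addresses with at least MAXRETRY failures. fail2ban's default maxretry is 5;
# it also requires the failures to fall within findtime (default 10m), which
# this one-shot check does not model.
ssh_offenders() {
    ssh_failures_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# write_sshd_jail DEST TRUSTED_CIDR
# jail.local overrides: enable the sshd jail (not enabled by the EPEL package),
# keep fail2ban's default maxretry and findtime, raise bantime, and never ban
# localhost or your own management network (TRUSTED_CIDR, an assumed value).
write_sshd_jail() {
    cat > "$1" <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 $2
findtime = 10m
maxretry = 5
bantime  = 1h

[sshd]
enabled = true
EOF
}

# make_sample_log FILE: constructed /var/log/secure excerpt. 198.51.100.7 is a
# password-guessing source; 203.0.113.9 is an admin who mistyped once and then
# logged in with a key.
make_sample_log() {
    cat > "$1" <<'EOF'
Oct  5 09:12:01 ip-10-0-1-23 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Oct  5 09:12:03 ip-10-0-1-23 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Oct  5 09:12:05 ip-10-0-1-23 sshd[2204]: Invalid user admin from 198.51.100.7 port 40130
Oct  5 09:12:05 ip-10-0-1-23 sshd[2204]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Oct  5 09:12:08 ip-10-0-1-23 sshd[2207]: Failed password for invalid user oracle from 198.51.100.7 port 40138 ssh2
Oct  5 09:12:10 ip-10-0-1-23 sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 40141 ssh2
Oct  5 09:12:12 ip-10-0-1-23 sshd[2211]: Failed password for root from 198.51.100.7 port 40150 ssh2
Oct  5 09:13:40 ip-10-0-1-23 sshd[2230]: Failed password for ec2-user from 203.0.113.9 port 51002 ssh2
Oct  5 09:13:44 ip-10-0-1-23 sshd[2230]: Accepted publickey for ec2-user from 203.0.113.9 port 51002 ssh2
EOF
}

# Demonstration on temporary files; safe to run as any user.
demo() {
    log=$(mktemp); jail=$(mktemp)
    make_sample_log "$log"
    echo "failed logins per address:"; ssh_failures_by_ip "$log"
    echo "would be banned at maxretry=5:"; ssh_offenders "$log" 5
    write_sshd_jail "$jail" 203.0.113.0/24
    echo "jail.local to install as /etc/fail2ban/jail.local:"; cat "$jail"
    rm -f "$log" "$jail"
}
demo
```

Run ssh_offenders against your real log to see who fail2ban would already be banning; after installing the generated jail.local and restarting fail2ban, fail2ban-client status sshd shows the live ban list. Put your own management network in ignoreip before enabling the jail, or a mistyped password from the office can lock you out for bantime.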
Use AWS Systems Manager Session Manager for shell access to EC2 instances
Session Manager lets IAM users and roles open an interactive shell on your instances without an SSH key, encrypted in transit and with optional session logging to CloudWatch Logs or Amazon S3. The connection is made outbound by the SSM Agent on the instance to the Systems Manager endpoints, so you can reach private instances without opening any inbound port, and port 22 can stay closed entirely. The instance needs the SSM Agent (preinstalled on Amazon Linux 2 and Ubuntu AMIs) and an instance profile that grants the Systems Manager actions, for example the AWS managed policy AmazonSSMManagedInstanceCore; who may connect, and to which instances, is controlled with IAM policies on the ssm:StartSession action. For more information about Session Manager, see AWS Systems Manager Session Manager in the AWS Systems Manager User Guide.
Use EC2 Instance Connect for shell access to EC2 instances
Amazon EC2 Instance Connect lets you connect to your Linux instances with SSH without distributing long-lived private keys. The caller pushes a one-time public key to the instance through the EC2 Instance Connect API, and that key is valid for 60 seconds; whether a principal may do this, and for which instances and OS users, is controlled with IAM policies on the ec2-instance-connect:SendSSHPublicKey action. The instance's security group must still allow inbound port 22 from your client, or from the EC2 Instance Connect service IP range for your Region when you connect from the console. For more information about EC2 Instance Connect, see Connect to your Linux instance using EC2 Instance Connect.
Note: EC2 Instance Connect is supported on the following distributions:
- Amazon Linux 2 (any version)
- Ubuntu 16.04 or later