How to make SSH more secure.

NobleCloud

NobleCloud

New member
Some of you probably already know this, but in case you don't, I discovered this yesterday.

SSH (or Secure Shell) is basically a way of controlling your entire server from the command line. Root users can install and uninstall software, change configuration settings, and even remote reboot the server.

However, by default, all it requires to access it is a username and password that has Shell Access (normally the root user). If someone discovers, or sniffs out, those login credentials then they have instant access to your server. This is not what you really want is it?!

So, if you have WHM on your server (this is just an example...you can do it without WHM), you can login as the root user and set your SSH security to require an SSH key file in order to work. You'll still have to enter your username and password but you will also have to upload your key file into the SSH remote console in order to login otherwise even the root user won't be able to log in.

This will increase your security and reduce your chances of someone hacking your server over SSH. This is a basic example of protection. :)

Of course, there are loads of other ways you can make your server more secure. The best one, perhaps, being a firewall. ConfigServer is a good one and it's free. What's more if you have cPanel or WHM it has a special UI that you can control the entire firewall directly from WHM via the plugin it installs. This makes life a lot easier as you would otherwise have to set it up from the command line.
 
Turn off root login. Limit access to only users that need it. Use sudo.

vi /etc/ssh/sshd_config

uncomment

PermitRootLogin

then set it to no

PermitRootLogin No

Make sure you can login and switch to root before you do this or you will not be able to access your server.

After making changes to /etc/ssh/sshd_config restart SSH
in redhat based Operating Systems do
service sshd restart

to enable sudo on redhat base oses do visudo and make the needed changes.

To limit by user in /etc/ssh/sshd_config add this to the end

AllowUsers username

Restart SSH when changes are made.

Good luck!
 
Definitely kill the root access and password authentication on the server.

The keys are a great tool step in the right direction, but kill the root. make a user that you have to log in with and then SUDO to root - much more secure.

For us, we use both the keys and the user method. We also set designated IPs so that if the login doesn't come from "X" IP number, the login will be rejected. Of course, if you go that route, you better have more than 1 IP that can access (just incase your IP gets blocked or changed).

Good step in the right direction with the keys, just take the next step and you'll be more secure.
 
handsonhosting said:
Definitely kill the root access and password authentication on the server.

The keys are a great tool step in the right direction, but kill the root. make a user that you have to log in with and then SUDO to root - much more secure.

For us, we use both the keys and the user method. We also set designated IPs so that if the login doesn't come from "X" IP number, the login will be rejected. Of course, if you go that route, you better have more than 1 IP that can access (just incase your IP gets blocked or changed).

Good step in the right direction with the keys, just take the next step and you'll be more secure.
Click to expand...

mhmmm...designated IPs. How would I set that up? Sounds good. :)
 
You can set it up in CSF using the firewall. Basically you'll use the iptables function to restrict access to port 22 to only allow from a certain IP number. Of course you did change from the default port 22 also right? Don't need hackers attempting to hijack the port.

You can also do something like this:

In /etc/hosts.allow add the line:
sshd: xxx.xxx.xxx.xxx

In /etc/hosts.deny add the line:
sshd: ALL

That'll block anyone if they're not from the defined IP in the hosts.allow list.
 
Refer to post #4. Strongly recommend multiple IPs allowed to access the server - or at the very least, KVM access so updates could be made if needed.
 
A non standard port is only a mask and should not be considered SECURITY. A port sniffer will easily be able to find which port the SSH is running on (or someone posting about sFTP information). Granted, it's better than leaving the port open for port 22, but it shouldn't be considered "secure"
 
CSF (Config server firewall) is the best way, I guess you do not need after its installation and setting rules.

Also, use strong passwords. Use small, capital letters, numbers and symbols in your password.
 
handsonhosting said:
Definitely kill the root access and password authentication on the server.

The keys are a great tool step in the right direction, but kill the root. make a user that you have to log in with and then SUDO to root - much more secure.

For us, we use both the keys and the user method. We also set designated IPs so that if the login doesn't come from "X" IP number, the login will be rejected. Of course, if you go that route, you better have more than 1 IP that can access (just incase your IP gets blocked or changed).

Good step in the right direction with the keys, just take the next step and you'll be more secure.
Click to expand...

More or less what I do, except I'm not fond of allowing only certain IP's since I'm often on the move + at home I have a dynamic IP, so obviously that would cause some problems ;p
 
I'd do the following if your not using keys to login;

alter the servers ssh port
lock ssh access to admins static IP's only
create a sub user to ssh in
setup email alerts for any SSH login
of course utilise a strong password.

I hope this helps, good luck.
 
I prefer a random port and then disable root, and setup users, once a user is in, they can jump to root 'su root' I find this easier.
Then only allow access from our internal network :)

All good, then you need to crack more than one network.


All depends how you want to go :)
 
You must log in or register to reply here.

Supporters

Back
Top