There are a few ways to sort out server security, but one of the major ways to harden your server is to secure SSH. On a default machine you log in as root directly, on the default port, which leaves you exposed to brute force and all sorts of other attacks. What I am going to write is a short and simple guide to securing your SSH and what each change does. You don’t have to do all of these, although I would deeply recommend doing the steps below.
1. Changing SSH Protocol
I guess a good place to start would be the differences between the two SSH protocols (1 and 2), as not many people know this. You don’t need to know, but I think you should understand the reasons you are doing this. I will try to cut the crap out of it and keep it simple. Basically SSH2 uses separate protocols for transport, authentication and connections, splitting your data up and making it that little bit more secure. It also has stronger cryptographic integrity checks and better encryption. Basically what I am trying to say (but in tech talk) is that this is one change you should always make. Now let's get on to making the change.
Step 1) Use nano, pico or vi (your favourite text editor) to open /etc/ssh/sshd_config for editing
Step 2) Find the line #Protocol 2,1
Step 3) Uncomment the line and change it to
Protocol 2
2. Changing the SSH port
This is what we like to call security by obscurity: it is one extra thing the hacker has to guess before he can get in, although in practice a port scan would be able to find the port. However, I have found that changing the port does stop a lot of brute force attacks from occurring.
NOTE: Make sure you add the port you want to use to the firewall and/or add yourself to the allow list, so you can connect to the new port and don’t lock yourself out.
Step 1) Again open up /etc/ssh/sshd_config with your favourite editor
Step 2) Find the line #Port 22
Step 3) Uncomment the line and replace it with the following (where 2777 is a random, unused port)
Port 2777
NB: To find out if the port is already in use, run the command lsof -i:portnumber, e.g. lsof -i:2777
3. Disable Direct Root Login
Unlike the other steps, this requires a bit more than editing the config file, but it's not hard, so don't worry about it. Again this adds a little security by obscurity: an extra layer the hacker/cracker has to get through if he wants access to your machine, making it that bit harder.
A lot of other guides will tell you to add a cPanel account etc., but let's just make it easier, shall we.
Step 1) Type the following in SSH, replacing the username with a random one, e.g. sekadmin
adduser sekadmin
Step 2) Now let's give sekadmin a password
passwd sekadmin
You will now be given a password prompt twice. Make sure the password is not a dictionary word; I would recommend looking at my password article for the best password.
Step 3) Now we need to give sekadmin the correct privileges so he can su - to root.
Step 4) Open up /etc/group with your favorite text editor. Find the line that starts with “wheel” and add your username on at the end of the line. Then close and save the file.
Step 5) Now you will need to test that the login works, so create a NEW ssh session and try to connect using the username you just created. Once logged in, type “su -” and then the root password to see if that works. If it does, everything went OK and you can continue to the next step.
Step 6) Once again open up our favourite file /etc/ssh/sshd_config in your text editor
Step 7) Find the line #PermitRootLogin yes, uncomment it and change it to no.
Other Methods
There are also some other methods that you can use. One of the other methods I like to use is binding SSH to an IP. If you do this, the best thing to do is use a spare IP that is not being used by a website. This will offer the most security.
Another great thing to do is to disable password logins totally and use an ssh key. I will not write anything about that here, because it can be a blog post on its own for a rainy day.
After all changes
To make all your changes take effect, you will have to restart sshd:
service sshd restart
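The edits from sections 1 to 3 and the two "Other Methods" above, collected into one shell script as an added example (this is not the post's own code). It rewrites sshd_config with awk instead of a text editor, keeps exactly one active line per directive so running it twice does no harm, and shows the checks to run before the restart. The port 2777 and the user name sekadmin are the post's; the address 203.0.113.10 is an assumed sample value, and the demo at the bottom works on a constructed throwaway copy rather than the real file.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's sshd_config edits
# (Protocol 2, a non-default Port, PermitRootLogin no) with a script instead of
# a text editor, and check the result before restarting sshd.
# Assumed values: port 2777 (from the post) and the sample address 203.0.113.10.
set -eu

# set_directive FILE KEY VALUE
# Rewrite the first line that sets KEY (commented out or not) to "KEY VALUE".
# Later lines for the same KEY are commented out, because sshd uses the first
# match it finds; if the file has no such line the directive is appended.
set_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; re = "^[# \t]*" tolower(key) "([ \t]|$)" }
        tolower($0) ~ re {
            if (!done) { print key " " value; done = 1 } else { print "#" $0 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_directive FILE KEY
# Print the effective value of KEY: the first uncommented line that sets it.
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config FILE [PORT]
# Sections 1, 2 and 3 (step 7) of the post, applied to FILE.
harden_sshd_config() {
    cfg=$1; port=${2:-2777}
    set_directive "$cfg" Protocol 2
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" PermitRootLogin no
}

# The two "Other Methods" the post mentions, going beyond its numbered steps.
# bind_sshd_to_ip FILE ADDRESS: only accept connections on one spare address.
bind_sshd_to_ip() { set_directive "$1" ListenAddress "$2"; }
# disable_password_logins FILE: key-based authentication only.
disable_password_logins() {
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication no
}

# Section 3, steps 1 to 4, as commands (run as root; not called by the demo).
# usermod -a -G wheel has the same effect as adding the name to the wheel line
# of /etc/group by hand.
create_admin_user() {
    adduser "$1"
    passwd "$1"
    usermod -a -G wheel "$1"
}

# preflight FILE PORT: before "service sshd restart", let sshd parse the file
# and report any typo, and confirm the new port is free (the post's lsof check).
# Not called by the demo, since it needs sshd and lsof on the machine.
preflight() {
    sshd -t -f "$1"
    ! lsof -i:"$2"
}

# Demo on a constructed copy, so nothing touches the real /etc/ssh/sshd_config.
demo() {
    sample=$(mktemp)
    printf '%s\n' '#Protocol 2,1' '#Port 22' 'X11Forwarding yes' \
        '#PermitRootLogin yes' > "$sample"
    harden_sshd_config "$sample" 2777
    echo "--- hardened sample config ---"
    cat "$sample"
    rm -f "$sample"
}
demo
```

Run the file as is to see the demo on the throwaway copy. To apply it for real, call harden_sshd_config /etc/ssh/sshd_config 2777 as root, run preflight /etc/ssh/sshd_config 2777, open the new port in the firewall as the note in section 2 says, and only then service sshd restart, keeping your current session open until a second session on the new port and the new user has worked.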