Secure Shell (SSH) provides a command-line interface for secure data communication. Effectively, it allows you to remotely manage your server as if you were standing right in front of the physical machine. We use SSH because of the additional layers of protection and encryption it adds when transmitting data over the internet.

While SSH is by default a lot more secure than other protocols such as FTP, there are some configuration changes that can be made to make it even more secure. Changing some widely known defaults will help ensure only you and people you authorize have access to the root of your servers.


Always Backup, Backup, Backup

Before making any configuration changes, be sure to make a backup copy. You’ll also need to take note of all changes you make; otherwise you may not be able to log into your server again.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Editing Your SSH Config

Use your favorite command line text editor to open /etc/ssh/sshd_config to confirm & edit your settings.

1) Change SSH Protocol

SSH protocol version 2 (SSH-2) is more secure than version one (SSH-1). Here are a couple of reasons why:

  • Separate protocols for transport, authentication, and connections.
  • Effectively, this splits up your data handling to make it more secure.
  • Strong cryptographic integrity check.

Find the line:
#Protocol 2,1
Uncomment & change it to:
Protocol 2

2) Change SSH Port

We like to call this security by obscurity: one more thing a hacker would need to know in order to access your system. Theoretically a port scan would find the port; however, we have found that a non-standard port helps to stop many brute force attacks.

Important: Take note of the port used for future access, and be sure to allow the port in your firewall / iptables. This is vital to ensure you are not locked out.

Find the line:
#Port 22
Uncomment & change it to:
Port 2202
Note: 2202 is only an example; pick your own random, unused, high-numbered port.
To find out whether a port is already in use, run:
lsof -i:portnumber    e.g. lsof -i:2202

3) Disable Direct Root Login

This step requires a little more than just editing the config file, but it’s very easy. Again, security by obscurity – instead of logging in directly as the default ‘root’ user, we require another user to log in first and then switch to root.

Create a new user:
adduser kevin9
Assign a password to the new user:
passwd kevin9
Enter your new password twice. Make sure it is not a dictionary word; we recommend following best practices for passwords.

Give the new user permission to su - to root:
vi /etc/group
Find the line that starts with “wheel” and add your new username to the end of that line. Then save and close the file.

Test that the username works: Open a new ssh session and connect with the new user. Once connected type “su -” and enter your root password. If you can log in successfully, proceed to the next step.

Edit the SSH config to disable root login:
vi /etc/ssh/sshd_config
Find the line #PermitRootLogin yes, uncomment it and change it to:
PermitRootLogin no

4) Limit Users’ Access to SSH

Note: Typically, any user on your server has access to SSH. If you create an FTP account for one of your developers, that includes SSH access. If it is not needed, there is no reason to leave that access point open.

Lock down SSH access to specific users by editing your SSH config:
vi /etc/ssh/sshd_config
AllowUsers root kevin9 bobby21
Or you may allow all users and block specific users by adding:
DenyUsers carol mark susie11

(Replace the above example usernames with your own.)

Be sure to restart SSH for all changes to become effective:
service sshd restart
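The four edits above, plus the backup and the lock-out warnings, can be applied as one scripted procedure. The following is an added example and not code from the original post: it rewrites the directives in a config file whose path is given on the command line, keeps the .bak copy, and refuses to declare the file ready for a restart when the result would lock you out (an empty AllowUsers list, an AllowUsers list that names only root while PermitRootLogin is no, or a bad port). The script name harden-sshd.sh in the usage line is an assumption, as is the choice to implement the AllowUsers variant of step 4 rather than DenyUsers; the value reader only understands global directives and does not interpret Match blocks.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the sshd_config
# changes from steps 1-4 to a config file, after backing it up, then
# sanity-check the result before the service is restarted.

set -eu

# set_sshd_option FILE KEY VALUE
# Replace every "Key value" or "#Key value" line with "Key VALUE". If the
# file has no such line, prepend the directive rather than append it, so it
# cannot land inside a trailing "Match" block and apply to only some users.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file" > "$tmp"
    else
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_sshd_option FILE KEY
# Print the value of the first active (uncommented) KEY directive, or nothing.
# Global directives only; Match blocks are not interpreted.
get_sshd_option() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# harden_sshd_config FILE PORT USER...
harden_sshd_config() {
    file=$1; port=$2; shift 2
    cp "$file" "$file.bak"                      # always back up first
    set_sshd_option "$file" Protocol 2          # step 1
    set_sshd_option "$file" Port "$port"        # step 2
    set_sshd_option "$file" PermitRootLogin no  # step 3
    set_sshd_option "$file" AllowUsers "$*"     # step 4
}

# validate_sshd_config FILE
# Catch the lock-out mistakes the post warns about before sshd is restarted:
# a bad port, an empty AllowUsers list, or a list that names only root while
# root login is disabled. Returns non-zero (with a reason on stderr) on failure.
validate_sshd_config() {
    file=$1
    port=$(get_sshd_option "$file" Port)
    users=$(get_sshd_option "$file" AllowUsers)
    case $port in
        ''|*[!0-9]*) echo "Port is not a number: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "Port out of range: $port" >&2; return 1
    fi
    if [ -z "$users" ]; then
        echo "AllowUsers is empty: nobody would be able to log in" >&2; return 1
    fi
    if [ "$(get_sshd_option "$file" PermitRootLogin)" = no ]; then
        nonroot=0
        for u in $users; do [ "$u" = root ] || nonroot=1; done
        if [ "$nonroot" -eq 0 ]; then
            echo "PermitRootLogin is no but AllowUsers lists only root" >&2; return 1
        fi
    fi
    return 0
}

# Usage (script name assumed): sh harden-sshd.sh /etc/ssh/sshd_config 2202 kevin9 bobby21
# Only when validation passes is it safe to run "service sshd restart";
# "sshd -t" additionally lets sshd itself parse the file when it is installed.
if [ $# -ge 3 ]; then
    harden_sshd_config "$@"
    validate_sshd_config "$1"
    command -v sshd >/dev/null 2>&1 && sshd -t -f "$1"
    echo "sshd_config updated; backup at $1.bak. Restart sshd to apply."
fi
```

Keep the existing session open while you run this and test a fresh login on the new port with the new user before closing it; the .bak copy is what you restore from if the new login fails.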
