How-To: Secure your SSH!

[bassjuh]

For the people that are new to a linux server and/or directadmin i decided to write this little how-to.

There are a lot spam and warez sites and also hackers that are trying to find other computers to put warez on for example to install software on it to send e.g. spam.

For all this is a really simpele solution, just change standard ssh port 21 to e.g. 337 or 9999, we are going to use 337 in this example. and we are only going to allow V2 Clients since V1 is a bit outdated.

I used CentOS 4.2 for this example.

First we are going to find our file, this file is standard located in /etc/ssh/ the file is called sshd_config

Now we are going to open the file up with or favorite text editor, i prefer nano. so i will invoke the command : nano /etc/ssh/sshd_config

now search for:

#Port 22

replace this with

Port 337

Second, search for:

#Protocol 2,1

replace this with:

Protocol 2

now, save the file ( in nano, press ctrl+x , press y and enter )

to load the settings we need to restart sshd, please make sure you did not make any typo's

To restart sshd we'll type: service sshd restart

and were done! now ssh will only allow logins on port 337 for V2 Clients

Edit: Forgot to mention, IF you have installed or enabled a firewall do not forget to set this port open!

Hope this is usefull for someone

 

[@how@]

Easy to fine new port, just you need Protocol 2 only


Thanks,
Wael

 

[kawing05]

Good Jobs! I changed and worked fine~

 

[@how@]

no need to set new port coz any hacker can find it by port scan.

 

[bassjuh]

no need to set new port coz any hacker can find it by port scan.

i agree with you on that, but there are a lot of site's that only use port 22 for this purpose...

so you will reduce the risk a bit

 

[roelp]

i must agree. in my opinion it's pretty useless to change the ssh port.
You will maybe stop the script kiddies and some brute force scanners, but you won't stop a real hacker.

Best option to protect your ssh, is to allow only certain ip's to connect to your ssh, either in your firewall, or your hosts.allow.

Another way would be to use some kind of port knocking

 

[Chrysalis]

changing the port wont stop someone who is hardset in getting in the system but it will help against the thousands of people who are scanning port 22 across ip ranges every day. One thing it has done for me is clean up my logs, which would get dozens of login attempts a day to now 0 attempts a day.

 

[servertweak]

some of you installed apf firewal , dont forget to make your changes there too


works great

 

[nobaloney]

And don't forget if you're changing your SSH port to let your clients know, if you allow them ssh.

Jeff

 

[pucky]

Changing the port for SSH is not as useless as many would think. 9 times out of 10, if you change the port these ssh trolls will move onto another server. Thats because they are not going to sit there and waste their time scanning for open ports. Why would they, when it much easier just to move on?

On all our unix boxes, we have moved ssh to another port due to all the brute force attacks against ssh on 22. Once they notice 22 is closed they move on.

So its not a crazy idea at all. I highly recommend it. Just another step in securing your server. Every little bit helps and moving SSH to another port is highly recommended even if you think its a waste of time.

Also, you should be getting notices from your system logs emailed too you on a nightly basis. There you will find information as to whether your ssh ports are still being bombarded. If they are, and you moved ssh to another port, it means whoever is doing it is really determined. There are way to deal with that as well but generally, once we have moved the ssh port to high port these pests dissapear.

 

[chatwizrd]

no need to set new port coz any hacker can find it by port scan.

Yes there is need to change port. Most ssh attacks come by directory attempts and scanning blocks of ips for open port 22. If you use a non standard port it will drop the attempts by a huge amount. 98% less scans on my servers when I changed to non standard ports.

 

[Webcart]

Althought I agree that this will reduce a number of scans significantly, I don't think it's a good solution in general case.

As a rule, "security by obscurity" is good but not when it creates significant inconvenience for users.

Rather than changing SSH port, disable direct logins for well-known users (root, admin) and install BDF (brute force detection) system.

Just my 2 cents...

 

[pucky]

Althought I agree that this will reduce a number of scans significantly, I don't think it's a good solution in general case.

As a rule, "security by obscurity" is good but not when it creates significant inconvenience for users.

Rather than changing SSH port, disable direct logins for well-known users (root, admin) and install BDF (brute force detection) system.

Just my 2 cents...

How does moving the ssh port inconvenience users? For one, many hosts dont even allow SSH. Two, its your job as the admin to keep your box as secure as possible, this includes your ability to email your clients with information on the new port if you allow it. Inconvenience? I saw a server with 22,000 hits to his SSH port in less than a 24hr period. What do you think we did for the client? You guessed it. We moved the port up and that was all she wrote.

Umm ye. Disable direct root logins is right, but how does that stop probes to port 22? Admin - > Root can log into any port if configured.

 

[Pascal]

visudo 

Else try: vi /etc/sudoers or whereis visudo

Add:
admin   ALL=(ALL) ALL

Under:
# User privilege specification
root    ALL=(ALL) ALL

Save!

vi /etc/ssh/sshd_config

Change:
AllowUsers root

Into:
#AllowUsers root

Save!

/etc/init.d/sshd reload

Reload SSH before the changes are having effect.

You disabled root to login into SSH

Now you can login with DA admin account to be superuser.

While logged under admin account on SSH do:

sudo su

enter your admin password and you'll become root

 

[The_cobra666]

/etc/sudoers can't find that fill m8 (CentOS 4.4)

 

[Pascal]

/etc/sudoers can't find that fill m8 (CentOS 4.4)

Then you should install it or visudo first

yum install sudo

 

[The_cobra666]

Ok, I can now login with Admin but as soon as I enter my password putty "exit's", it just closed. I can see "Last login from ******" but that's only for a blink of second.

Any help?

Loging in with da_admin doesn't work.

Oyeah, the root login still works don't ask my why.., I need to use the ssh_config file instead of the sshd_config file. Since if I change something in there it works and in sshd_config it doesn't.

 

[Pascal]

Ok, I can now login with Admin but as soon as I enter my password putty "exit's", it just closed. I can see "Last login from ******" but that's only for a blink of second.

Any help?

Loging in with da_admin doesn't work.

Oyeah, the root login still works don't ask my why.., I need to use the ssh_config file instead of the sshd_config file. Since if I change something in there it works and in sshd_config it doesn't.

Your account is "admin", "da_admin" is used for phpmyadmin etc.

You added "admin" on the allow list for SSH users and reloaded?

 

[Chrysalis]

for these scans moving the port is very effective, 99% of them will be drones that if they find a closed port 22 will simply just move on.

 

[Webcart]

How does moving the ssh port inconvenience users?

If you have to ask then the chances are it doesn't inconvenience your customers

Originally posted by pucky
Two, its your job as the admin to keep your box as secure as possible, this includes your ability to email your clients with information on the new port if you allow it. Inconvenience?

"its your job as the admin to keep your box as secure as possible" looks like a good statement, however, it doesn't tell us much until you define the phrase "as possible".
There is always a trade-off between increased security and increased inconvenience for users. For example, the most secure server would be the one without network cards and I/O ports (USB, COM, PS/2). Of course such server would be totally useless.

If changing a port and e-mailing your clients about it solved this problem, it means you've found a right solution for your business. Just keep in mind it's not a bullet proof solution, it might or might not work that good for others.

Originally posted by pucky
I saw a server with 22,000 hits to his SSH port in less than a 24hr period. What do you think we did for the client? You guessed it. We moved the port up and that was all she wrote.

Apparently I didn't guess it right I kinda assumed most of these hits were originated from the same netblock, may be even from the same IP address. So, my guess was you've blocked the offending IPs and installed brute force detection system.
I think it would be a better solution in the long run and surely more general.