SSH security / usage optimization
In this tutorial we make SSH more secure. It remains a basic tutorial, however, built on a few simple measures. SSH is the most common and best method of remotely administering a Linux system. With SSH you can manage, service and maintain a machine entirely remotely. But what if an attacker gains access through SSH? Then the consequences are incalculable. Conventionally, SSH security consists of nothing more than a username and a password.
This tutorial was tested with a basic CentOS 5 installation, DirectAdmin and CSF.
The following topics are covered:
Use strong passwords
Limit SSH use
Protocol 2 as default
Change the default SSH port
No SSH root access
Management from a single IP
1) Use strong passwords
One of the main weaknesses of passwords is that users tend to choose easy ones. Note that the SSH password of a DirectAdmin user is the same as that user's DirectAdmin password. So the same points that apply to a recommended SSH password (and to any other password) apply to a DirectAdmin password as well:
At least 8 characters
Use upper and lower case
Mix numbers and letters together
Use special characters (!@#$%^&*_+)
2) Limit SSH use
Suppose the credentials of one of your DirectAdmin users fall into malicious hands (or the user has bad intentions). The last thing you want is that this user has SSH access to your server, with whatever rights. It is therefore strongly advised to give DirectAdmin users and resellers NO SSH access. For users who really need it, you grant individual access yourself. You can disable SSH access as an option when creating user and reseller hosting packages.
You can find the list of permitted SSH users in /etc/ssh/sshd_config.
Normally there is a line at the bottom of this config file with the users who have SSH access. If nobody but you should have access, this line reads:
AllowUsers root
After the change, restart the sshd service with:
# service sshd restart
3) Protocol 2 as default
SSH currently has two protocol versions to communicate with. Protocol 1 is older and less secure, so we make Protocol 2 the default.
Edit /etc/ssh/sshd_config and find and change the following line:
#Protocol 1,2
Protocol 2
After editing the file, restart the sshd service:
# service sshd restart
4) Change the default SSH port
Another important change is the default SSH port. In this example we move SSH from port 22 to port 1022. Note that after this change you need to specify the new port in your SSH client to connect!
Step 1)
First we configure the firewall so that it also accepts connections on the new port. How you do this depends on your firewall. On CentOS you will most likely have the 'setup' tool available. Servers with DirectAdmin and CSF can do this from the CSF page in DirectAdmin or via the CSF config file.
Setup method:
# setup
Under the firewall and network options you can specify the allowed ports. Make sure port 1022 is no longer blocked (you can add custom ports as 1022:tcp).
CSF method:
In CSF you specify the allowed incoming and outgoing ports. Add port 1022 on the CSF config page (to both TCP_IN and TCP_OUT).
If you do not have the CSF page in DirectAdmin, the config file can be found at /etc/csf/csf.conf.
Find TCP_IN and TCP_OUT and add port 1022.
Step 2)
Once the new port 1022 is open to the outside, we configure SSH to actually listen on this port.
Open the SSH config file /etc/ssh/sshd_config and change the following setting:
# Run ssh on a non-standard port (change me):
Port 1022
After saving the config file, SSH will listen on the new port the next time it is started.
Restart SSH:
# service sshd restart
Step 3)
Now that SSH listens on the new port (1022), we can connect to the server on that port.
However, the old port is still open in the firewall. Remove it the same way you added the new port (step 1), only now we do not add port 1022 but remove port 22.
5) No SSH root access
Avoid logging in directly as root over SSH. We will create an additional user with basic rights, and only this user gets SSH access. You then log in as this user and switch to root with su.
We first create the new user (here named suroot):
# useradd suroot
Next we give it a password (enter your own password here; keep section 1 in mind):
# passwd suroot
Changing password for user suroot.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Change the following line in /etc/ssh/sshd_config:
# Prevent root logins:
PermitRootLogin no
We also check the line with allowed SSH users in /etc/ssh/sshd_config (see "2) Limit SSH use"): root must go, suroot must be added:
AllowUsers suroot
After the change, restart the SSH server:
# service sshd restart
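As an added example (not part of the original post), here is a small POSIX shell script that applies the sshd_config changes from sections 2 to 5 in one pass; the function names and the constructed sample config are my own, and the path defaults to /etc/ssh/sshd_config but can point at a copy.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd_config changes
# from sections 2 to 5 in one pass. FILE defaults to /etc/ssh/sshd_config but
# can point at a copy, so you can check the result before touching the live file.
# set_sshd_option FILE KEY VALUE
# Rewrites the first KEY line, active or commented out ("#Port 22"), as
# "KEY VALUE", drops any further KEY lines and appends the directive when the
# key is absent. sshd honours only the first occurrence of a keyword, so a
# stray duplicate would silently win over your change.
set_sshd_option() {
    awk -v k="$2" -v v="$3" '
        $0 ~ ("^[# \t]*" k "[ \t]") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# active_value FILE KEY: the value sshd would actually use (first active line).
active_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}
# harden_sshd [FILE]: the settings this tutorial ends up with.
harden_sshd() {
    f=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$f" Protocol 2            # section 3: protocol 2 only
    set_sshd_option "$f" Port 1022             # section 4: non-standard port
    set_sshd_option "$f" PermitRootLogin no    # section 5: no direct root login
    set_sshd_option "$f" AllowUsers suroot     # sections 2 and 5: only suroot
}
# Syntax-check before "service sshd restart": a typo in sshd_config stops
# sshd from starting and locks you out of the box.
check_sshd_config() {
    sshd -t -f "${1:-/etc/ssh/sshd_config}"
}
# Constructed sample resembling the CentOS 5 default file (not a real copy).
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}
```

Try it on a copy first (cp /etc/ssh/sshd_config /tmp/sshd.test && harden_sshd /tmp/sshd.test), then run check_sshd_config on the live file before restarting sshd.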
Using suroot
Now that we can no longer log in directly as root, this goes through the user suroot. Below is an example of how to become root:
Log in as the user suroot the same way you used to log in as root.
Switch to the root user and enter the root password when prompted:
# su root
Password:
Congratulations, you now have root access via the user suroot.
6) Management from a single IP
Even better is to allow SSH management from a single location (IP) only, your office for example. In this step we tell iptables about port 1022 (see "4) Change the default SSH port").
In this example we take the workstation IP 195.216.246.2 and SSH listening on port 1022.
Edit the file /etc/sysconfig/iptables and add this rule (in that file the rule is written without the leading "iptables"; place it before the final rule that rejects all remaining traffic, otherwise it is never reached):
iptables -A INPUT -p tcp -s 195.216.246.2 --dport 1022 -j ACCEPT
Save the change and restart iptables:
# /etc/rc.d/init.d/iptables restart
You can now only use SSH from address 195.216.246.2 on port 1022. Note that this only restricts access if no other rule still accepts port 1022 from any source, such as the general rule you added in step 1 of section 4.
Sorry, it's in Dutch.
I will translate it later or use Google Translate.
Best Regards,
Terry Dal Magro
The Good, The Bad and The Ugly -> Linux, Windows and DOS