  #1 (permalink)  
Old 19-04-2008, 19:41
Senior Member
 
Join Date: May 2007
Location: Newport, Wales
Posts: 992
Send a message via AIM to WelshTom Send a message via MSN to WelshTom Send a message via Yahoo to WelshTom
Securing SSH

Securing SSH is vitally important. Here are a few simple steps which will help you secure SSH on your server.

The first thing you should do is change the port that SSH listens on. This will help prevent automated-hacking tools from trying to brute force their way into your server.

To do this, open your SSH client (PuTTY is recommended).

Log in to your server.

At the command line, you need to go to /etc/ssh

To do this, type "cd /etc/ssh" and hit enter.

You then need to edit the SSH config file. To do this, type "vi sshd_config" at the command prompt.

You will then be presented with the SSH config. Please be careful when editing this file: if you break it, SSH can fail and you will not be able to access your server.

You need to look for the line which should look like the following:

Quote:
Port 22

To change the SSH port, simply hit the insert key on your keyboard, and change 22 to a port of your choice. Please make sure that you open the port in any firewall modules which you have installed, and that the port isn't already in use by some other application.

When you have changed the port number, simply hit escape on your keyboard, and then type ":wq" and hit enter. This will save the file and return you to the console.

When this is done, you'll need to restart SSH as follows:

"service sshd restart"

When I get a bit more time, I'll explain how to disable Password Authentication, to make your server more secure.
  #2 (permalink)  
Old 20-04-2008, 05:24
Rock's Avatar
Technical Support (eUKhost.com)
 
Join Date: Oct 2006
Location: localhost
Posts: 3,356

Hey Tom

Here's a small one from me.. supporting/securing your views further...

Securing SSH (Secure Shell):

It's a protocol which supports logging into a remote system or executing commands on a remote system, using an encrypted communication between the two systems. Hence, securing it is itself a method of securing the server.

By default SSH runs on version 1 and allows direct root access to the system. In order to secure the server steps should be taken to disable direct root access within the sshd_config file and any user should be forced to use only protocol 2. Protocol 2 is more secure than 1.

Here's a simple procedure on getting this done quickly:

Quote:
1) vi /etc/ssh/sshd_config
2) Change Protocol 2,1 to Protocol 2
4) Change PermitRootLogin yes to PermitRootLogin no
5) Restart SSHD: /etc/rc.d/init.d/sshd restart

Note: Please make a backup of any files you modify; in case you change anything unexpectedly, restoring the system to the original state becomes easier.
__________________

Rock _a.k.a._ Jack
Windows Hosting || Windows Reseller Hosting
Cloud Hosting 100% UPTIME! || Powerful Dedicated Servers
Follow eUKhost on Twitter || Join eUKhost Community on Facebook

For complaints, grievances or suggestions kindly email our FeedBack Dept.
Proper action will be taken accordingly & instantaneously!
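
The two posts above warn that a broken sshd_config can lock you out and advise taking a backup first. The following shell function is an added example, not part of the original posts: it backs up the file, applies one keyword change to a candidate copy, and only replaces the live file if the candidate passes validation. The names `set_sshd_option` and `SSHD_CHECK` are this example's own; the default check uses OpenSSH's `sshd -t -f` test mode.

```shell
#!/bin/sh
# Added example: change one sshd_config keyword without risking a lock-out.
# Assumption: SSHD_CHECK is this example's name for the validation command;
# on a real server the default below runs OpenSSH's config test mode.
SSHD_CHECK="${SSHD_CHECK:-sshd -t -f}"

set_sshd_option() {   # usage: set_sshd_option FILE KEYWORD VALUE
    conf="$1"; key="$2"; value="$3"
    backup="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 1        # restorable copy of the original
    cp -p "$conf" "$conf.new" || return 1      # candidate keeps owner and mode

    # sshd uses the first value it reads for a keyword, so write the new
    # setting at the top and comment out older global ones. Lines after a
    # "Match" line are per-user/host overrides and are left untouched.
    awk -v k="$key" -v v="$value" '
        BEGIN { print k " " v; lk = tolower(k) }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, "[ \t=]+")
            word = tolower(f[1])
            if (word == "match") in_match = 1
            if (!in_match && word == lk) print "#" $0; else print $0
        }' "$backup" > "$conf.new" || return 1

    # Validate the candidate before it replaces the live file.
    if $SSHD_CHECK "$conf.new"; then
        mv "$conf.new" "$conf"
        echo "updated $conf (backup: $backup); restart sshd and test a new" \
             "login before closing this session"
    else
        rm -f "$conf.new"
        echo "validation failed; $conf left unchanged" >&2
        return 1
    fi
}

# Run as: sh thisfile /etc/ssh/sshd_config PermitRootLogin no
if [ "$#" -eq 3 ]; then set_sshd_option "$@"; fi
```

Because the live file is only replaced after the check succeeds, a typo in the value leaves the running configuration as it was.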
  #3 (permalink)  
Old 22-04-2008, 02:41
Rock's Avatar
Technical Support (eUKhost.com)
 
Join Date: Oct 2006
Location: localhost
Posts: 3,356

Furthermore, SSH can be a resource hog/intensive for your server too if not set up properly; in other words, it can use up all of your resources, making the server unusable or rather taking the complete system down.

You can limit such applications and scripts so that they stay within the limits by setting up the "Shell Resource Limits" for the users.
You can configure shell resource limits in /etc/security/limits.conf on most Linux systems.

Note: Please make a backup of any files you modify; in case you change anything unexpectedly, restoring the system to the original state becomes easier.
  #4 (permalink)  
Old 12-06-2008, 22:35
Member
 
Join Date: Jun 2008
Posts: 34

Ouch, telling people to use vi is a dangerous move; pico is more user friendly
  #5 (permalink)  
Old 12-06-2008, 22:58
Senior Member
 
Join Date: May 2007
Location: Newport, Wales
Posts: 992
Send a message via AIM to WelshTom Send a message via MSN to WelshTom Send a message via Yahoo to WelshTom

Quote:
Originally Posted by Scothorse View Post
Ouch, telling people to use vi is a dangerous move; pico is more user friendly

lol - SSH is a CLI - it's not designed to be user-friendly - nor the stuff which runs on it
  #6 (permalink)  
Old 13-06-2008, 03:48
Rock's Avatar
Technical Support (eUKhost.com)
 
Join Date: Oct 2006
Location: localhost
Posts: 3,356

Quote:
Originally Posted by WelshTom View Post
lol - SSH is a CLI - it's not designed to be user-friendly - nor the stuff which runs on it

Rightly said! SSH isn't user friendly, but it's rather more powerful than the GUI mode.
My vote goes for SSH mode for sure. It's been years since I touched a GUI.
  #7 (permalink)  
Old 13-06-2008, 14:56
eUKhost.com's Avatar
Chief Marketing Officer
 
Join Date: Sep 2005
Posts: 5,925

Quote:
Originally Posted by Scothorse View Post
Ouch, telling people to use vi is a dangerous move; pico is more user friendly

yes

Pico is more user friendly and less memory intensive. I'm the only person in our company who uses pico as all other staff members prefer only vi.
__________________
UK Web Hosting || Business Hosting || eUKhost Knowledgebase
Toll Free : 0808 262 0255 || Skype : mark_ducadi
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
__________________________________________________

Please email cmo[at]eukhost.com if you have any questions or need my assistance
  #8 (permalink)  
Old 08-10-2008, 21:24
Junior Member
 
Join Date: Sep 2008
Posts: 17

...The vi/pico debate lives on...
  #9 (permalink)  
Old 08-10-2008, 22:48
Rock's Avatar
Technical Support (eUKhost.com)
 
Join Date: Oct 2006
Location: localhost
Posts: 3,356

Quote:
Originally Posted by kpatey View Post
...The vi/pico debate lives on...

Very true. Which one do you prefer/use?
  #10 (permalink)  
Old 08-10-2008, 23:03
Junior Member
 
Join Date: Sep 2008
Posts: 17

Pico for me ... I think if vi is one of the first editors you use, then you can learn to love it, otherwise pico will always be easier/faster
  #11 (permalink)  
Old 19-08-2009, 14:26
new member
 
Join Date: Aug 2009
Posts: 3

There is more to do in order to secure your SSH. Changing the default SSH port and disabling root login are a few of them. You can prevent SSH scanners by adding appropriate firewall rules.

Code:
iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP

The above configuration will allow up to 5 SSH connections in a 60 second timeframe.
  #12 (permalink)  
Old 19-08-2009, 16:34
Member
 
Join Date: Jul 2009
Location: Bedfordshire, UK
Posts: 43

Also, when choosing an alternative port, be sure to choose one that is not associated with viruses. I recently used port 9898 and had problems accessing my server through that particular port. It turned out that it is favoured by a trojan/virus known as MonkeyCom and my ISP was blocking it (I could not understand what was happening as I had access to all the other services on my VPS, and thought I was hacked - the tcptracert command in Linux turned out to be invaluable to trace the route on a specific port).

If you manage to lock yourself out of the system while configuring your SSHD and you have access to WHM, you can run the following to temporarily reset your SSH settings back to default:

Code:
whm.yourdomain.tld/scripts2/doautofixer?autofix=safesshrestart

Now you should be able to log in with your credentials on port 22, fix the configuration issues, reboot SSHD.
  #13 (permalink)  
Old 29-01-2010, 15:05
new member
 
Join Date: Jan 2010
Posts: 6

Hi.

I am a bit of a newbie with this stuff. How would I change my port using WinSCP? How do I get to a command line in WinSCP? Also, the WinSCP website has this paragraph:

"However, please ensure that the server you are connecting to is a secure server to start with - WinSCP only secures a particular file transfer session from server to client and from client to server. If you still have open FTP or Telnet port on your server, you are not safe!"

Is this something I should be aware of, and who would I ask to get it sorted?

Thanks from a newbie worried about security
  #14 (permalink)  
Old 30-01-2010, 12:18
Rock's Avatar
Technical Support (eUKhost.com)
 
Join Date: Oct 2006
Location: localhost
Posts: 3,356

Quote:
Originally Posted by craigbeattie View Post
Hi.

I am a bit of a newbie with this stuff. How would I change my port using WinSCP? How do I get to a command line in WinSCP? Also, the WinSCP website has this paragraph:

"However, please ensure that the server you are connecting to is a secure server to start with - WinSCP only secures a particular file transfer session from server to client and from client to server. If you still have open FTP or Telnet port on your server, you are not safe!"

Is this something I should be aware of, and who would I ask to get it sorted?

Thanks from a newbie worried about security

Hi,

It's recommended to connect to a Linux server using SSH for doing such changes.

Here's a tutorial on: How to connect to a Linux Server using SSH?

& follow the steps mentioned in the first post here.