HostwareSupport-Linux Hosting technical support for cPanel, Plesk, Directadmin servers

Linux Hosting technical support for cPanel, Plesk, Directadmin and No control panel servers offers and listing
http://hostwaresupport.com/

Dec 4, 2009

Secure SSH

Any reference to editing the config file refers to the file located at

/etc/ssh/sshd_config

and to edit this I recommend

pico /etc/ssh/sshd_config

Before you do anything, back your config up. This can be done by:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak


##Different Ports and IPs##

If your clients do not have SSH access (web hosting, for example), moving SSH to a non-standard port and a dedicated IP cuts out most of the automated brute-force noise aimed at port 22. Be clear about what it buys you: it is obscurity, not a hard control. A port scan of the server will still find the service, so treat this as a supplement to the root-login and protocol changes below, not a replacement for them.

Scroll down in your current config file and you will see lines like these:
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

They are all commented out with a #, which means sshd is running on its built-in defaults. Change the port number away from 22; this is the port you will use to reach the server from now on. Pick a number that means something to you but that others will not guess, and check it is not already in use on the box. For this tutorial I will use 2202 (the time of writing). Remove the hash so the line is uncommented and change 22 to the new port. If the server runs a firewall (APF, CSF or plain iptables), open the new port in it before you restart sshd, or you will lock yourself out. That part of the config will now look like this:

Port 2202
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

This means from now on you will connect to SSH on port 2202. Another way to make SSH harder to find is to bind it to a different IP. Your best bet is to request an extra IP from FDC and ask for it to be in a different range from your current IPs; they should give you this. For the sake of the tutorial this IP will be 1.2.3.4. You do the same as before, but this time with ListenAddress. With every ListenAddress line commented out, sshd listens on all addresses the server has; once you set ListenAddress 1.2.3.4 it listens on that address only, so make sure the IP is actually configured on an interface before you restart. Keep Port above ListenAddress as in the default file (older versions of sshd require Port to come first for it to apply to an address given without a port). Your config, just under the line that says "# default value", should now look like:

Port 2202
#Protocol 2,1
ListenAddress 1.2.3.4
#ListenAddress ::


##Disable Root Log In##

If you disable root login, anyone brute-forcing your server first has to find and crack an ordinary user account before they can even attempt the root password.

With root SSH login disabled, you connect as an ordinary user account, for example admin, and once logged in you get your usual shell prompt:

admin@localhost [~]#

You then issue the following command:

admin@localhost [~]# su -

You will be asked for the root password, which you enter. Try this now, before root SSH is disabled, so you know it works. On a cPanel server the user must first be a member of the wheel group, which you add through Manage Wheel Group Users in WebHost Manager. Note what wheel controls: only members of wheel are allowed to su to root; it does not decide who may log in over SSH. You can confirm membership with id -nG admin, which should list wheel.

To disable root SSH login, return to editing the file, and scroll down to

# Authentication:

#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes

And change it to

# Authentication:

#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes

This has now disabled root SSH access. Before you do this, make sure you can log in as a normal user and then use su - to become root; if you cannot, do not perform this step. Either way, keep your existing root session open until you have confirmed from a second connection that the new settings work.

##Force SSHv2##

Protocols age along with the programs that use them. SSHv1 has well-known cryptographic weaknesses and SSHv2 was designed to replace it, so you should force clients to use SSHv2. (OpenSSH removed SSHv1 server support in version 7.4, released in 2016, so on a current server only SSHv2 exists and this directive is ignored; on a 2009-era server it still matters.) This is simple to do: edit the file and find the line

#Protocol 2,1

and simply change it to

Protocol 2


Save the sshd_config file. Before restarting, check that sshd accepts the new configuration:

sshd -t

It prints nothing if the file is valid and names the offending line if not. Then issue the command:

service sshd restart

It should show:

Stopping sshd: [ OK ]
Starting sshd: [ OK ]

Now, without closing your current session, open a second terminal and connect to the new port (and IP) as your normal user, then su - to root. Only close the first session once the second one works.

If it errors on starting sshd, restore the original config file by typing:

cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config

Using cp rather than mv keeps the backup around for another attempt. On CentOS, root's cp is aliased to cp -i, so it will ask whether to overwrite; type y, then type:

service sshd start

and now you will get:

Starting sshd: [ OK ]
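The whole procedure above (back up, change Port, ListenAddress, PermitRootLogin and Protocol, test, restart) as an added shell example; this is not code from the original post. It works on whatever config file path you pass it, so you can try it on a scratch copy before touching /etc/ssh/sshd_config, and the demo at the bottom uses a constructed copy of the default lines quoted in this tutorial, not the live file. One detail the tutorial handles by hand is worth making explicit: sshd uses the first uncommented occurrence of a keyword, so a duplicate appended at the end of the file is silently ignored. sshd_get therefore reads the first active match, and sshd_set rewrites in place rather than appending. The values 2202 and 1.2.3.4 are the tutorial's placeholders; "Keyword value" syntax (not Keyword=value) and a config without Match blocks are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): apply and audit the sshd_config
# changes this tutorial makes by hand. Works on any file path you give it, so
# test on a copy before touching /etc/ssh/sshd_config.
# Assumptions: "Keyword value" syntax (not Keyword=value); only the global
# section is handled, everything from the first "Match" line on is left as-is.

# sshd_get KEYWORD FILE: print the effective value, i.e. the FIRST active
# occurrence (sshd's rule: later duplicates are ignored). Returns 1 if the
# keyword is not set, so the caller can fall back to the compiled-in default.
sshd_get() {
    awk -v key="$1" '
        tolower($1) == "match" { exit }                # global section ends here
        /^[[:space:]]*#/ || NF == 0 { next }           # comments and blank lines
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# sshd_set KEYWORD VALUE FILE: make "KEYWORD VALUE" the effective setting.
# - an existing active line is rewritten in place and later active duplicates
#   are dropped (appending would be ignored by sshd, see above)
# - otherwise a commented default such as "#PermitRootLogin yes" is uncommented
#   in place, exactly as the tutorial does by hand
# - otherwise the line is appended
# The result goes through a temp file and is copied back with cat so the file
# keeps its owner and mode (sshd_config should stay root:root 600).
sshd_set() {
    key=$1 val=$2 file=$3
    tmp=$(mktemp) || return 1
    if sshd_get "$key" "$file" >/dev/null; then
        mode=replace
    elif grep -Eiq "^[[:space:]]*#[[:space:]]*$key([[:space:]=]|$)" "$file"; then
        mode=uncomment
    else
        mode=append
    fi
    awk -v key="$key" -v val="$val" -v mode="$mode" '
        BEGIN { lk = tolower(key) }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { print; next }
        mode == "replace" && tolower($1) == lk {
            if (!done) { print key, val; done = 1 }    # keep first, drop the rest
            next
        }
        mode == "uncomment" && !done && /^[[:space:]]*#/ {
            line = $0; sub(/^[[:space:]]*#[[:space:]]*/, "", line)
            split(line, f, "[[:space:]=]+")
            if (tolower(f[1]) == lk) { print key, val; done = 1; next }
        }
        { print }
        END { if (mode == "append") print key, val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sshd_audit FILE: check the three settings this tutorial changes. Prints one
# line per finding; the return value is the number of failures (0 = all good).
sshd_audit() {
    file=$1 fails=0
    port=$(sshd_get Port "$file") || port=22           # sshd's built-in default
    if [ "$port" = 22 ]; then echo "FAIL Port 22 (default)"; fails=$((fails + 1))
    else echo "ok   Port $port"; fi
    root=$(sshd_get PermitRootLogin "$file") || root="unset (version default)"
    if [ "$root" = no ]; then echo "ok   PermitRootLogin no"
    else echo "FAIL PermitRootLogin $root"; fails=$((fails + 1)); fi
    proto=$(sshd_get Protocol "$file") || proto="unset (version default)"
    if [ "$proto" = 2 ]; then echo "ok   Protocol 2"
    else echo "FAIL Protocol $proto (SSHv1 may be offered)"; fails=$((fails + 1)); fi
    return $fails
}

# sshd_validate FILE: the check to run before "service sshd restart";
# sshd -t exits non-zero and names the bad line if the file would not load.
sshd_validate() {
    sshd -t -f "$1"
}

# Demo on a constructed copy of the default lines quoted in this tutorial (not
# the live /etc/ssh/sshd_config); no sshd binary is needed for this part.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# Authentication:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
EOF
sshd_audit "$demo_config" || true                      # three FAIL lines
sshd_set Port 2202 "$demo_config"
sshd_set ListenAddress 1.2.3.4 "$demo_config"
sshd_set PermitRootLogin no "$demo_config"
sshd_set Protocol 2 "$demo_config"
sshd_audit "$demo_config"                              # all ok, returns 0
```

On the real server, run the sshd_set calls against /etc/ssh/sshd_config as root after taking the backup, then sshd_validate /etc/ssh/sshd_config before service sshd restart; the audit function is also handy for checking a box someone else configured, where a stray second Port or PermitRootLogin line at the bottom of the file is a common reason a change "did not take".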
