Securing SSH access
Sep 04, 2007
So you've got a shiny new server, it's connected to the net, and you (or your hosting company) has done the right thing by turning telnet off and forcing the much more secure option of using SSH to connect. But it doesn't end there, there are quite a few little things you can do to further tighten access and keep the boogey men at bay.
Setting up the server
First things first, lets move it off the default port 22. So many scripted and brute force attacks will try and blast at the defaults, and your memory isn't that bad that you have to stick with them. So pick a number, and edit/update the /etc/ssh/sshd_config file to have the following line:
Next, remove the legacy support for the less secure SSH1 protocol in favor of the newer more robust SSH2 protocol:
You've already created a user and added yourself to sudoers, so there is no need for the root user to log in directly. Time to disable that. While we are at it, lets stop brute force attacks by reducing the number of incorrect attempts a user gets:
PermitRootLogin no MaxAuthTries 2
Now onto the client
We can remove the need to enter our server password all the time by pushing our public key onto the server and using that to authenticate. If you already have a public/private key combination you can ignore this next step.
Creating your public/private keys is very straight forward on linux and mac, on windows you'll need to get putty. From the command line:
ssh-keygen -t dsa
This will prompt you for some questions and a passphrase, the default options will be fine. The keys will be saved to ~/.ssh/, so now we will move the contents of the public key up to the server.
cat ~/.ssh/id_dsa.pub | ssh username@server "cat >> .ssh/authorized_keys" ssh username@server chmod 600 .ssh/authorized_keys
Be sure to replace username and server with the appropriate values for the server we are setting up. Now you should be free to SSH onto the server, without a password!
Back to the server
Now that you don't need a password to get into the server, we can prevent people from trying to use one. We can also restrict the users that are permitted to access while we are at it. So back into /etc/ssh/sshd_config and update/edit the following lines:
PasswordAuthentication no ChallengeResponseAuthentication no AllowUsers username
Again being sure to change username to your username. Additional users can be entered, separated with a space. All done and dusted? Restart the SSH daemon:
sudo /etc/init.d/sshd reload