Glenn Gillen

Securing SSH access

So you've got a shiny new server, it's connected to the net, and you (or your hosting company) has done the right thing by turning telnet off and forcing the much more secure option of using SSH to connect. But it doesn't end there, there are quite a few little things you can do to further tighten access and keep the boogey men at bay.

Setting up the server

First things first, lets move it off the default port 22. So many scripted and brute force attacks will try and blast at the defaults, and your memory isn't that bad that you have to stick with them. So pick a number, and edit/update the /etc/ssh/sshd_config file to have the following line:

Port 1022

Next, remove the legacy support for the less secure SSH1 protocol in favor of the newer more robust SSH2 protocol:

Protocol 2

You've already created a user and added yourself to sudoers, so there is no need for the root user to log in directly. Time to disable that. While we are at it, lets stop brute force attacks by reducing the number of incorrect attempts a user gets:

PermitRootLogin no
MaxAuthTries 2

Now onto the client

We can remove the need to enter our server password all the time by pushing our public key onto the server and using that to authenticate. If you already have a public/private key combination you can ignore this next step.

Creating your public/private keys is very straight forward on linux and mac, on windows you'll need to get putty. From the command line:

ssh-keygen -t dsa

This will prompt you for some questions and a passphrase, the default options will be fine. The keys will be saved to ~/.ssh/, so now we will move the contents of the public key up to the server.

cat ~/.ssh/id_dsa.pub | ssh [email protected] "cat >> .ssh/authorized_keys" 
ssh [email protected] chmod 600 .ssh/authorized_keys

Be sure to replace username and server with the appropriate values for the server we are setting up. Now you should be free to SSH onto the server, without a password!

Back to the server

Now that you don't need a password to get into the server, we can prevent people from trying to use one. We can also restrict the users that are permitted to access while we are at it. So back into /etc/ssh/sshd_config and update/edit the following lines:

PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers username

Again being sure to change username to your username. Additional users can be entered, separated with a space. All done and dusted? Restart the SSH daemon:

sudo /etc/init.d/sshd reload

Glenn Gillen

I'm an advisor to, and investor in, early-stage tech startups. Beyond that I'm an incredibly fortunate husband and father. Working on a developer-facing tool or service? Thinking about starting one? Email me and let me know or come to one of our days to help make it a reality.