“It is not Unix’s job to keep you from shooting yourself in the foot. If you should choose to do so, it is Unix’s job to deliver Mr. Bullet to Mr. Foot in the most efficient way it knows.” — Terry Lambert.

If you run Linux/Unix hosts, you most likely connect to your servers over SSH to manage your Linux hosting, perform daily tasks or install software.


SSH – An Introduction:

SSH stands for Secure Shell, a cryptographic network protocol used for connecting to Linux/Unix servers remotely via a command line interface. By default the SSH service listens on port 22 (which is configurable) to exchange data between the remote users and the server. The SSH program was developed to improve on the security of earlier applications such as telnet and rsh.

The following events occur when two parties connect via SSH:

  1. A request to establish a connection is made, so that the client can verify that it is communicating with the correct server.

  2. The connection between the client and the server is encrypted on the transport layer.

  3. The server checks the information provided by the client for authentication.

  4. Once the encrypted connection is established, the client and the server are now ready to exchange information.

    How to Configure and Secure SSH Service in Linux

Security measures necessary to safeguard SSH service:

Here are some security measures which can be useful in securing the SSH service in Linux:

  1. Configure the SSH port:

    The default port is 22, as stated above. An attacker who requests access on that port is already one step ahead: he only has to find the password by trial and error. Configuring SSH to use a port other than 22 protects it against attacks aimed at the default port.

    Run the command below to change the default port in the SSH configuration file:

    #sed -i 's/^#\?Port [0-9]*/Port 1337/' /etc/ssh/sshd_config

    It will change any Port xxx line, commented out or not, where xxx is any number, to Port 1337. To verify, run the command below:

    #cat /etc/ssh/sshd_config | grep Port

    Now that you’ve changed the port, open it in the firewall so that connections to the SSH service on port 1337 are accepted. Run the commands below to achieve that:

    #iptables -A INPUT -i eth0 -p tcp --dport 1337 -j ACCEPT

    #service iptables save

    #service iptables restart

  2. Disable root login:

    Disable root login! How are we supposed to log in to our server?

    The default user, the one through which we normally log in to the server, is root, and this gives an attacker an edge in gaining access to the complete system: he already knows the username and only has to work on the password. We will create a user on our server that will be used only for SSH login.

    Run the command below to create a user:

    #useradd 1345345

    Set the user password to something complex:

    #passwd 1345345

    Changing password for user 1345345.

    New password:

    Retype new password:

    passwd: all authentication tokens updated successfully.

    We will now change our SSH configuration to disable the root login.

    #sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config

    Once the root login has been disabled, we will now allow the user we created earlier.

    #echo "AllowUsers 1345345" >> /etc/ssh/sshd_config

    Finally, to allow the user to run the su - command after logging in to the server, add the user to the wheel group to make things easier to manage.

    #usermod -aG wheel 1345345

    After making all the required changes, restart the SSH service with the command below:

    #/etc/init.d/sshd restart

    or

    #service sshd restart

    or, if you are using CentOS 7 / Red Hat Enterprise Linux 7, use this to restart:

    #systemctl restart sshd.service

  3. Allow access from specific IP addresses:

    If you connect from a static IP address, such as that of your corporate network, it is advisable to allow SSH from that IP only. To do that, run the commands below, substituting the public IP addresses of your own network:

    #echo "sshd : 192.168.1.1 : ALLOW" >> /etc/hosts.allow

    #echo "sshd : 192.168.1.2 : ALLOW" >> /etc/hosts.allow

    #echo "sshd : ALL : DENY" >> /etc/hosts.allow

  4. Patch against known exploits:

    Check that your bash version is up to date and patched against commonly known exploits such as Shellshock and zero-day vulnerabilities.

    #bash --version

    GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)

    Copyright (C) 2009 Free Software Foundation, Inc.

  5. Physical Access/User Security:

    If you use Windows to access SSH, make sure your machines are well protected against viruses and are not open to public use. Change passwords regularly and store them in a secure location.

  6. SSH encryption using public-private keys:

    We can also implement key-based authentication on the server. We will discuss key-based authentication in our next blog, as it is a topic that deserves detailed discussion of its own.

    An SSH key needs to be stored on a computer, and this can be a vulnerability. You have to protect your private key with a passphrase; otherwise, if your laptop falls into the wrong hands, it can result in an account compromise. On the other hand, a password can be stored in your brain only, which theoretically makes it less likely to leak.

    Arguably, it can be said that SSH keys are more secure than passwords, but the opposite can also be true. So, it all depends on the context.

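The check below is an added example, not part of the original article: it reads an sshd_config-style file and reports whether the changes from steps 1 and 2 (a non-default Port, PermitRootLogin no, an AllowUsers entry) are actually in effect, relying on sshd keeping the first value it reads for a single-valued keyword. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify the hardening from steps 1 and 2 in an sshd_config file.

# Print the first active value of keyword $2 in file $1.
# Keywords are case-insensitive, and for single-valued options such as
# PermitRootLogin sshd keeps the first value it reads.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # skip comment lines
        tolower($1) == "match" { exit }      # only global settings are checked
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Return 0 if the file carries the three settings, 1 otherwise.
audit_sshd_config() {
    file=$1; rc=0
    port=$(first_value "$file" Port)
    root=$(first_value "$file" PermitRootLogin)
    users=$(first_value "$file" AllowUsers)
    # No active Port line means sshd uses its default, 22.
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL Port: still on the default 22"; rc=1
    fi
    if [ "$root" != no ]; then
        echo "FAIL PermitRootLogin: first active value is '${root:-unset}'"; rc=1
    fi
    if [ -z "$users" ]; then
        echo "FAIL AllowUsers: no entry found"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK Port=$port PermitRootLogin=$root AllowUsers=$users"
    fi
    return "$rc"
}

# Constructed sample: "PermitRootLogin no" was appended below an existing
# "PermitRootLogin yes", so it has no effect and the audit must fail.
sample=$(mktemp)
printf '%s\n' 'Port 1337' 'PermitRootLogin yes' 'AllowUsers 1345345' \
    'PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || echo "sample config is not hardened"
```

On a live server, run sshd -t to validate the file's syntax before restarting the service, and keep your current session open until a new login on the new port succeeds.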


You are free to contribute, comment or create issues; post them in the comments and I will revert.