Hardening SSH Access (increase security)

This tutorial works for CentOS only. For a tutorial specific to your OS use the tags or the search function in the sidebar area.

Changing the Port number

Hardening SSH access is the second most important task on a fresh VPS installation: a weakly protected SSH service is the quickest way to lose both access to your server and the data on it.

The first step against the constant stream of automated brute-force attempts on SSH is to move the service from the default port '22' to another one, e.g. '3666' or any other 4-digit number. Keep in mind that this only cuts down the noise from scanners that try port 22 blindly; a targeted attacker will still find the new port with a port scan, which is why the later sections (denying root login, restricting users) matter more.

First we have to open that port for incoming connections in the VPS firewall.

(Assuming that you're using our VPS Firewall Script)

So type: vi /etc/init.d/firewall

Press the 'Insert' key and find the line:

# 2) We allow incoming SSH connections and answers to

change 

${FWIN} -p tcp -d ${OURIP} --dport 22 ${OK}
${FWIN} -p tcp --sport 22 -d ${OURIP} "!" --syn ${OK}

to the following, keeping the port 22 lines and ADDING two lines for the new port:
 
 
${FWIN} -p tcp -d ${OURIP} --dport 22 ${OK}
${FWIN} -p tcp --sport 22 -d ${OURIP} "!" --syn ${OK}
${FWIN} -p tcp -d ${OURIP} --dport 3666 ${OK}
${FWIN} -p tcp --sport 3666 -d ${OURIP} "!" --syn ${OK}
 
Save & Quit (hit [Esc], type :wq, hit [Enter]; to quit without saving hit [Esc], type :q!, hit [Enter])
 
then type: service firewall restart
 

SSH Port Warning

We keep rules for both ports at this stage because the firewall script blocks every port that is not explicitly allowed. If you simply replaced 22 with 3666 in the one rule pair and restarted the firewall, you would LOCK YOURSELF OUT: sshd would still be listening on port 22, but the firewall would now only allow 3666 and drop everything else, port 22 included.

 
Check that both ports are now open in the firewall - type: service firewall status
 
 
ACCEPT tcp -- 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 xxx.xxx.xxx.xxx tcp spt:22 flags:!0x17/0x02
ACCEPT tcp -- 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:3666
ACCEPT tcp -- 0.0.0.0/0 xxx.xxx.xxx.xxx tcp spt:3666 flags:!0x17/0x02
 
 
Now change the port in the SSH daemon's own configuration by editing the sshd_config file.
 
Type: vi /etc/ssh/sshd_config
Press the 'Insert' key
Look for the line: #Port 22
Remove the '#' and change 22 to 3666, so the line reads: Port 3666
 
Save & Quit (hit [Esc], type :wq, hit [Enter]; to quit without saving hit [Esc], type :q!, hit [Enter])
 
Before restarting, let sshd check the file for you: sshd -t (no output means the configuration parsed cleanly; a typo would otherwise stop sshd from starting at all). Then restart the SSH service. Type: service sshd restart

Your current session survives the restart, so keep it open until the new port is confirmed to work. Note for CentOS with SELinux in enforcing mode (check with: getenforce): sshd is only allowed to bind to ports labelled ssh_port_t, so on a non-standard port it refuses to start and /var/log/secure shows a 'Bind to port 3666 ... failed: Permission denied' error. Allow the new port first with: semanage port -a -t ssh_port_t -p tcp 3666 (semanage is in the policycoreutils-python package).
 
 
Now, leaving the current terminal open, start a second KiTTY instance and connect using port 3666.
 
If the new connection works, edit the firewall script again and REMOVE the two lines containing port 22, leaving only the two lines with 3666 (the new port number). Finally restart the firewall.
 
Type: service firewall restart
 
Secured.
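The two-port staging above, written out as shell functions so the order of operations can be rehearsed on a copy of the firewall script before touching /etc/init.d/firewall. This is an added example, not code from the original tutorial or from the VPS Firewall Script itself; it assumes the script uses the two-line ${FWIN} rule pattern quoted above, and the function names (fw_allow_port, fw_remove_port, sshd_ports) are this example's own. What it adds to the text is the guard in fw_remove_port: it refuses to drop the port 22 rules while sshd_config still makes sshd listen on 22 (an absent Port line means the OpenSSH default, 22), which is exactly the lockout described in the warning.

```bash
#!/bin/bash
# Added example: stage the SSH port change in the firewall script without
# locking yourself out. Assumes the two-line ${FWIN} rule pattern quoted in
# the tutorial; fw_* and sshd_ports are this example's names, not the script's.

# Print the two rule lines the tutorial uses for TCP port $1.
ssh_rule_pair() {
  printf '%s\n' \
    "\${FWIN} -p tcp -d \${OURIP} --dport $1 \${OK}" \
    "\${FWIN} -p tcp --sport $1 -d \${OURIP} \"!\" --syn \${OK}"
}

# Does SCRIPT already accept inbound TCP connections to PORT?
fw_allows_port() {                 # fw_allows_port SCRIPT PORT
  grep -Eq -- "--dport[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# Ports sshd will listen on according to CONFIG: every uncommented "Port"
# line, or 22 (the OpenSSH default) when none is set.
sshd_ports() {                     # sshd_ports CONFIG
  local ports
  ports=$(awk '/^[[:space:]]*#/ { next } $1 == "Port" { print $2 }' "$1")
  printf '%s\n' "${ports:-22}"
}

# Step 1: open PORT *alongside* the existing SSH rules by inserting the new
# pair right after the first "--sport N ... --syn" line.
fw_allow_port() {                  # fw_allow_port SCRIPT PORT
  local script="$1" port="$2" tmp
  fw_allows_port "$script" "$port" && return 0
  tmp=$(mktemp) || return 1
  awk -v pair="$(ssh_rule_pair "$port")" '
    { print }
    /--sport [0-9]+ .*--syn/ && !done { print pair; done = 1 }
  ' "$script" > "$tmp" && cat "$tmp" > "$script"   # cat keeps the init script's mode
  rm -f "$tmp"
  fw_allows_port "$script" "$port"                  # fails if no SSH section was found
}

# Step 3: drop the rule pair for PORT, but refuse while sshd_config still
# makes sshd listen on it: that is exactly the lockout the warning describes.
fw_remove_port() {                 # fw_remove_port SCRIPT PORT CONFIG
  local script="$1" port="$2" config="$3" tmp
  if sshd_ports "$config" | grep -qx -- "$port"; then
    echo "refusing: sshd would still listen on port $port (see $config)" >&2
    return 1
  fi
  tmp=$(mktemp) || return 1
  grep -Ev -- "--(dport|sport)[[:space:]]+$port([[:space:]]|\$)" "$script" > "$tmp"
  cat "$tmp" > "$script"
  rm -f "$tmp"
}

# Demo on constructed copies (never on the live files) of the SSH section of
# the firewall script and of sshd_config.
fw=$(mktemp); cfg=$(mktemp)
cat > "$fw" <<'EOF'
# 2) We allow incoming SSH connections and answers to
${FWIN} -p tcp -d ${OURIP} --dport 22 ${OK}
${FWIN} -p tcp --sport 22 -d ${OURIP} "!" --syn ${OK}
EOF
printf '#Port 22\n' > "$cfg"                 # sshd still on the default port
fw_allow_port "$fw" 3666                     # step 1: 22 and 3666 both open
fw_remove_port "$fw" 22 "$cfg" || echo "(refused: sshd is still on 22, as it should be)"
printf 'Port 3666\n' > "$cfg"                # step 2: sshd moved and verified over 3666
fw_remove_port "$fw" 22 "$cfg"               # step 3: safe now; only 3666 remains
cat "$fw"
rm -f "$fw" "$cfg"
```

On the live system run the functions as root against /etc/init.d/firewall and /etc/ssh/sshd_config, then service firewall restart and confirm with service firewall status exactly as shown above.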
 

Don't allow root to login

You do not want root to log in over SSH. 'root' is a user name every attacker knows exists, so once the SSH port is known a brute-force attack only has to guess the password; denying root removes that fixed target and forces an attacker to guess both a user name and a password. It also means every administrative session starts from a named user account, which is what you want to see in the logs.

First, create a user who will be allowed to gain root privileges. Say the user will be 'john'.

Type: useradd john
to create the user

Type: passwd john
to set his password

 
[root@vps ~]# useradd john
[root@vps ~]# passwd john
Changing password for user john.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@vps ~]#
 
Now add the new user to the /etc/sudoers file so that he can run commands as root with sudo. (Note that the 'su -' command used later in this tutorial does not depend on sudoers at all: it simply asks for the root password. The sudoers entry is what lets john run 'sudo <command>' with his own password.)
 
Type: visudo
(it opens /etc/sudoers in vi and refuses to save a file with syntax errors, which would otherwise break sudo for everyone; if you use plain vi /etc/sudoers instead, the file is read-only and you will need :wq! to save)
 
Look for the
 
 
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
 
ADD:
 
 
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
john ALL=(ALL) ALL
 

Save & Quit (hit [Esc], type :wq, hit [Enter]; with plain vi on the read-only file use :wq! instead)

Now forbid root from logging in over SSH.

Type: vi /etc/ssh/sshd_config

and paste the following at the bottom of the config file, or edit/uncomment the corresponding directives so that they read:

LoginGraceTime 45
PermitRootLogin no
MaxAuthTries 6
#AllowUsers root
AllowUsers john

LoginGraceTime is the number of seconds a client gets to authenticate before the connection is dropped, MaxAuthTries limits authentication attempts per connection, PermitRootLogin no refuses root regardless of the password, and AllowUsers john means only john may log in at all: every account not listed, root included, is refused. Type the user name exactly as you created it; a misspelling here locks you out.
 
Save & Quit (hit [Esc], type :wq, hit [Enter])
 
Restart SSH. Type: service sshd restart
 
NOW it is important to check that everything is working.

  1. Don't close the current terminal window - open another instance of KiTTY instead.
  2. Log in as root with the root password (this should give 'Access denied' even though the password is correct).
  3. Log in as user john with his password.
  4. When logged in type 'su -' (su followed by a dash, then hit 'Enter') and type the root password.
  5. You are now root. Use this procedure every time you need root from now on.
 
login as: root
root@vps's password: ************
Access denied
root@vps's password: ************
Access denied
login as: john
john@vps's password:
Last login: Tue Jul 2 11:07:53 2013 from xxx.xxx.xxx.xxx
[john@vps ~]$ su -
Password: ************
[root@vps ~]
 

Success

If everything is OK you can close the previous KiTTY instance. This is how you will log in over SSH from now on.

Access Denied

If you cannot log in in the second terminal, switch to the first one (still logged in as root) and carefully repeat the changes step by step. If it still fails, undo the changes, or at least set PermitRootLogin back to 'yes' in sshd_config, and restart SSH, so that you are not locked out of your own server.
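The sshd_config edits from this section (and the Port change earlier) as shell functions that rewrite a configuration file in place and then audit it before sshd is restarted, so the 'Access Denied' situation above is caught before 'service sshd restart' rather than after. This is an added example, not code from the original tutorial; the function names (set_sshd_option, get_sshd_option, harden_sshd_logins, audit_sshd_logins, validate_sshd_config) and the sample configuration fragment are this example's own. The audit checks the two things that matter here: root is really denied, and if AllowUsers is set it names the admin user exactly, since a typo there locks everyone out.

```bash
#!/bin/bash
# Added example: apply the tutorial's login restrictions to an sshd_config file
# and audit it before sshd is restarted. Function names and the sample
# fragment below are this example's own, not from the tutorial.

# set_sshd_option FILE KEY VALUE
# Rewrite the first "KEY ..." line, commented ("#PermitRootLogin yes") or not,
# as "KEY VALUE", drop any later lines for KEY, or append if KEY is absent.
# Assumes commented-out directives look like the CentOS defaults ("#Key value");
# a free-text comment that happens to start with the keyword would be eaten too.
set_sshd_option() {
  local file="$1" key="$2" value="$3" tmp
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    {
      line = $0
      sub(/^[[:space:]]*#?[[:space:]]*/, "", line)      # strip indent and "#"
      split(line, f, /[[:space:]]+/)
      if (f[1] == key) {
        if (!done) { print key " " value; done = 1 }
        next                                             # swallow duplicates
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"             # cat keeps the file mode
  rm -f "$tmp"
}

# get_sshd_option FILE KEY: the value sshd will use (first uncommented match;
# for most keywords OpenSSH takes the first occurrence), or nothing if unset.
get_sshd_option() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    $1 == key { $1 = ""; sub(/^ +/, ""); print; exit }
  ' "$1"
}

# The directives from the tutorial, for the admin user USER (john in the text).
harden_sshd_logins() {             # harden_sshd_logins FILE USER
  set_sshd_option "$1" LoginGraceTime 45
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" MaxAuthTries 6
  set_sshd_option "$1" AllowUsers "$2"
}

# Pre-restart check: root must be denied, and if AllowUsers is set it must
# name USER exactly, otherwise "service sshd restart" locks everyone out.
# (AllowUsers entries may also be user@host patterns; those are not matched.)
audit_sshd_logins() {              # audit_sshd_logins FILE USER
  local root allow u
  root=$(get_sshd_option "$1" PermitRootLogin)
  allow=$(get_sshd_option "$1" AllowUsers)
  if [ "$root" != no ]; then
    echo "PermitRootLogin is '${root:-unset}', expected 'no'" >&2
    return 1
  fi
  if [ -n "$allow" ]; then
    for u in $allow; do
      [ "$u" = "$2" ] && { echo "ok: root denied, $2 allowed"; return 0; }
    done
    echo "AllowUsers '$allow' does not list $2: you would lock yourself out" >&2
    return 1
  fi
  echo "ok: root denied, no AllowUsers restriction"
}

# OpenSSH's own syntax check; run it as root (sshd lives in /usr/sbin) before
# "service sshd restart". Exit status 0 means the file parsed cleanly.
validate_sshd_config() {           # validate_sshd_config FILE
  sshd -t -f "$1"
}

# Demo on a constructed fragment in the style of the CentOS default sshd_config
# (never on the live /etc/ssh/sshd_config).
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
#LoginGraceTime 2m
#PermitRootLogin yes
#MaxAuthTries 6
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
harden_sshd_logins "$demo" john
audit_sshd_logins "$demo" john                 # ok: root denied, john allowed
set_sshd_option "$demo" AllowUsers jhon        # a typo in the user name...
audit_sshd_logins "$demo" john || true         # ...is caught before the restart
cat "$demo"
rm -f "$demo"
```

On the live system: set_sshd_option /etc/ssh/sshd_config Port 3666 is the earlier port step with the same function, harden_sshd_logins /etc/ssh/sshd_config john followed by audit_sshd_logins /etc/ssh/sshd_config john is this section, and validate_sshd_config /etc/ssh/sshd_config is the last thing to run before service sshd restart, with your root session kept open until john has logged in.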

 

Change the root password

Remember the automatically generated root password you received in an e-mail message from Hostinger?

Since it travelled through e-mail, replace it with a strong password of your own.

To do this, while logged in as root (after su -), type: passwd root