Snappy

Helpdesk Support

Official Supportmonk Company Blog!

How to secure SSH

March 29, 2013 , 12:23 am


By default, most major distributions enable root authentication with the root password, which may be convenient, but is far from secure.  This guide will teach you how to do the following:

* Disable remote root logins
* Disable password authentication
* Change SSH port
* Setup a SUDO user that can escalate to root

The benefit of disabling remote root logins is that most bruteforce programs assume the user is ‘root’, so any attempts to authenticate against SSH will fail.  The benefit of disabling password authentication is that, on top of root being disabled, even if it weren’t, the chances of cracking an RSA key is orders of magnitude more difficult.  If you change the SSH port, then the attacker must first scan the machine for open ports, as most SSH bruteforce scripts assume the default SSH port of 22.  Setting up a sudo user will enable you to still get to the root prompt, but you will have to authenticate to a sudo-enabled user first.  Using sudo is preferable, this way it logs who escalated to root, and what command was run if the command was prepended with sudo.

So, to start, you should be at an SSH root prompt, which might look something like:

[root@server ~]#

If you’re using CentOS, then the default configuration should be in /etc/ssh/sshd_config

Open this file with your favorite editor, and check below for each step.  We’ll start with changing the SSH port, which you can find by the Port directive.  Change this to a number above 1024.  Save the file, and run /etc/init.d/sshd restart .  Open another SSH session, but do not disconnect your previous session, keep that open.  Connect to the new port, and authenticate, and that’s done!

Next, we’ll create a sudo user as follows, go back to your previous SSH session, and run adduser admin (or whatever username you desire).  Then run passwd admin which will change the password to the ‘admin’ user.  Once you add the user, execute usermod -G wheel admin , which will add ‘admin’ to the ‘wheel’ group.  Once that’s done, open /etc/sudoers in your favorite editor, and uncomment this line:

# %wheel ALL=(ALL) NOPASSWD: ALL

Save the file, then open a new SSH connection to your new port, but use username admin (or whatever username you chose), then verify that you can escalate to root via sudo -s .  Once that’s confirmed, then go back to your original SSH session, and then edit /etc/ssh/sshd_config again, find the directive PermitRootLogin, change this to no .  Restart SSHD via /etc/init.d/sshd restart , now remote root logins are fully disabled.

To utilize RSA key-based authentication, you will need PuTTyGen or if you’re on Linux, use:

ssh-keygen -t rsa -b 4096

You will be prompted for a password twice, you won’t be able to see what you’re typing, so it’s important to remember what you typed, as this will be your key’s password for connecting to your sudo user on your server.  If you’re using linux, you can simply install the key on the sudo user via:

ssh-copy-id -pSSH_PORT admin@ip.of.your.server

Replace SSH_PORT above with the SSH port you chose, and replace ip.of.your.server with the primary IP address of your server.

If you’re using PuTTyGen, then you’ll need to generate a public and private key.  Once you save the private key somewhere safe, you can configure PuTTy to authenticate using the key by editing the profile and going to SSH > Authentication in the options tree on the left side of PuTTy, remember to save your profile so you don’t have to set it again.  When you connect, it will open the connection, but it will also prompt you for the password you chose when you generated the key.  It should fail, but it should fall back to password authentication, at which point, you will enter the password you chose when you ran passwd admin before.  Once you’re logged in as the sudo user, run the following commands:

mkdir -p -m 700 ~/.ssh
vim ~/.ssh/authorized_keys

With PuTTyGen still open, look at the top section, which should have a string that looks like “ssh-rsa …“, copy and paste this into the authorized_keys file, and save it, then run:

chmod 600 ~/.ssh/authorized_keys

Now, run sudo -s and edit /etc/ssh/sshd_config again, this time look for PasswordAuthentication, uncomment it if it’s commented, and set it to no.  Restart SSHD with /etc/init.d/sshd restart one more time.  Since you just installed your public key into /home/admin/.ssh/authorized_keys, you should no longer be prompted for that user’s password, and should now only accept RSA public key authentication.  Now, the next time you connect to SSH on your custom ssh port, using your sudo user, and your RSA private key, it should only prompt you for your key’s password, and you’re logged in.  At that point, all you have to do is use sudo -s or sudo COMMAND to run a command as the root user.

Envelope Icon

Get Updates Your Email!

Subscribe to Supportmonk and receive blog posts to your email!

Subscribe Via Email

SupportMonk on Facebook


Outsourced Customer Support