Official Supportmonk Company Blog!

How to secure SSH

March 29, 2013 , 12:23 am


By default, most major distributions allow root to log in over SSH with the root password, which is convenient but far from secure.  This guide will teach you how to do the following:

* Disable remote root logins
* Disable password authentication
* Change SSH port
* Set up a sudo user that can escalate to root

Disabling remote root logins helps because most brute-force tools try the user 'root' first, so those attempts fail before a password is even checked.  Disabling password authentication means that, even if root logins were still allowed, an attacker would need your private key: guessing a 4096-bit RSA key is not feasible, whereas guessing a password often is.  Changing the SSH port forces an attacker to port-scan the machine first, since most SSH brute-force scripts assume the default port of 22; treat this as a way to cut the noise in your logs rather than as a security control, because any port scanner finds the new port in seconds.  Setting up a sudo user still gets you to a root prompt, but you must authenticate as that user first.  sudo is preferable because it logs who escalated to root and, for commands run as sudo COMMAND, which command was run.  Note that sudo -s opens a root shell, and the commands typed into that shell are not logged individually.

So, to start, you should be at an SSH root prompt, which might look something like:

[root@server ~]#

If you’re using CentOS, then the default configuration should be in /etc/ssh/sshd_config

Open this file with your favorite editor and follow each step below.  We'll start with changing the SSH port, which is set by the Port directive (commented out as #Port 22 in the stock file, so uncomment it).  Pick a port that nothing else on the machine uses.  The usual advice is a number above 1024; the trade-off is that any local user can bind a port above 1024 if sshd ever stops listening, whereas ports below 1024 require root, so a low port is the safer choice on a multi-user box.  Before restarting, make sure the new port will be reachable: open it in your firewall (iptables on CentOS), and if SELinux is enforcing, register it with semanage port -a -t ssh_port_t -p tcp PORT, or sshd will fail to bind it.  Check the file with sshd -t, save it, and run /etc/init.d/sshd restart .  Open another SSH session, but do not disconnect your previous session; keep it open as a fallback until every step is verified.  Connect to the new port, authenticate, and that's done!

Next, we'll create a sudo user.  Go back to your previous SSH session and run adduser admin (or whatever username you desire).  Then run passwd admin , which sets the password for the 'admin' user.  Once the user exists, execute usermod -aG wheel admin , which adds 'admin' to the 'wheel' group (the -a matters: usermod -G without it replaces the user's supplementary groups with just 'wheel').  Once that's done, open /etc/sudoers with visudo , which checks the syntax before saving, since a broken sudoers file disables sudo for everyone, and uncomment this line:

# %wheel ALL=(ALL) NOPASSWD: ALL

With NOPASSWD, sudo will not prompt, so whoever holds the admin user's key gets root without a second secret; if you would rather be asked for the admin password as well, uncomment the %wheel ALL=(ALL) ALL line instead.  Save the file, then open a new SSH connection to your new port, but use username admin (or whatever username you chose), and verify that you can escalate to root via sudo -s .  Once that's confirmed, go back to your original SSH session, edit /etc/ssh/sshd_config again, find the directive PermitRootLogin, and change it to no .  Restart SSHD via /etc/init.d/sshd restart ; new remote root logins are now refused (sessions already open stay open).

To utilize RSA key-based authentication, you will need PuTTYgen on Windows, or if you're on Linux, use:

ssh-keygen -t rsa -b 4096

You will first be asked where to save the key (the default, ~/.ssh/id_rsa, is fine), then for a passphrase twice.  You won't see what you type, so it's important to remember it: this passphrase unlocks the key every time you connect to your sudo user on the server.  Choose a strong one, because anyone who copies the private key file only has to guess the passphrase.  If you're using Linux, you can install the public key on the sudo user via:

ssh-copy-id -p SSH_PORT admin@ip.of.your.server

Replace SSH_PORT above with the SSH port you chose, and replace ip.of.your.server with the primary IP address of your server.

If you're using PuTTYgen, generate a public and private key pair.  Once you have saved the private key somewhere safe, configure PuTTY to authenticate with it by editing the profile and going to SSH > Auth in the options tree on the left side of PuTTY; remember to save the profile so you don't have to set it again.  When you connect, PuTTY may prompt for the passphrase you chose when you generated the key, but since the public key is not yet installed on the server, key authentication fails and PuTTY falls back to password authentication, at which point you enter the password you chose when you ran passwd admin before.  Once you're logged in as the sudo user, run the following commands:

mkdir -p -m 700 ~/.ssh
vim ~/.ssh/authorized_keys

With PuTTYgen still open, look at the top section, which holds a single line that starts with "ssh-rsa …".  Copy and paste that whole line into the authorized_keys file (one key per line), save it, then run:

chmod 600 ~/.ssh/authorized_keys

Now, run sudo -s and edit /etc/ssh/sshd_config again, this time looking for PasswordAuthentication; uncomment it if it's commented and set it to no.  On CentOS, also make sure ChallengeResponseAuthentication is set to no, otherwise PAM can still accept a password through keyboard-interactive authentication.  Check the file with sshd -t, then restart SSHD with /etc/init.d/sshd restart one more time.  Since you just installed your public key into /home/admin/.ssh/authorized_keys, you should no longer be prompted for that user's password, and the server should now accept only public key authentication.  Verify it from a new session while your existing one stays open: connecting to your custom SSH port as your sudo user with your RSA private key should prompt only for your key's passphrase, and a deliberate password attempt, ssh -p SSH_PORT -o PubkeyAuthentication=no admin@ip.of.your.server , should be refused with a "Permission denied" message that no longer lists password as a method.  At that point, all you have to do is use sudo -s or sudo COMMAND to run a command as the root user.
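As an added example that is not part of the original post, here is a small POSIX shell script that applies the sshd_config changes from the steps above in one pass, so you can inspect the result and run sshd -t before restarting.  It assumes a file in sshd_config syntax and a port number you chose; the contents written by demo() are constructed to resemble a stock CentOS sshd_config and are not taken from any real host.  The user, sudoers and key steps are still done by hand as described above.

```shell
#!/bin/sh
# Added example (not from the original post): apply this post's sshd_config
# changes to a file in one pass. On a real CentOS host you would pass
# /etc/ssh/sshd_config and your chosen port; the demo uses a constructed file.
set -eu

# Set a directive to a value. sshd honours the first uncommented occurrence of
# a keyword, so: the first line carrying the keyword (commented or not) becomes
# "Key value", later uncommented copies are commented out so the file stays
# unambiguous, and the directive is appended if the file never mentioned it.
# Keywords are case-insensitive in sshd_config; values are not.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/) }
        tolower(f[1]) == tolower(k) {
            if (!done)                { print k " " v; done = 1 }
            else if ($0 ~ /^[ \t]*#/) { print }
            else                      { print "#" $0 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the value sshd would actually use for a keyword (first uncommented match).
effective_value() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The settings this post ends up with, plus ChallengeResponseAuthentication,
# which on CentOS (UsePAM yes) must also be off or PAM can still ask for a
# password under another authentication method.
harden_sshd_config() {
    file=$1 port=$2
    cp "$file" "$file.bak"   # keep the original in case sshd -t complains
    set_directive "$file" Port "$port"
    set_directive "$file" PermitRootLogin no
    set_directive "$file" PubkeyAuthentication yes
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" ChallengeResponseAuthentication no
}

# Demo on a constructed file resembling the stock CentOS sshd_config
# (commented defaults, one duplicated directive, PAM enabled).
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
#Port 22
#PermitRootLogin yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
    harden_sshd_config "$cfg" 2222
    echo "--- hardened config ---"
    cat "$cfg"
    echo "--- effective PasswordAuthentication: $(effective_value "$cfg" PasswordAuthentication)"
    rm -f "$cfg" "$cfg.bak"
}
demo
```

Run it against a copy of the real file first, then check the copy with sshd -t -f COPY; only when that is clean should you move it into place and restart, with your fallback session still open.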
