Post4VPS Forum | Free VPS Provider
Setting up a Ubuntu-CentOS Server from scratch: Securing SSH - Printable Version

+- Post4VPS Forum | Free VPS Provider (https://post4vps.com)
+-- Forum: VPS Discussion (https://post4vps.com/Forum-VPS-Discussion)
+--- Forum: Tutorials (https://post4vps.com/Forum-Tutorials)
+--- Thread: Setting up a Ubuntu-CentOS Server from scratch: Securing SSH (/Thread-Setting-up-a-Ubuntu-CentOS-Server-from-scratch-Securing-SSH)



Setting up a Ubuntu-CentOS Server from scratch: Securing SSH - LightDestory - 09-12-2019

*This tutorial is part of a series, visit the main thread to learn more*

Nowadays, SSH is the most common access that you can use when you get a server. On server-specific OS it will be preinstalled on most of cases. The problems is that it comes with standard configurations that are not very safe for us!

On this tutorial we will focus on what is SSH and how secure it, we will skip the installation process because, as I said previously, it comes preinstalled on almost every server-specific OS.

Let's start talking about SSH:

  • What is SSH?
    Secure Shell (SSH) is a network protocol that allow us to operate network services securely over an unsecured network, i.e Internet. It is the most common way of safely administering remote servers but with it we can secure any network service. Using a number of encryption technologies, SSH provides a mechanism for establishing a cryptographically secured connection between a client and a server, authenticating each side to the other, and passing commands and output back and forth.
    The protocol specification distinguishes between two major versions:
    • SSH-1: provides an encrypted channel to users for logging into remote computer over a network. We can execute various commands on server and move files from one server to another.
    • SSH-2: It is a much more secure, efficient, and portable version of SSH-1. It encrypts all the data to avoid eavesdroppers, it also avoids DNS and IP sproofing cryptographically authenticating the identity of the server. When a session is established, the SSH client validates the server’s host key against a local list of available keys that are associated with server names and addresses. If the keys do not match, then an immediate warning is issued.
    The standard TCP port for SSH is 22.
  • Why is so important to secure SSH?
    Now, we know that SSH is the most common access to our server, it is used for a lot of services such as remote terminal, sftp, remote desktop access with x2go, ect...
    So securing SSH is very important and we need to set it properly!

The most common SSH server around is OpenSSH, it will be probably preinstalled on your Linux Server. Moreover Windows 10 is shipped with OpenSSH client built-in!

So we can assume we don't need to explain how to install it and setting up its auto-load.
  • Where is the OpenSSH server configuration?
    OpenSSH server configuration is stored on a file named 'sshd_config' located at '/ect/ssh/'
  • How are we going to secure it?
    We are going to activate the following setting:
    • AllowUsers: With this keyword we will allow ssh access only to a list of users. It is very useful when on our server there are a lot of users dedicated to different services. The list of users is the sequence of usernames separated by space.
      In the following example I will allow SSH access only to 2 users:
      Code:
      AllowUsers lightdestory1 lightdestory2
    • Port: With this keyword we will change the listening port for SSH. As said previously the default port is 22 but if we log some spamming over that port, it can be useful to change it. When choosing a new port be careful to pick up one that is not "well known port". You can use the range: 1024-49152.
      In the following example I will change the SSH port to 44555:
      Code:
      Port 44555
      If you are using a firewall remember to update it to allow the new port!
    • PermitRootLogin: We need to block root login via SSH. Good practice tells us to use a sudoner user that can became root. To block root on SSH login you need to set this setting to 'no'.
      Code:
      PermitRootLogin no
    • PermitEmptyPasswords: We need to avoid the input of empty password. The default setting is 'yes' and it is ok, but make sure that on your server is correctly set.
    • Protocol: With this keyword we can force the use of a specific version of SSH protocol. It good practice to force the use of SSH-2 only.
      Code:
      Protocol 2
    • ClientAliveInterval & ClientAliveCountMax: these keywords will allow the server to terminate SSH sessions due to inactivity. It is useful to avoid pending sshd processes. These options are available only for SSH-2
      • ClientAliveInterval: Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client.
      • ClientAliveCountMax: Sets a number of 'client alive' response that the client can miss before getting its session SSHterminated
      I personally set a timeout of 10 minutes with 0 missed response tolerance.
      Code:
      ClientAliveInterval 600
      ClientAliveCountMax 0
    • We can also enable Key authentication and disable password authentication, it is one of the most secure thing to do but also a bit tricky. Enabling these options you will limit a lot your portability, without your own device (with the key) you will not be able to access your server.
      I will not cover this set up because I am not an expert myself

After the changes on 'sshd_config' remember to restart your OpenSSH server!
Code:
systemctl restart sshd

Sometimes some changes requires a server reboot


RE: Setting up a Ubuntu-CentOS Server from scratch: Securing SSH - rudra - 09-16-2019

Really nice tute. Cheers..

By the way, may be it would be helpful to new users if you could manage to put some exact commands that they could just copy paste, you know. Like the command to open ssh config file using nano and how to search on nano etc.

May be you are planning to improve it gradually. Good luck with your effort man !!