One of the first things you do when you install a new UNIX server is to properly configure the SSH service for remote administration.
By default, OpenSSH runs the sshd daemon listening on port 22, allows authentication with a user name and password, allows login as root, and so on.
If your server is exposed to the Internet (for example a hosted VPS), it is recommended to follow these steps to secure the SSH service:
+ Deny authentication with root user
On the Internet there are thousands of malicious bots scanning all IP addresses, and one of the most common scans checks whether port 22 is open; if it is, they try to log in to the machine as user root by brute force.
We must disable this option in “/etc/ssh/sshd_config” by editing the following lines:
    #PermitRootLogin yes
    PermitRootLogin no
Be aware that you will need another user with sudo privileges in order to log in via SSH with that user. Save the file and reload the configuration of sshd:
    $ systemctl reload sshd
+ Use authentication via public keys
Because weak passwords can be guessed by brute force attacks, it is better to connect with our own public/private RSA key pair.
First we need to generate a public/private RSA key pair: in Windows we can use PuTTYgen.exe, while in Linux we can simply use the “ssh-keygen” command. Generating a 2048-bit RSA key pair should be enough. Using a passphrase to protect the private key is optional.
Second, we must locate the newly created public key. In Linux it is created under “~/.ssh/id_rsa.pub”. It should have the following format:
If we are in Linux we can use the following command to copy this public key to the “~/.ssh/authorized_keys” file on the remote server:
    $ ssh-copy-id -i ~/.ssh/id_rsa.pub [remote_user]@[server_IP]
If we are in Windows we need to copy the content of the public key and append it to the file “~/.ssh/authorized_keys” on the remote server.
After that, we need to modify the “/etc/ssh/sshd_config” file:
    RSAAuthentication yes
    PubkeyAuthentication yes
    ChallengeResponseAuthentication no
    PasswordAuthentication no
Finally, reload the sshd config:
    $ systemctl reload sshd
+ Change the default port 22
Since all bot scanners scan the privileged ports, including port 22, it is recommended to change the sshd daemon to listen on a non-privileged port. To do this, simply modify the following line in “/etc/ssh/sshd_config”:
    #Port 22
    Port 2244
Reload the sshd config and then check that it is now listening on the new port with ‘netstat’:
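As an added example (not code from the original post), the following POSIX shell script audits an sshd_config file for the three settings described in the steps above; the two sample config files it creates are constructed, and the function names sshd_effective and audit_sshd_config are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config file for
# PermitRootLogin, PasswordAuthentication and Port. sshd uses the FIRST
# uncommented value it finds for each keyword (sshd_config(5)), so a hardened
# line placed after the default one is silently ignored; the audit follows
# that rule. Match blocks are not handled.

# Print the effective value of a keyword (case-insensitive); empty if unset.
sshd_effective() {
    _kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v kw="$_kw" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        tolower($1) == kw   { print $2; exit } # first occurrence wins
    ' "$1"
}

# Exit 0 when root login is denied, password auth is off and the port is not 22.
audit_sshd_config() {
    _f=$1; _rc=0
    [ "$(sshd_effective "$_f" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not 'no'"; _rc=1; }
    [ "$(sshd_effective "$_f" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; _rc=1; }
    _port=$(sshd_effective "$_f" Port)
    _port=${_port:-22}                         # sshd default when the keyword is absent
    [ "$_port" != "22" ] || { echo "FAIL: sshd still listens on port 22"; _rc=1; }
    return $_rc
}

# Constructed sample files for a stand-alone run (not real server configs).
SAMPLE_GOOD=$(mktemp); SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_BAD"' EXIT
cat > "$SAMPLE_GOOD" <<'EOF'
#Port 22
Port 2244
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
cat > "$SAMPLE_BAD" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd_config "$SAMPLE_GOOD" && echo "sample_good: hardened"
audit_sshd_config "$SAMPLE_BAD"  || echo "sample_bad: needs attention"
```

On a real server, run `sshd -t` to validate the file before `systemctl reload sshd`; modern OpenSSH releases also log a warning that RSAAuthentication is a deprecated (SSH protocol 1 era) option.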
Thanks for your job