Lock down your SSH port/access
Rob · June 26, 2014
The instant a Linux server is connected to a public network it starts getting hit by attackers. There are people out there constantly running programs against whole IP ranges, and they've hit your server a number of times today already. You need to lock down your ssh access, and we'll show you a couple of ways to do this!

First, let's see who has tried logging into your server today. You can see failed logins by typing the command lastb:

lastb
WHOA! That's a long list, right? Let's show just the last 20 lines of it:

lastb -n 20
Ok, that's a little more manageable, but it probably only shows one IP address with 20 attempts. Let's get a better idea of what's going on by using awk to count the attempts per IP, sorted so the largest counts come last:

lastb | awk '{print $3}' | sort | uniq -c | sort -n
Now you can see the top offenders there at the bottom. The number on the left is the count of failed login attempts and the value on the right is the IP address they came from.

Ok, now that you can see why you need to lock down access to your server, let's get on with it!

Locking it down.

There are at least 3 popular actions that Linux administrators take when locking down SSH access.

  1. Move the SSH port from 22 to something else
  2. Limit SSH access by IP address
  3. Use SSH keys instead of passwords

Non-standard SSH Port:
First, let's move SSH to a non-standard port. Edit your /etc/ssh/sshd_config file and look for the following line:

Port 22
Change that to some other port. We'll change ours to 2424 by commenting out the 'Port 22' line (it may already be commented out) and adding the new port just below it.

#Port 22
Port 2424
Then, restart the sshd service (if you are running a firewall, make sure to open the new port first!):

service sshd restart
Now, when you ssh to your server, you will need to specify port 2424 (or whatever you used):

ssh [email protected] -p 2424
Limit by IP:
Next, let's lock down ssh access by IP address. You really should only do this if you have a static IP address that doesn't change. If you have a dynamic IP address you should skip this part.

If using just iptables for security on your server, you can block access (except from your IP) to the ssh port simply by typing this line as root (change xxx.xxx.xxx.xxx to your IP address and change dport from 2424 to whatever port you are using for SSH; the default is port 22). Note that this ACCEPT rule only admits your address; other addresses are actually blocked only if the INPUT chain's policy, or a later rule for that port, is DROP.

iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 2424 -j ACCEPT
If you have multiple IP addresses that you want to allow, run that command with each one.

Ok, so far we have changed the SSH port and we have locked it down to accept connections only from a certain IP address.

SSH Keys:
Next is my favorite one: locking down SSH access by only allowing login via SSH key.

First, on the PC that you are connecting from, generate an SSH key by typing the following at a prompt. You'll want to be a regular user, not root.

ssh-keygen
If you like, you can accept all the default answers by hitting [ENTER] at the questions.

That command generated an SSH key so that you can drop the public part of it on any server that you want to connect to. Letís copy it now and place it on the server!

cat ~/.ssh/id_rsa.pub
(highlight/copy the string)

Now, letís add it to the server. SSH into your server and create the structure for the key files:

cd ~
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
Now, edit the new .ssh/authorized_keys file with your favorite editor (vim!) and paste the string from id_rsa.pub into it without leaving any extra spaces, then save it.

Log out of your server and ssh back in again. Look ma, you didn't have to type your password!

This is only halfway done. Repeat the process of generating a key and pasting it into the authorized_keys file for all of the machines that you want to connect to your server...

Now, let's tell the server to only accept ssh logins from machines with keys:
Edit the /etc/ssh/sshd_config file again. Change PermitRootLogin from yes to without-password, then change PasswordAuthentication from yes to no.

PermitRootLogin yes
PermitRootLogin without-password

PasswordAuthentication yes
PasswordAuthentication no
Restart sshd:

service sshd restart
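Before you restart, it is worth checking that the edits did what you think. The following auditor is an added example (not from this post) that parses sshd_config text the way sshd does, where the first uncommented value of a keyword wins and every uncommented Port line is listened on, and reports anything that still differs from the hardened state described above; the sample configs are constructed, and the port number 2424 is assumed from this post.

```python
from typing import Dict, List

# Relevant sshd_config(5) semantics: keywords are case-insensitive; for most
# keywords the FIRST uncommented value wins, so appending "PasswordAuthentication no"
# below an existing "PasswordAuthentication yes" changes nothing; "Port" may appear
# several times and sshd listens on ALL of them, so an uncommented "Port 22" left in
# place keeps port 22 open. Lines after a "Match" block are conditional; ignored here.

def parse_settings(text: str) -> Dict[str, List[str]]:
    """Map lower-cased keyword -> its values in file order (comments/blank lines skipped)."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, []).append(value)
    return settings

def audit(text: str, want_port: str = "2424") -> List[str]:
    """Return one finding per setting that does not match the post's hardened state."""
    s = parse_settings(text)
    findings = []
    ports = s.get("port", ["22"])                       # absent Port means 22
    if "22" in ports:
        findings.append("port 22 still listening (Port lines: %s)" % ", ".join(ports))
    if want_port not in ports:
        findings.append("Port %s not configured" % want_port)
    pw = s.get("passwordauthentication", ["yes"])[0].lower()   # first value wins
    if pw != "no":
        findings.append("PasswordAuthentication is '%s', expected no" % pw)
    # absent PermitRootLogin treated as 'yes', the OpenSSH default at the time of this post
    root = s.get("permitrootlogin", ["yes"])[0].lower()
    if root not in ("without-password", "prohibit-password", "no"):
        findings.append("PermitRootLogin is '%s', expected without-password" % root)
    return findings

# Constructed sample configs (not from a real server).
BEFORE = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
# Someone appended the new lines instead of editing the old ones:
APPENDED = BEFORE + "Port 2424\nPermitRootLogin without-password\nPasswordAuthentication no\n"
HARDENED = "#Port 22\nPort 2424\nPermitRootLogin without-password\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("appended", APPENDED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`; an empty list means the three settings match.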
Your server is now much more secure than it was when you woke up this morning!