Lock down your SSH port/access

Rob —  June 26, 2014 — Leave a comment

The instant a Linux server is connected to a public network it starts getting hit by attackers. There are people out there running programs constantly against IP ranges and they’ve hit your server today a number of times. You need to lock down your ssh access – we’ll show you a couple ways to do this!

First, let’s see who has tried logging into your server today. You can see failed logins by typing the command lastb:

WHOA! That’s a long list right? Let’s show just the last 20 lines of it:

Ok, that’s a little more manageable. But, probably only showing one IP address with 20 attempts. Let’s get a better idea of what’s going on by using awk to show us the total for each IP in reverse sort order..

Now, you can see the top offenders there at the bottom. The number on the left is their login attempts and the number on the right is their IP address.

Ok – now that you can see why you need to lock down access to your server, let’s get on with it!

Locking it down.

There are at least 3 popular actions that Linux administrators take when locking down SSH access.
1. Move the SSH port from 22 to something else
2. Limit SSH access by IP address
3. Usage of SSH keys

Non-standard SSH Port:
First, let’s move SSH to a non-standard port. Edit your /etc/ssh/sshd_config file and look for the following line:

Change that to some other port – we’ll change ours to 2424 by commenting out the ‘Port 22’ line (it may already be commented out) and adding it just below.

Then, restart the sshd service:
(Make sure if you are running a firewall to open this port first!)

Now, when you ssh to your server, you will need to specify port 2424 (or whatever you used):

Limit by IP:
Next, let’s lock down ssh access by IP address. You really only should do this if you have a static IP address that doesn’t change. If you have a dynamic IP address you should skip this part.

If using just iptables for security on your server, you can block access (except from your IP) to the ssh port simply by typing this line as root (change xxx.xxx.xxx.xxx to your iP address and change dport from 2424 to whatever port you are using for SSH. Default is port 22).

If you have multiple IP addresses that you want to allow, run that command with each one.

Ok – so far we have changed the SSH port and we have locked it down to accept connections only from a certain IP address.

SSH Keys:
Next is my favorite one – locking down SSH access by only allowing login via SSH key.

First, on the PC that you are connecting from, generate an SSH key by typing the following at a prompt. You’ll want to be a regular user, not root.

If you like, you can accept all the default answers by hitting [ENTER] at the questions.

That command generated an SSH key so that you can drop the public part of it on any server that you want to connect to. Let’s copy it now and place it on the server!

(highlight/copy the string)

Now, let’s add it to the server. SSH into your server and create the structure for the key files:

Now, edit the new .ssh/authorized_keys file with your favorite editor (vim!) and paste the string from id_rsa.pub into it without leaving any extra spaces, then save it.

Log out of your sever and ssh back in again – look ma, you didn’t have to type your password!

This is only halfway done.. repeat the process of generating a key and pasting it into the authorized_keys file for all of the machines that you want to connect to your server…

Now, let’s tell the server to only accept ssh logins from machines with keys:
Edit the /etc/ssh/sshd_conf file again. Change PermitRootLogin from Yes to without-password, then change PasswordAuthentication from Yes to no.

Restart sshd:

Your server is now much more secure than it was when you woke up this morning!

Please comment below if you used this tutorial and let us know how it went!

Related posts from Linux Brigade!

  • Bash ShellShock bug – Find out if you’ve been “tested”Bash ShellShock bug – Find out if you’ve been “tested” We’ve seen the articles about how to find out if you’re vulnerable to the bash shellshock bug, we’ve also seen the articles on how to patch your system.  What I’ll show you is how to find […]
  • Reduce TIME_WAIT socket connectionsReduce TIME_WAIT socket connections Some time in your life you’ll run across an Apache server that always has tons of TIME_WAIT connections just seeming to hang out. While these don’t take up as many resources as an […]
  • Learn the CSF command line options You have CSF installed and use the GUI to do most things.  (If you don’t have it installed yet, you can read our article on how to install csf).  BUT – knowing the csf (ConfigServer […]
  • Install CSF/LFD Firewall on your Linux Server The first thing on your mind when setting up a new Linux server (dedicated or VPS) is how you can increase security.  One of the best tools in your bag of tricks should be the CSF […]
  • Lock down your phpMyAdmin access! There are a couple of ways that I lock it down.. I won’t get into specifics because I don’t want you (or you!) trying to find it, but I can’t count the number of times I’ve seen an old […]

No Comments

Be the first to start the conversation.

Leave a Reply

Text formatting is available via select HTML.

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url=""> 

*