The instant a Linux server is connected to a public network it starts getting hit by attackers. There are people out there running programs constantly against IP ranges and they’ve hit your server today a number of times. You need to lock down your ssh access – we’ll show you a couple ways to do this!
First, let’s see who has tried logging into your server today. You can see failed logins by typing the command lastb (run it as root, since it reads /var/log/btmp):

```bash
lastb
```
WHOA! That’s a long list, right? Let’s show just the last 20 lines of it:

```bash
lastb -n 20
```
Ok, that’s a little more manageable. But it probably shows only one IP address making 20 attempts. Let’s get a better idea of what’s going on by using awk to total the attempts for each IP, sorted by count:

```bash
lastb | awk '{print $3}' | sort | uniq -c | sort -n
```

Now you can see the top offenders there at the bottom. The number on the left is the count of login attempts and the string on the right is the IP address.
Ok – now that you can see why you need to lock down access to your server, let’s get on with it!
Locking it down.
There are at least 3 popular actions that Linux administrators take when locking down SSH access.
1. Move the SSH port from 22 to something else
2. Limit SSH access by IP address
3. Use SSH keys instead of passwords
Non-standard SSH Port:
First, let’s move SSH to a non-standard port. Edit your /etc/ssh/sshd_config file and look for the following line:

```
Port 22
```
Change that to some other port – we’ll change ours to 2424 by commenting out the ‘Port 22’ line (it may already be commented out) and adding the new port just below it:

```
#Port 22
Port 2424
```
Then, restart the sshd service. (Make sure that if you are running a firewall you open this port first! It is also wise to keep your current session open until a new connection on the new port succeeds, so a mistake cannot lock you out.)

```bash
service sshd restart
```
Now, when you ssh to your server, you will need to specify port 2424 (or whatever you used):

```bash
ssh user@yourserver.com -p 2424
```
Limit by IP:
Next, let’s lock down ssh access by IP address. You really only should do this if you have a static IP address that doesn’t change. If you have a dynamic IP address you should skip this part.
If you rely on iptables alone for security on your server, you can block access to the SSH port from everyone except your IP by typing these lines as root (change xxx.xxx.xxx.xxx to your IP address and change --dport from 2424 to whatever port you are using for SSH; the default is port 22). The first rule accepts your address and the second drops everyone else. Rules are checked in order, so the ACCEPT must be added before the DROP, or an ACCEPT on its own will not block anyone.

```bash
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 2424 -j ACCEPT
iptables -A INPUT -p tcp --dport 2424 -j DROP
```

If you have multiple IP addresses that you want to allow, run the ACCEPT line once for each of them before adding the DROP rule. Note that iptables rules are not kept across a reboot unless you save them with your distribution’s iptables persistence mechanism.
Ok – so far we have changed the SSH port and we have locked it down to accept connections only from a certain IP address.
SSH Keys:
Next is my favorite one – locking down SSH access by only allowing login via SSH key.
First, on the PC that you are connecting from, generate an SSH key by typing the following at a prompt. You’ll want to be a regular user, not root.

```bash
ssh-keygen
```
If you like, you can accept all the default answers by hitting [ENTER] at the questions.
That command generated an SSH key pair so that you can drop the public part of it on any server that you want to connect to. Let’s copy it now and place it on the server!

```bash
cat ~/.ssh/id_rsa.pub
```
(highlight/copy the string)
Now, let’s add it to the server. SSH into your server and create the structure for the key files:

```bash
cd ~
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
```
Now, edit the new .ssh/authorized_keys file with your favorite editor (vim!) and paste the string from id_rsa.pub into it as a single line, without adding any extra spaces or line breaks, then save it.
Log out of your server and ssh back in again – look ma, you didn’t have to type your password!
This is only halfway done: repeat the process of generating a key and pasting it into the authorized_keys file for all of the machines that you want to connect to your server…
Now, let’s tell the server to only accept ssh logins from machines with keys:
Edit the /etc/ssh/sshd_config file again. Change PermitRootLogin from yes to without-password, then change PasswordAuthentication from yes to no. Do this only after you have confirmed that key login works from every machine you need, or you will lock yourself out. Also make sure the original lines really are commented out, because sshd uses the first uncommented value it finds for each keyword.

```
#PermitRootLogin yes
PermitRootLogin without-password
#PasswordAuthentication yes
PasswordAuthentication no
```
Restart sshd:

```bash
service sshd restart
```
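Two helpers for the key-only lockdown described above, added here as an example (not part of the original post): install_key appends a public key to authorized_keys exactly once and sets the 700/600 permissions used above, and effective_sshd_value reports which value sshd will actually use for a keyword, since sshd takes the first uncommented occurrence in sshd_config. The key string and the sample config are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post. Port is the one keyword
# where "first match wins" does not apply: sshd listens on every Port line.

# install_key <public-key-line> <path-to-authorized_keys>
# Creates the directory (700) and file (600) if needed; skips duplicates.
install_key() {
    key="$1"; file="$2"; dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # -x -F: whole-line fixed-string match, so re-running is a no-op
    grep -qxF "$key" "$file" && return 0
    printf '%s\n' "$key" >> "$file"
}

# effective_sshd_value <keyword> <path-to-sshd_config>
# Prints the value from the first non-comment line whose keyword matches
# (keywords are case-insensitive); prints nothing if the keyword is unset.
effective_sshd_value() {
    awk -v kw="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }
        tolower($1) == kw { print $2; exit }
    ' "$2"
}

# Constructed demo: the new lines were added BELOW an existing uncommented
# "PasswordAuthentication yes", so password logins silently stay enabled.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
PasswordAuthentication yes
#Port 22
Port 2424
#PermitRootLogin yes
PermitRootLogin without-password
#PasswordAuthentication yes
PasswordAuthentication no
EOF
printf 'PasswordAuthentication -> %s\n' \
    "$(effective_sshd_value PasswordAuthentication "$demo_dir/sshd_config")"
demo_key="ssh-ed25519 AAAAC3constructedkey user@laptop"   # constructed
install_key "$demo_key" "$demo_dir/.ssh/authorized_keys"
install_key "$demo_key" "$demo_dir/.ssh/authorized_keys"
printf 'keys in file after two installs: %s\n' \
    "$(grep -c . "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```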
Your server is now much more secure than it was when you woke up this morning!
Please comment below if you used this tutorial and let us know how it went!