Ubuntu – How to secure the SSH access

ssh

So I have a VPS, and I have no idea how to administer it. I understand one of the first things to do is secure it, and the first concrete step in that direction I've found so far is in moshen's comment:

Also, you should secure your SSH access as soon as possible. I recommend changing the default port, using key-based authentication and disabling password authentication and root logins (basically create a standard user account for you to log in with)

So far, all I know how to do is use my VPS provider's web interface to open a console with root access. So how do I follow moshen's advice?

Best Answer

So I have a VPS, and I have no idea how to administer it.

That's the single biggest argument for managed hosting I've ever seen. Hacked servers are responsible for a large portion of the nonsense that makes the internet a bad place. Hosting phishing pages, spreading malware. If you're going to do this, I hope you do it properly.

To give you some sort of idea of the long term undertaking, I'd read through this: What Can Be Done To Secure Ubuntu Server? There are other questions like it on the site (dozens) with good answers but this one has some nice vast answers.

For SSH, I've been over all of these in long-form on my blog but the key points are:

Move it to another port. Something high, in the 10,000-60,000 range.
Install fail2ban.
Use key based authentication.
Disable password authentication.
Disable root login (make sure your user is in the admin group).
Make sure your user doesn't have a guessable name (eg admin).

Just moving the port will deflect 99.99% of drive-by hacking attempts. fail2ban will stop any brute attempts from being viable. Forcing key-based auth means the number of guesses a brute would take is now in the range of billions of billions. Disabling root login and having a harder-to-guess username means they don't even have a username with which to start bruting: they have to brute for the username before they even get to the password element.

This results in a fairly secure SSH server. There would have to be a pretty horrific exploit in it for people to get through it... But don't put all your focus on making the door as impenetrable as possible and then ignoring the open window.

Web applications (of all dynamic languages) are hackable. If you're using open source scripts, you need to keep on top of their updates.
A firewall should be stopping people getting to services that shouldn't be exposed to the internet (MySQL for example).
Otherwise secure services will let people right in if you're not applying patches to them (and restarting them after patching).

Related Solutions

Ubuntu – Create a new SSH user on Ubuntu Server

Edit (as root) /etc/ssh/sshd_config. Append the following to it:

Port 1234
PermitRootLogin no
AllowUsers jim

Port 1234 causes SSH to listen on port 1234. You can use any unused port from 1 to 65535. It's recommended to choose a privileged port (port 1-1024) which can only be used by root. If your SSH daemon stops working for some reason, a rogue application can't intercept the connection.

PermitRootLogin disallows direct root login.

AllowUsers jim allows user jim to login through SSH. If you do not have to login from everywhere, you can make this more secure by restricting jim to an IP address (replace 1.2.3.4 with your actual IP address):

AllowUsers jim@1.2.3.4

Changes to the configuration file /etc/ssh/sshd_config are not immediately applied, to reload the configuration, run:

sudo service ssh reload

Best Answer

Related Solutions

Ubuntu – Create a new SSH user on Ubuntu Server

Related Question