Ubuntu – How to secure the SSH access


So I have a VPS, and I have no idea how to administer it. I understand one of the first things to do is secure it, and the first concrete step in that direction I've found so far is in moshen's comment:

Also, you should secure your SSH access as soon as possible. I recommend changing the default port, using key-based authentication and disabling password authentication and root logins (basically create a standard user account for you to log in with)

So far, all I know how to do is use my VPS provider's web interface to open a console with root access. So how do I follow moshen's advice?

Best Answer

So I have a VPS, and I have no idea how to administer it.

That's the single biggest argument for managed hosting I've ever seen. Hacked servers are responsible for a large portion of the nonsense that makes the internet a bad place. Hosting phishing pages, spreading malware. If you're going to do this, I hope you do it properly.

To give you some sort of idea of the long term undertaking, I'd read through this: What Can Be Done To Secure Ubuntu Server? There are other questions like it on the site (dozens) with good answers but this one has some nice vast answers.

For SSH, I've been over all of these in long-form on my blog but the key points are:

  • Move it to another port. Something high, in the 10,000-60,000 range.
  • Install fail2ban.
  • Use key based authentication.
  • Disable password authentication.
  • Disable root login (make sure your user is in the admin group).
  • Make sure your user doesn't have a guessable name (eg admin).

Just moving the port will deflect 99.99% of drive-by hacking attempts. fail2ban will stop any brute attempts from being viable. Forcing key-based auth means the number of guesses a brute would take is now in the range of billions of billions. Disabling root login and having a harder-to-guess username means they don't even have a username with which to start bruting: they have to brute for the username before they even get to the password element.

This results in a fairly secure SSH server. There would have to be a pretty horrific exploit in it for people to get through it... But don't put all your focus on making the door as impenetrable as possible and then ignoring the open window.

  • Web applications (of all dynamic languages) are hackable. If you're using open source scripts, you need to keep on top of their updates.
  • A firewall should be stopping people getting to services that shouldn't be exposed to the internet (MySQL for example).
  • Otherwise secure services will let people right in if you're not applying patches to them (and restarting them after patching).
Related Question