Linux servers are usually maintained and managed by admins remotely. This remote communication naturally comes with some vulnerabilities as the traffic occurs over unsecured public networks. Luckily, this can be addressed by using the SSH, or Secure Shell, protocol, a method for secure, encrypted communication and file transfer over unsecured networks. SSH has become native across most systems, including most recent Windows versions, but it has been a mainstay of Linux computers and servers for a long time now.
Having said that, there are still a few things which admins can do to tweak their servers and make them more secure. In this tutorial we’re going to take a look at a few options, their effects and how to implement them. This is by no means an exhaustive list of all security measures that may be taken, nor does it elaborate on third-party applications which can help beef up server security. It is, however, an excellent place to start if security is a concern for you and you’d like to sleep just a little bit easier.
Public-private key authentication
Using passwords for SSH authentication is potentially insecure by itself. Access may be gained via a brute force attack in which password attempts are repeated by a script until the correct password is generated. If a user has a weak password then the server may be vulnerable. An effective solution is to supplement password usage with public-private key authentication.
- Generate SSH keys
  - To generate keys, run the commands:
    cd ~/.ssh
    ssh-keygen -t rsa
    Note: If there is no .ssh folder on your computer then you may have to create one.
  - Press Enter at each question prompt.
  - Two files will be produced.
    - The public key file: id_rsa.pub
    - The private key file: id_rsa
- Create SSH folder on Server (if not already present)
  - Log into the remote server and review the directory tree for a ~/.ssh folder.
  - If it is not present, create it with the following command:
    mkdir -p ~/.ssh/
- Store the Public Key file on your server
  - Enter the following command in your local Terminal to copy your newly generated public key file to your server:
    scp ~/.ssh/id_rsa.pub [username]@[server-ip-address]:~/.ssh
  - You will be prompted for your password.
  - Type your password and hit Enter.
- Update Your Public Key file
  - You will need to change the filename and permissions of the public key file. You can do this by entering the following in the remote SSH session:
    cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
    rm ~/.ssh/id_rsa.pub
  - The contents of id_rsa.pub should now be stored in authorized_keys, and the file and its containing folder, ~/.ssh, should now be accessible only by your own user account.
- Test your login
  - Log out of the SSH session
  - Initiate a new SSH session
- Disable Password Authentication
  - Locate the sshd_config file (usually found in the ssh folder)
  - Open the file for editing and add the following lines:
    #Disable password authentication forcing use of keys
    PasswordAuthentication no
  - If these lines are already present then you may only need to remove the “#” before the second line and/or change yes to no.
  - Save and close the file.
  - Log out of SSH session.
  - Log back in to SSH session.
If you have achieved access to the remote server without requiring a password then you have successfully implemented this solution.
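The key-installation steps above can be made repeatable. The following is an added example, not part of the original tutorial: a hypothetical helper, install_pubkey, that refuses a private key file, applies the 700/600 permissions and appends the key only once. The sample key is a constructed placeholder.

```sh
#!/bin/sh
# Added example: install a public key into authorized_keys on the server.
# install_pubkey and perms are hypothetical helper names.

# install_pubkey KEYFILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    key=$1
    dir=${2:-$HOME/.ssh}
    # Refuse a private key uploaded by mistake (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$key"; then
        echo "refusing: $key is a private key" >&2
        return 2
    fi
    line=$(head -n 1 "$key")
    case "$line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: $key is not an OpenSSH public key" >&2; return 2 ;;
    esac
    # sshd's StrictModes (on by default) ignores keys kept in a directory or
    # file that other users can write to, hence 700 and 600.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys" || return 1
    # Append only when this exact line is absent, so re-runs add no duplicates.
    grep -qxF -- "$line" "$dir/authorized_keys" ||
        printf '%s\n' "$line" >> "$dir/authorized_keys"
}

# perms PATH: mode string as shown by ls, e.g. drwx------
perms() { ls -ld "$1" | cut -c1-10; }

# Constructed demo in a scratch directory; the key is a placeholder, not a real key.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER admin@laptop' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/.ssh"
install_pubkey "$demo/id_rsa.pub" "$demo/.ssh"    # second run changes nothing
echo "keys: $(wc -l < "$demo/.ssh/authorized_keys") dir: $(perms "$demo/.ssh")"
```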
Reconfigure idle timeout interval
An unattended SSH session is a potential security risk. It’s best to keep the time a session can sit idle as short as reasonably possible by reducing the timeout interval.
- Log into your server
- Locate and open sshd_config file
- Add the following lines:
ClientAliveInterval 300
ClientAliveCountMax 0
- This will implement an idle timeout interval of 5 minutes (300 seconds). If the session is left idle for 5 minutes the user will be automatically logged out.
- Save and close the file.
- Log out of SSH session.
- Log back into session and leave idle to test.
The setting was successfully implemented if you are logged out after 5 minutes of non-usage.
Disable empty passwords
Empty or null passwords are a hacker’s delight as all they require are the usernames. It is best to configure your server to disallow such passwords.
- Log into your server
- Locate and open sshd_config file
- Add the following line:
PermitEmptyPasswords no
- Save and Close the file.
- Attempt to change your password to an empty password.
If you are prevented from doing so then this security measure has been successfully implemented.
Limit Users with SSH access
Not every user needs to access the server via SSH. In fact, the list of users who should have that kind of access is very small. Do yourself a favour and limit it to only those who need that kind of access.
- Log into your server
- Locate and open sshd_config file
- Add the following line:
AllowUsers [user1] [user2]
- Include the usernames of the users and separate them with a single space
- Restart the SSHD service by typing in the following command:
service sshd restart
- Log out of the SSH session.
- Attempt to log in with another user account which you have access to BUT is not included on the AllowUsers list.
If you are unable to log in then you have successfully implemented this security measure.
Only use the SSH 2 protocol
There are two versions of the SSH protocol: 1 and 2. SSH 2 is far more robust and secure AND it is backward compatible with SSH. That being the case, there is really no need to allow for the use of its less secure older sibling protocol.
- Log into your server
- Locate and open sshd_config file
- Add the following line:
Protocol 2
- This line may already be present. You may simply have to remove the “#” and the “1”.
- Restart the SSHD service by typing in the following command:
service sshd restart
Use a different (non-default) port
The default SSH port, port 22, is regularly scanned for open SSH servers. That being the case, it would be well advised to change the SSH port which your server communicates on to another port.
- Log into your server
- Locate and open sshd_config file
- Add the following lines:
#Run SSH on a non-standard port
#Change me
Port 2099
- It is advised that you avoid ports such as 222 or 2222 as these ports are regularly scanned by hackers as well as the default port.
- Restart the SSHD service by typing in the following command:
service sshd restart
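An added example, not part of the original tutorial, that audits an sshd_config file for the PasswordAuthentication, PermitEmptyPasswords, AllowUsers, Port and ClientAliveCountMax settings from the sections above. It relies on sshd using the first value it reads for each keyword; the function names and the sample file are constructed, and the defaults are those of upstream OpenSSH.

```sh
#!/bin/sh
# Added example: audit sshd_config for the settings in this tutorial.
# sshd keeps the FIRST value it reads for a keyword, so an appended line is
# ignored when the same keyword already appears earlier in the file.

# effective_value FILE KEYWORD: first global value (before any Match block).
# Assumption: Include directives are not followed.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                  # whole-line comments
        tolower($1) == "match" { exit }      # conditional blocks start here
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t]*#.*/, ""); print; exit
        }' "$1"
}

# expect FILE KEYWORD WANT DEFAULT (DEFAULT = upstream OpenSSH built-in value)
expect() {
    got=$(effective_value "$1" "$2" | tr '[:upper:]' '[:lower:]')
    got=${got:-$4}
    if [ "$got" = "$3" ]; then echo "ok    $2 $got"
    else echo "FAIL  $2 is '$got', want '$3'"; return 1; fi
}

audit_sshd_config() {
    rc=0
    expect "$1" PasswordAuthentication no yes || rc=1
    expect "$1" PermitEmptyPasswords no no || rc=1
    users=$(effective_value "$1" AllowUsers)
    if [ -n "$users" ]; then echo "ok    AllowUsers $users"
    else echo "FAIL  AllowUsers is not set"; rc=1; fi
    port=$(effective_value "$1" Port)
    case "${port:-22}" in
        22|222|2222) echo "FAIL  Port ${port:-22} is routinely scanned"; rc=1 ;;
        *) echo "ok    Port $port" ;;
    esac
    # OpenSSH 8.2 and later treat a count of 0 as "never disconnect".
    [ "$(effective_value "$1" ClientAliveCountMax)" != 0 ] ||
        echo "WARN  ClientAliveCountMax 0 disables termination on OpenSSH 8.2+"
    return $rc
}

# Constructed sample: the appended "no" follows a stock "yes" and is ignored.
sample=$(mktemp)
printf '%s\n' 'Port 2099' 'PasswordAuthentication yes' 'AllowUsers alice bob' \
    'ClientAliveCountMax 0' '# Disable password authentication' \
    'PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "sshd_config needs attention"
```

Running sshd -t before restarting the service checks the edited file for syntax errors.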