Secure your Linux VPS

Change the default SSH port

Many automated attacks target servers that run the SSH service on the default port 22. To avoid these attacks, it makes sense to use a five-digit port for SSH.

The instructions apply to most Linux distributions with their default configuration. Individual commands may differ, and additional packages may need to be installed.

Log in to your vServer and open the file /etc/ssh/sshd_config with any text editor:

$ vi /etc/ssh/sshd_config

In the file you will find the entry „Port“:

#Port 22 <-

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

Remove the hash to activate the entry and choose any five-digit port (below 65536 and not already in use):

Port 54321 <-

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

Save the file and restart the SSH service.

$ service sshd restart

Note that you must now always specify the port when connecting (ssh -p 54321 ...). Keep your current session open and test a new connection on the new port before closing it, and allow the new port in any firewall in front of the server.

Alternative authentication methods

Passwords are often easy to guess, and many attacks are simply dictionary attacks that try one password after another. It is best to always use the strongest possible passwords, or even better, public-key authentication.

In this example, we use RSA keys with a length of 4096 bits. By current standards this provides a sufficient level of security.

First of all, an RSA key pair must be generated on your own computer. With Linux, you can easily do this with the following command:

$ ssh-keygen -t rsa -b 4096

It makes sense to store both keys under ~/.ssh/, which is the location ssh-keygen offers by default.

On Windows you can also create a key pair, for example with the program PuTTYgen, which is usually installed together with PuTTY.

Next, the public part of the key pair, the „public key“, must be deposited for the appropriate user on the server. You can simply copy and paste it.

Get the content of the generated public key file and copy the output:

$ cat ~/.ssh/id_rsa.pub

The symbol „~“ (tilde) always stands for the current home directory. For the user „root“ this is /root/, for other users, e.g. „user“, by default /home/user/.

On Windows you type the tilde with Alt Gr & „+“, on Mac with Alt & „n“ (tried with a German keyboard layout, may differ on other layouts).

Paste the content into the file ~/.ssh/authorized_keys on your vServer. The directory ~/.ssh should have mode 700 and the file mode 600; otherwise sshd rejects the key while StrictModes is active.

The authentication method still has to be changed in the file /etc/ssh/sshd_config.

$ vi /etc/ssh/sshd_config

If necessary, the selected entries must be modified so that they correspond to the example. On current OpenSSH versions RSAAuthentication is a deprecated protocol-1 option and only produces a warning; the setting that matters is PubkeyAuthentication yes, which is also its default:

RSAAuthentication yes <-

#PubkeyAuthentication yes

AuthorizedKeysFile .ssh/authorized_keys <-

#AuthorizedKeysCommand none

#AuthorizedKeysCommandRunAs nobody

# To disable tunneled clear text passwords, change to no here!

#PermitEmptyPasswords no

PasswordAuthentication no <-

UsePAM no <-

Then the file is saved and the SSH service is restarted:

$ service sshd restart

When you connect via SSH, make sure the private key file is stored in your home directory under ~/.ssh/id_rsa. Programs like PuTTY also offer a way to deposit the private key.

Prevent root login and sudo

The worst scenario that could happen to you: an attacker gains access to your vServer as the root user. The root user has unlimited permissions under Linux and thus full control over the system. One way to prevent this is to forbid the root user from connecting to the server via ssh at all.

- Create a new user

In general, it is not recommended to work permanently as the user „root“ under Linux. Because of the unrestricted permissions, mistakes can have fatal consequences and cause a lot of trouble. It is always better to create a user with limited permissions. In this case we create the user „user“. Under Debian and Ubuntu this is quite simple with the command:

$ adduser user

For other distributions, you can, for example, use the following command:

$ useradd -s /bin/bash -m user

To switch to the user, use the following command:

$ su - user

If you have not yet created a password when creating the user, first set a password:

$ passwd user

- Install sudo

To run commands with the new user that only root is allowed to execute, you can use the program „sudo“. You can install it on all popular Linux distributions via the package manager, in Debian / Ubuntu as follows:

$ apt-get install sudo

You have to make the installation as „root“. If you have previously changed the user, use „exit“ to get back to „root“.

Now add the new user to the group „sudo“. Use the following command (the -a flag appends to the user's existing groups; without it, usermod -G replaces them all):

$ usermod -aG sudo user

The user can now run any command with root rights by prefixing it with „sudo“ and entering their own password. So switch to the new user and execute a command as „super-user“ as follows:

$ sudo echo "hello world"

Prevent root login

Now that you have created an alternative user to work with, you can ban the ssh login for root completely. Most dictionary/rainbow attacks target the user „root“ or other common system users. If you have already disabled password authentication for SSH, first deposit your public key for the new user as described under „Alternative authentication methods“, otherwise you lock yourself out once root login is denied.

To deny login via ssh for „root“, change the following entry in /etc/ssh/sshd_config:

# Authentication:

LoginGraceTime 120

PermitRootLogin no <-

StrictModes yes

Then restart the ssh service:

$ service sshd restart

If you still want to work as the root user after logging in via SSH, you can switch to root via sudo with „sudo -i“, or alternatively with „su - root“.
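The sshd_config edits from the three sections above (new port, key-only login, no root login) can be applied in one idempotent step. This is an added example script, not part of the original guide; it assumes POSIX sh/awk, treats the first matching line (active or commented out, e.g. "#Port 22") as the global setting, and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the sshd_config edits from
# the sections above (port, key-only login, no root login) in one step.
# Assumes POSIX sh/awk; the first matching line (active or commented out,
# e.g. "#Port 22") is treated as the global setting; Match blocks are ignored.
set -e

set_sshd_option() {
    # $1 = config file, $2 = option name, $3 = value
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        # "Key ..." or "#Key ...", case-insensitive, whole word only
        !done && tolower($0) ~ ("^#?[ \t]*" tolower(k) "([ \t]|$)") {
            print k " " v; done = 1; next
        }
        { print }
        END { if (!done) print k " " v }   # append if the option was absent
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

get_sshd_option() {
    # print the active (uncommented) value of option $2 in file $1
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

harden_sshd_config() {
    # $1 = path to sshd_config, $2 = new five-digit SSH port
    cp "$1" "$1.bak.$(date +%s)"           # keep a backup to roll back to
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
}

# Usage (as root): sh harden-sshd.sh /etc/ssh/sshd_config 54321
# The config is validated with "sshd -t" before the service is restarted:
# a broken sshd_config would otherwise lock you out of the server.
if [ $# -eq 2 ]; then
    harden_sshd_config "$1" "$2"
    if sshd -t -f "$1"; then
        service sshd restart
    else
        echo "sshd_config invalid, not restarting (backup kept)" >&2
        exit 1
    fi
fi
```

Keep your existing SSH session open while running it and verify a fresh login with the key on the new port before you log out.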

Detect and block suspicious activity

Often, attackers try to hijack a vServer by guessing the password. To detect and prevent these attempts, you can use, for example, the intrusion prevention system „fail2ban“. The program scans log files for conspicuous access attempts and blocks the corresponding IP addresses.

You can install fail2ban on all popular Linux distributions via the package manager. For Debian & Ubuntu, for example, with the following command:

$ apt-get install fail2ban

The package may already have been installed on your server. fail2ban needs a firewall to enforce its bans. In most cases iptables is already preinstalled on your Linux distribution; otherwise you can install it with the following command:

$ apt-get install iptables

You start fail2ban after installation with the command:

$ fail2ban-client start

Afterwards you can check the status of the jails. Usually the jail „ssh“ is already preconfigured and active (on newer fail2ban versions it is called „sshd“; fail2ban-client status without arguments lists the jails on your system). Check the status of „ssh“ with:

$ fail2ban-client status ssh

Here you see the failed login attempts via ssh and any banned IP addresses. You can customize the jails in jail.conf, e.g. the duration of the ban (bantime) and the number of failed login attempts until the ban (maxretry); put your changes in jail.local so that a package upgrade does not overwrite them.
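What fail2ban does with the ssh log can be checked by hand. The following added example (not part of the original guide or of fail2ban) counts failed password attempts per source address over constructed auth.log lines and writes a jail.local override with the settings mentioned above; it assumes POSIX sh/awk, the syslog line format shown, and the jail name "sshd" used by current fail2ban releases.

```shell
#!/bin/sh
# Added example, not from the original guide: the kind of check fail2ban does,
# run by hand over auth.log lines, plus a jail.local override for the ssh jail.
# Assumes POSIX sh/awk and sshd log lines in the syslog/auth.log format shown.
set -e

# Constructed sample log lines (TEST-NET addresses, not real hosts).
SAMPLE_AUTH_LOG='Mar  1 10:00:01 vps sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 vps sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  1 10:00:05 vps sshd[1240]: Accepted publickey for user from 198.51.100.7 port 40000 ssh2: RSA SHA256:EXAMPLE
Mar  1 10:00:07 vps sshd[1241]: Failed password for user from 198.51.100.7 port 40002 ssh2
Mar  1 10:00:09 vps sshd[1242]: Failed password for root from 203.0.113.5 port 51240 ssh2'

failed_ssh_logins() {
    # $1 = maxretry; reads log lines on stdin and prints "count ip" for every
    # source address with at least that many failed password attempts.
    awk -v maxretry="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print fails[ip], ip }
    ' | sort -rn
}

write_jail_local() {
    # $1 = destination, normally /etc/fail2ban/jail.local. Overrides placed
    # here survive package upgrades, unlike edits to jail.conf. The jail is
    # called "sshd" on current fail2ban releases (older ones used "ssh";
    # check "fail2ban-client status"). "port" must match the SSH port chosen
    # above, otherwise the ban rule only covers port 22. Times are in seconds.
    cat > "$1" <<'EOF'
[sshd]
enabled  = true
port     = 54321
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Usage: printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_logins 3
# (on a live server: failed_ssh_logins 3 < /var/log/auth.log)
```

After writing jail.local, reload with fail2ban-client reload and confirm the jail with fail2ban-client status.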

For more information, see the man page for fail2ban-client with the following command:

$ man fail2ban-client

or visit the page http://manpages.ubuntu.com/manpages/xenial/man1/fail2ban-client.1.html