Securing SSH [Very Basic Security] 07-28-2014, 01:06 PM
(Apologies to @Oni for using him as an example)
In honor of 2 Years of Sinisterly, I'm creating a tutorial thread on securing one of the most commonly used services on your server: SSH. SSH (Secure SHell) is a protocol used mainly for remote login to Linux-type servers. If you have a Linux-type OS running on a server, it almost always will have SSH installed. Because SSH is so common, and because it is used for remote logins, it is very important to secure.
Most SSH attacks are carried out by bots scanning IP address space for SSH servers. Once a server is found, they attempt simple brute force attacks using commonly used usernames and passwords. Articles about these attacks can be found here and here. This tutorial will explain how to:
- disable root login
- move SSH to a non-standard port
Ok let's get started. For this tutorial, I'm running everything on a Digital Ocean VPS running Ubuntu 14.04. Commands for most other linux distributions should be similar, if not the same. If these commands don't work on your box, let me know in the comments.
First, you'll need to create the account you want to use
Code:
adduser Oni   # Add the user you wish to add
# Fill in the rest of the info. The only thing that really matters is the password
Oh, and I hope I don't have to mention that this password should be VERY complex?
![[Image: 0KLtzfJ.png]](https://i.imgur.com/0KLtzfJ.png)
Then, you'll need to edit the /etc/ssh/sshd_config file
![[Image: ga2qhhW.png]](http://i.imgur.com/ga2qhhW.png)
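Then restart the ssh server with
Code:
/etc/init.d/ssh restart
This will log you out of the server. You can then log back in with your other account, and use the su command to attain root privileges. Now you (or an attacker) cannot access the server using the "root" account. Also, be sure to use an account name that is a bit harder to guess, and not "admin" or something like that.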
Now to move the port. Moving the port not only protects you from automated attacks, but also from targeted attacks, as the attacker cannot find the ssh port. I would suggest moving to a port higher than 1024, as most port scanners scan up to that port.
Again, this is a simple change: edit the "/etc/ssh/sshd_config" file, and change the port number. Then restart ssh with "/etc/init.d/ssh restart". And that's it. Be sure to remember what port you moved it to.
![[Image: NxgRaP4.png]](https://i.imgur.com/NxgRaP4.png)
And that's it. By doing these two simple fixes, you've protected yourself from 99% of SSH attacks. If you want to go further, you can look into using ssh keys instead of passwords.
{Edit: I've expanded this guide to include using ssh keys}
SSH keys are a much better way to authenticate than passwords (I'm not going to go into pros and cons here). Suffice it to say that keys make it "impossible" to brute force a login. That being said, you'll still need to keep your keys secure.
Start by generating an ssh key with
Code:
ssh-keygen -t dsa
![[Image: 6tpRx7w.png]](http://i.imgur.com/6tpRx7w.png)
Then append the contents of the public key to the ssh authorized keys file
Code:
cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
You can then test to make sure that the key works by connecting to localhost:
Code:
ssh localhost -i .ssh/id_dsa
(If you've moved the SSH port, you'll need to specify the port with -p)
Now that nearly everything is set up server-side, you'll need to be able to connect to the server with the new settings. You'll need to copy the id_dsa file to your computer. For this purpose I used sftp, but you can use any other method.
Now you need to convert the key to a form that PuTTY can use. Download PuTTYgen. Then import the key, then save it as a private key.
![[Image: jHPH1GT.png]](http://i.imgur.com/jHPH1GT.png)
Then set PuTTY to use the key in the "auth" tab.
If the login works, you can go ahead and set up sshd to only use keys. Edit /etc/ssh/sshd_config and make sure the following lines match:
Code:
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Then restart the ssh daemon with
Code:
/etc/init.d/ssh restart
Pay respects to the malformed SYN packet.
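The keys-only step asks you to make sure certain lines match, but sshd uses the first value it reads for most keywords, so an earlier conflicting line silently wins. The script below is an added example, not part of the original post, that audits a config file for the settings this tutorial applies. The function names and the sample config are constructed for illustration, and it assumes whitespace-separated "Keyword value" lines and ignores Match blocks.

```shell
#!/bin/sh
# Print every value given for keyword $2 in the global section of file $1
# (lowercased, one per line). Parsing stops at the first Match block.
values_of() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$1"
}

# sshd uses the FIRST value it reads for most keywords, so a later
# "PasswordAuthentication no" does not override an earlier "yes".
first_of() { values_of "$1" "$2" | head -n 1; }

# Print one line per check; return 0 only if every check passes.
audit_sshd_config() {
    cfg=$1 rc=0
    for want in permitrootlogin=no pubkeyauthentication=yes \
                passwordauthentication=no challengeresponseauthentication=no; do
        key=${want%%=*}
        got=$(first_of "$cfg" "$key")
        if [ "$got" = "${want#*=}" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want '${want#*=}'"; rc=1
        fi
    done
    # Port may be given several times; sshd listens on every one listed.
    ports=$(values_of "$cfg" port)
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "FAIL Port is unset or still includes 22"; rc=1
    else
        echo "ok   port" $ports
    fi
    return $rc
}

# Constructed sample: the keys-only lines are present, but an earlier "yes" wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
audit_sshd_config "$sample" || echo "fix the config before restarting ssh"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config and follow with "sshd -t", which checks the file for syntax errors, before restarting the daemon, while keeping your current session open.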