Making Linux Servers More Secure
People often create a Virtual Private Server (VPS) or Dedicated Server that is reachable from the web without setting up its security properly. At BitNinja, I do see attacks on the default SSH port 22 very often. Using public key authentication is a good way to make an attacker's life hard: while BitNinja can prevent brute-force attacks out of the box, public key authentication adds another layer of security, and you don't have to worry about forgetting your password.
It's good practice to change a couple of settings as soon as you purchase your server, and the steps are handy for any Linux user.
Today we will learn how to set up public key authentication, disable root user access and use a different port for the SSH server. Connect to your server as usual with the root user and your password.
Creating your new user with sudo access
root@localhost:/# adduser john
Enter a desired password (you will still need it when executing commands that require sudo privileges).
Add it to the sudoers
root@localhost:/# usermod -aG sudo john
Let’s open the SSH configuration file.
root@localhost:/# nano /etc/ssh/sshd_config
Changing Port
Change the line # Port 22 to something else you prefer
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
Port 2922
Make sure to open the new port in your firewall, otherwise, you will be unable to access your server (unless you have console access).
Disabling Root Login
Uncomment the line # PermitRootLogin yes and change its value to no
# Authentication
# LoginGraceTime 2m
PermitRootLogin no
# StrictModes yes
Enabling Public Key Authentication
Uncomment the line # PubkeyAuthentication yes and uncomment the AuthorizedKeysFile line, so that the section reads:
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in the future
AuthorizedKeysFile .ssh/authorized_keys
Disabling Password Authentication
Uncomment the line # PasswordAuthentication yes and change it to no, and uncomment the line # PermitEmptyPasswords no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
Save it with Ctrl + S and exit with Ctrl + X
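Before restarting sshd it is worth verifying that the file really contains the four changes above, since a missed line (for example a setting left commented out) silently keeps the distribution default. The script below is an added example, not part of the original article or of BitNinja: it reads a sshd_config file, takes the first active occurrence of each keyword (falling back to OpenSSH's built-in defaults for commented-out lines) and reports everything that differs from the settings this article makes. The two embedded configuration fragments are constructed samples, not copied from a real host.

```shell
# Constructed samples (not from a real host): the distribution default, where every
# option is still commented out so sshd's built-in defaults apply, and this article's.
WEAK_CFG='# Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
#PermitEmptyPasswords no'
HARD_CFG='Include /etc/ssh/sshd_config.d/*.conf
Port 2922
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no'

# effective_value FILE KEYWORD DEFAULT: print the active value of KEYWORD, or DEFAULT
# when it is still commented out. sshd honours the first occurrence and matches keywords
# case-insensitively. Assumes "Keyword value" lines, no Match blocks, Include not followed.
effective_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE: report every setting that differs from what the article sets;
# the return value is the number of findings (0 = file matches). Each rule below is
# "keyword, built-in default (OpenSSH 7.0 and later), value the article expects".
audit_sshd_config() {
    f=$1; findings=0
    for rule in 'PermitRootLogin prohibit-password no' 'PubkeyAuthentication yes yes' \
                'PasswordAuthentication yes no' 'PermitEmptyPasswords no no'; do
        set -- $rule
        actual=$(effective_value "$f" "$1" "$2")
        if [ "$actual" != "$3" ]; then
            echo "FINDING: $1 is '$actual', expected '$3'"
            findings=$((findings + 1))
        fi
    done
    if [ "$(effective_value "$f" Port 22)" = "22" ]; then
        echo "FINDING: Port is still 22, the port the brute-force attempts target"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on the constructed samples (temporary files, removed afterwards).
tmp=$(mktemp -d)
printf '%s\n' "$WEAK_CFG" > "$tmp/default.conf"; printf '%s\n' "$HARD_CFG" > "$tmp/hardened.conf"
for c in default hardened; do echo "== $c.conf =="; if audit_sshd_config "$tmp/$c.conf"; then echo "OK: matches the article"; fi; done
rm -rf "$tmp"
```

On a real host, run it against /etc/ssh/sshd_config, and remember that `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the configuration sshd will actually use (after Include processing) before you restart the service.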
Now let’s change our user to the previously created sudo user.
root@localhost:/# su john
john@localhost:/$
Now we can create the key pair for the new, fancier authentication method. You may also protect the private key with a passphrase for extra security; if you don't want one, simply press Enter until it's done.
john@localhost:/$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
Created directory '/home/john/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/john/.ssh/id_rsa
Your public key has been saved in /home/john/.ssh/id_rsa.pub
The key fingerprint is:
....
The key's randomart image is:
....
Copy the public key from /home/john/.ssh/id_rsa.pub to your computer (the one you will be accessing the server from), preferably into a file with the same name, id_rsa.pub. Keep in mind that the private half of the pair, /home/john/.ssh/id_rsa, is what the SSH client presents when it authenticates, so it must never be shared and should be readable only by you.
Additionally, don't forget to add the public key to the authorized_keys file
john@localhost:/$ cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
john@localhost:/$
Since we are already admins/sudo users, you can use the sudo prefix to execute commands that require more privileges.
With this in mind, let's restart the OpenSSH server.
Debian/Ubuntu
john@localhost:/$ sudo service sshd restart
CentOS/RHEL
john@localhost:/$ sudo systemctl restart sshd.service
That's it, the next time we will learn how to connect to a server with public key authentication only.