Securing SSH on your server

I have been setting up a number of CentOS servers over the last few months, and something that I've needed to do over and over again is secure SSH. It is actually quite simple to do, and by following the steps below you'll make sure that your server is a lot more secure than it is with the default configuration.

The first step is to disable root login. The root username is predictable, and provides complete access and control over your system. To lock it down, edit the /etc/ssh/sshd_config file, and set PermitRootLogin as follows:

PermitRootLogin no

The next thing that I like to do is change the port number that SSH listens on. To do this, edit the /etc/ssh/sshd_config file as follows:

Port 21000

The port number that you choose is of course up to you; I have just used 21000 as an example here.

The last, and most complex, step in securing SSH is to generate keys, and then disable password authentication. Most people, myself included unfortunately, use a Windows desktop, so the steps below are for this type of setup.

  1. If you haven't already done so, create a user on the server that you will be using in the future.
  2. Log in as that user. I have used a user called admin.
  3. Run ssh-keygen on the server. The output will look as follows:

     augusta ~/.ssh: ssh-keygen
     Generating public/private rsa key pair.
     Enter file in which to save the key (/home/admin/.ssh/id_rsa):
     Enter passphrase (empty for no passphrase):
     Enter same passphrase again:
     Your identification has been saved in /home/admin/.ssh/id_rsa.
     Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
     The key fingerprint is:
     90:92:2e:7b:14:86:66:qa:b9:6f:a4:9f:0e:g2:06:11 admin@augusta

     Accept the default locations that it suggests, and select a strong passphrase.
  4. It has now created two files: id_rsa, the private key, and id_rsa.pub, the public key. The public key needs to be added to the authorized_keys file. If that file doesn't already exist in ~/.ssh then create it with touch authorized_keys. Then execute cat id_rsa.pub >> authorized_keys.
  5. The last, and very important, step on the server is to change the permissions on that file with chmod 600 authorized_keys.
  6. Now you need to copy the private key to your Windows desktop to create the PuTTY key. SCP is the best way to do this, so you can run pscp -P 21000 sysadmin@augusta:/home/admin/.ssh/id_rsa C:\
  7. Open PUTTYGEN.EXE
  8. Select File->Load Private Key
  9. Browse for id_rsa and select it
  10. When it prompts you, enter the passphrase.
  11. You can change the comment on the key. A good idea is to use your email address.
  12. Now press Save private key, and save it to your hard drive.

That's it. Now, in your PuTTY connection, be sure to use the port number you chose earlier, and in the SSH->Auth section select the key you just created. Under the Connection->Data section I also like to enter the Auto-login username, which saves a bit of time when connecting.

The last step on the server is to disable password authentication, ONCE YOU HAVE TESTED THAT YOUR KEYS WORK. Again edit /etc/ssh/sshd_config as follows:

PasswordAuthentication no

Now restart SSH with sudo /etc/init.d/sshd restart and you are all done!
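As an added example (not part of the original post), here is a small shell audit that checks an sshd_config for the three settings above the way sshd reads the file: comments are ignored, keywords are case-insensitive, and when a keyword appears more than once the first occurrence wins, so a stray "PasswordAuthentication yes" higher up silently undoes your change. The sample config is constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Constructed sample sshd_config (not from a real server). Note the two
# PasswordAuthentication lines: sshd honours the FIRST one, so this file
# still allows passwords even though "no" appears further down.
SAMPLE_CONF='# sshd_config (constructed sample)
Port 21000
#PermitRootLogin yes
permitrootlogin no
PasswordAuthentication yes
PasswordAuthentication no
'

# sshd_effective FILE KEYWORD
# Prints the value sshd would use for KEYWORD in the global section of FILE:
# comments are stripped, keyword matching is case-insensitive, the first
# occurrence wins, and parsing stops at the first Match block. Prints "unset"
# when the keyword never appears (sshd then uses its built-in default).
# Assumes the "Keyword value" form, not "Keyword=value".
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                  # drop comments
        NF >= 1 && tolower($1) == "match" { exit }          # global section ends here
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# sshd_audit FILE
# Returns 0 when the three settings from the post are in place (root login off,
# password authentication off, port moved away from 22); otherwise prints each
# finding and returns 1.
sshd_audit() {
    conf=$1; rc=0
    v=$(sshd_effective "$conf" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '$v' (want: no)"; rc=1; }
    v=$(sshd_effective "$conf" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '$v' (want: no)"; rc=1; }
    v=$(sshd_effective "$conf" Port)
    case $v in
        unset|22) echo "Port is '$v' (still the default 22)"; rc=1 ;;
    esac
    return "$rc"
}

# Run the audit on the constructed sample; on a real host, pass /etc/ssh/sshd_config.
tmp=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$tmp"
if sshd_audit "$tmp"; then echo "sshd_config: hardened"; else echo "sshd_config: needs attention"; fi
rm -f "$tmp"
```

Run it before the sshd restart, and pair it with sshd -t so a typo in the file cannot lock you out.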