Monday, June 16, 2008

How to further Secure your Server for SSH

server1.hq.org
is the name of your server, which is reachable over SSH on the public Internet from your local machine.
Although SSH is in itself a secure protocol, since it encrypts user names and passwords, you can further protect your server from brute force attacks. The steps below also ensure that even if a hacker decrypts the user name and password of your connection, he will still not be able to take over your machine with admin privileges.

Since port scanning is so easy to do, I do not recommend bothering to change your default SSH port to another port; it will take a hacker all of 1 millisecond to find out what port you have changed to.

Create a private / public key pair on the computer that you want to connect from.
To do this, type
ssh-keygen
You will get the following response:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Hit enter to have your keys saved in the /root/.ssh/ directory. (This directory is under the home directory of the user you were when you ran the ssh-keygen command; in my case I was the root user.)
Next you will be asked if you want to create a passphrase for the key:
Enter passphrase (empty for no passphrase):
Here you can enter a password. Remember that this password is for the key: should your local computer be compromised and someone steal your private key, they will still need to know what the password is.
Or you can leave the password out. Leaving it out is useful if you are using this technique to automate an SSH connection for file transfer from a cron job (I'll explain how to do that in another posting).
Once the key is created, you need to transfer the public key to server1.hq.org, which after all is the server you want to secure. To do that, enter the following:
ssh-copy-id -i /root/.ssh/id_rsa.pub username@server1.hq.org
where /root/.ssh/ is the folder your keys were saved to.
The ssh-copy-id command will transfer the public key to your server and save it into the correct folder.
You could manually use scp to copy the key across, but ssh-copy-id does it all for you and puts the key where it should be.

Now you will be able to connect to your server without entering the account password. Once connected to your server, you need to edit your /etc/ssh/sshd_config file. Use your favourite editor to edit this file and add the line
PermitRootLogin no
Save your file, and then reload the sshd service by typing
/etc/init.d/sshd reload
This will load in the new settings. From now on you have to connect to your server over SSH using a standard user account; once you are on the server you can sudo to the root user to perform admin tasks. The reason we do this is that if a hacker decrypts the secure SSH password, he will still only have access to a non-privileged user account, which is better than if they were to compromise your server with your admin password.
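
A check worth running after the edit above, as an added example that is not part of the original post: sshd uses the first value it reads for a keyword, so a PermitRootLogin no line added below an existing PermitRootLogin yes has no effect. The function names and the sample file are constructed for illustration, and the parser assumes plain whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example (not from the original post). sshd uses the FIRST value it
# reads for a keyword, so "PermitRootLogin no" appended below an existing
# "PermitRootLogin yes" changes nothing.

# Print the global PermitRootLogin value from the file in $1, or "unset".
# Assumes whitespace-separated "Keyword value" lines; Include files are not followed.
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when root login is explicitly disabled.
check_root_login() {
    value=$(effective_root_login "$1")
    if [ "$value" = "no" ]; then
        echo "OK: root login over SSH is disabled"
    else
        echo "WARN: effective PermitRootLogin is '$value'"
        return 1
    fi
}

# Constructed sample: the new line was added at the end of a file that
# already enabled root login near the top.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
check_root_login "$sample" || echo "Edit the existing line instead of appending."
rm -f "$sample"
```

On the server itself, sshd -t validates the file before you reload, and sshd -T prints the configuration sshd actually resolves.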
