If your servers are being scanned by automated scripts that try to break in by guessing passwords, you had better protect yourself. Here are some simple methods you can implement to help secure SSH. There is nothing unique about these suggestions; they can be found in any number of places, but you can never hear the information too often.
First of all, you want to tighten your sshd_config file. OpenSSH has done a good job of choosing safe defaults when problems are found, but it is always good to check anyway. sshd_config is usually found in /etc/ssh/. You will want to su to root and open this file with your favorite editor, be it emacs, vi, or whatever you prefer. Now scan the file for the PermitRootLogin directive.
If the line says PermitRootLogin no, you are already safe from direct root logins and can skip ahead to the next directive; otherwise change the yes to no. You should never log in as root in the first place. Always log in with an ordinary user account and use su (or sudo) for anything that needs root. Note that sshd uses the first uncommented value of each directive, so a commented-out #PermitRootLogin line does nothing, and on OpenSSH 7.0 and later an unset PermitRootLogin defaults to prohibit-password (root may log in with a key, but never with a password) rather than yes.
Now you want to look for the StrictModes and PermitEmptyPasswords directives. Near them you may also see a commented-out AllowUsers placeholder like the following, which is covered below:
# AllowUsers yourusrnames
Make sure StrictModes says yes and PermitEmptyPasswords says no. StrictModes causes sshd to check the file modes and ownership of a user's files (home directory, ~/.ssh and authorized_keys) before accepting a login, to avoid misuse of accidentally world-writable files created by your users; if the checks fail, sshd refuses to use that user's authorized_keys and key-based login fails. PermitEmptyPasswords specifies whether the server allows login to accounts with empty password strings. The defaults (yes and no respectively) should already be correct, but again, always check. Never take security for granted.
Some things you can add to your sshd_config file that might benefit your security are the following lines:
AllowUsers user1 user2
DenyUsers user3 user4
If you don't want to narrow it down to individual users, you can use AllowGroups and DenyGroups instead. Two caveats: sshd evaluates these in the fixed order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and as soon as an AllowUsers or AllowGroups line is present every account not listed is refused, so make sure your own account is on the list. After any change, run sshd -t to check the file for syntax errors, reload sshd, and confirm you can still log in from a second terminal before closing the session you edited from.
Change the Port Number
Most cracking attempts on your SSH server come from automated scripts that tirelessly scan the net for SSH daemons and attempt to break in. These scripts make one very large assumption, namely that your SSH server is listening on port 22/tcp, and that can be used to your advantage. If you switch the port that sshd listens on by changing the Port directive in sshd_config (for example, from Port 22 to Port 2995) and restarting sshd, or (better yet) keep sshd on 22 and use port forwarding on your router or firewall so that it appears to run on a different port to the outside world, you can dramatically decrease the number of automated attacks you see on a daily basis. Keep in mind that this is noise reduction, not protection: a targeted attacker will find the new port with a port scan in seconds, so the other measures here still matter. Also, if you move the port and your firewall only allows 22, open the new port before restarting sshd, and on SELinux systems such as RHEL tell SELinux about it first (semanage port -a -t ssh_port_t -p tcp 2995) or sshd will be denied the bind. After we made the switch away from port 22, the number of attacks we saw dropped to zero.
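As an added example (not part of the original article), here is a small POSIX shell audit that reads an sshd_config the way sshd does (the first uncommented value of each directive wins, and directives inside a Match block are conditional, so it stops there) and reports the settings discussed above plus whether the listening port is still 22. The two sample configs are constructed for the example; the expectation of PermitRootLogin no follows this article, and an unset value on OpenSSH 7.0 and later means prohibit-password.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# directives discussed above. Usage: sh audit_sshd.sh /etc/ssh/sshd_config
# With no argument it audits two constructed sample files.

# sshd_get FILE KEYWORD: print the value sshd would use for KEYWORD.
# sshd takes the FIRST uncommented occurrence (keywords are case-insensitive);
# anything after the first "Match" line only applies conditionally, so stop.
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }            # comment or blank line
        tolower($1) == "match"      { exit }            # conditional block: stop
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# sshd_audit FILE: print one line per finding; return 1 if any setting is weak.
sshd_audit() {
    f="$1"; bad=0
    for spec in PermitRootLogin=no StrictModes=yes PermitEmptyPasswords=no; do
        key=${spec%%=*}; want=${spec#*=}
        have=$(sshd_get "$f" "$key")
        if [ "$have" = "$want" ]; then
            echo "OK    $key $have"
        else
            echo "WEAK  $key ${have:-(unset)}: set it to $want"
            bad=1
        fi
    done
    if [ -z "$(sshd_get "$f" AllowUsers)$(sshd_get "$f" AllowGroups)" ]; then
        echo "NOTE  no AllowUsers/AllowGroups: every local account may try to log in"
    fi
    port=$(sshd_get "$f" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "NOTE  Port 22: the default port, expect automated scanning"
    else
        echo "OK    Port $port"
    fi
    return "$bad"
}

# Constructed sample configs for demonstration (not any real server's file).
write_weak_sample() {
    cat > "$1" <<'EOF'
# PermitRootLogin no        <- commented out, so it does nothing
Port 22
PermitRootLogin yes
StrictModes yes
PermitEmptyPasswords yes
EOF
}

write_hardened_sample() {
    cat > "$1" <<'EOF'
Port 2995
PermitRootLogin no
StrictModes yes
PermitEmptyPasswords no
AllowUsers user1 user2
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF
}

if [ $# -ge 1 ]; then
    sshd_audit "$1"
else
    tmp=$(mktemp); write_weak_sample "$tmp"
    echo "== weak sample =="; sshd_audit "$tmp" || echo "-> weak settings found"
    write_hardened_sample "$tmp"
    echo "== hardened sample =="; sshd_audit "$tmp" && echo "-> nothing to fix"
    rm -f "$tmp"
fi
```

The audit reports only global values; anything a Match block grants (for instance root login from one subnet) has to be reviewed by hand, and on a live server run sshd -T as root to see the fully resolved configuration, defaults included.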
The other method for securing your sshd server is to use the hosts.allow and hosts.deny files in your /etc directory (TCP wrappers). You can allow or deny a specific IP address, an entire range of addresses, and so on. Again, using your favorite editor, open each of the files and add an entry for the sshd daemon naming the clients it applies to; the exact syntax is described in the hosts_access(5) manual page. One important caveat: this only works if your sshd was built with libwrap support. Upstream OpenSSH removed TCP wrappers support in version 6.7, and many current distributions ship sshd without it, in which case entries in hosts.allow and hosts.deny are silently ignored by sshd. Check with ldd "$(command -v sshd)" | grep libwrap; if nothing is printed, rely on the firewall method below instead.
The final method is using the iptables firewall to block incoming SSH traffic from unwanted locations and allow it from the places you want. You will want to su to root and issue the commands from the example, replacing the address with the one you want to allow. Two things to get right: the ACCEPT rule must come before the DROP rule (iptables stops at the first matching rule), and there must be a rule earlier in the INPUT chain that accepts ESTABLISHED,RELATED packets (most distribution default rule sets have one); without it, only the first SYN of your own connection matches the NEW rule and every later packet of the session falls through to the DROP. Do this from a console, or with a second session already open, so a mistake cannot lock you out.
# Allow new connections from the trusted address 18.104.22.168 to SSH (port 22)
iptables -A INPUT -p tcp -m state --state NEW --source 18.104.22.168 --dport 22 -j ACCEPT
# Deny all other SSH connections
iptables -A INPUT -p tcp --dport 22 -j DROP
Remember that iptables rules live only in kernel memory and are lost at reboot, so save them once they work:
Red Hat example (with the iptables service installed): /sbin/service iptables save
Debian example (with the iptables-persistent package installed): iptables-save > /etc/iptables/rules.v4
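As an added example (not from the original article), the following POSIX shell function generates the complete rule set for the firewall method above for any port and any number of trusted sources. It validates the port and each address or CIDR range first, puts the ESTABLISHED,RELATED rule in front and the DROP at the end so the ordering problem described above cannot happen, builds the rules in a dedicated chain and only then hooks that chain in at the top of INPUT, ahead of any catch-all rule a distribution may already have there. The port and addresses in the usage are constructed sample values; -m conntrack --ctstate is the current spelling of -m state --state used in the article.

```shell
#!/bin/sh
# Added example, not from the original article: generate iptables commands for
# an SSH allow-list. Apply as root with:  ssh_rules 2995 203.0.113.10 | sh
# (from a console or with a second session open), then persist the rules.

# valid_port PORT: 1..65535, digits only.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_cidr ADDR: IPv4 dotted quad with an optional /0-32 prefix length.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5                           { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)     { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    '
}

# ssh_rules PORT SOURCE...: print the iptables commands. Returns 1 and prints
# nothing if the port or any source is malformed, or if no source is given
# (that would generate a chain that drops every SSH connection).
ssh_rules() {
    port="$1"; shift
    valid_port "$port" || return 1
    [ $# -ge 1 ] || return 1
    for src in "$@"; do valid_cidr "$src" || return 1; done
    echo "# -N fails harmlessly if SSH_IN already exists; flush it first with: iptables -F SSH_IN"
    echo "iptables -N SSH_IN"
    echo "# packets of connections already accepted below must pass first, or the"
    echo "# trusted host's own session would hit the final DROP after its first SYN"
    echo "iptables -A SSH_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A SSH_IN -m conntrack --ctstate NEW -s $src -j ACCEPT"
    done
    echo "iptables -A SSH_IN -j DROP"
    echo "# hook the finished chain in at the top of INPUT, ahead of any catch-all rule"
    echo "iptables -I INPUT 1 -p tcp --dport $port -j SSH_IN"
}

# Demonstration with constructed sample values (documentation-range addresses).
ssh_rules 2995 203.0.113.10 198.51.100.0/24
```

Inserting the jump last means no SSH packet is ever evaluated against a half-built chain, and because the jump is inserted at position 1 the allow-list takes effect regardless of what the rest of INPUT already contains.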
If you have used any combination of these steps, or gone further, you can rest a little easier at night knowing you are that much safer. Well, no, you are never 100% safe, but the more you secure your system, the fewer people there are with enough knowledge to do damage. Please check our server security plans to see how our experts can safeguard your servers against malware and viruses.