Tutorial

Securing SSH login on your VPS/ Dedicated Server.

 

Malicious hackers are keen to gain access to your server. Powerful dedicated/ virtual servers, which are always on, form an important part of the hackers botnet arsenal. These botnets are used by the hackers for tasks ranging from bitcoin mining to the more malicious sending of Spam and engaging in Distributed Denial of Service attacks. Fortunately it isn’t all that difficult to prevent the bot scanners from gaining access to your server. Protecting my new hobbie project’s dedicated server took me less than 5 minutes.

What we are going to do is: create a sudo user, disable root login, and change the servers SSH port. This guide is intended for an Ubuntu/ Debian system, although commands can easily be found for CentOS and the like.

Small tip: You can paste anything into putty using the “right click” on your mouse.

    1. Login to SSH, using a program such as Putty, with your root login details.
    2. Create a new user (e.g. replace “username” with admin57 without quotes) with the command:                     #  sudo adduser “username”                                                                                                                                       You will be prompted for a password. Ensure that it is secure and that you take note of it.
    3. Give this user sudo permissions: # sudo adduser “username” sudo
    4. Using an editor (vi or nano) open up /etc/ssh/sshd_config e.g. with the command:                                        # nano /etc/ssh/sshd_config
    5. Near the top of the file, you should see Port 22 listed. Use the arrow keys to get to the text and change 22 to a random port number e.g. 7654. Note this down.
    6. Find (Ctrl W if you are using Nano) “PermitRootLogin Yes” and change it to “PermitRootLogin no”.
    7. Save and exit the editor (Ctrl X if you are using nano).
    8. Run the command: #service ssh restart

To gain access to your server, login to SSH as the new user (remember you also changed the port!). Then type “su” without quotes and press enter. Then enter your root password and you will gain root access.

My apologies for the formatting. :p I was attempting to create new lines in a list which Wordpress didn't seem to like.
S
  • S
    spork985
  • March 2, 2015
It's very important to note that if you're going to change the port, you also need to add a relevant rule to iptables. CentOS/RHEL (and I'm sure many others) are shipped with iptables on by default and will only accommodate SSH on port 22. If you don't allow the port in iptables, or shut it off completely, you'll lock yourself out after restarting sshd.
Great Article Sam! Thanks.
K
While moving the port and disabling root login is a good step, there are more ways to lock it down..

1. Don’t allow password login, just use keys
2. Limit access to your ssh port for just your IP(s) (iptables)
3. Use software like CSF/LFD to secure the server further and block possible intruders
K

This site uses Akismet to reduce spam. Learn how your comment data is processed.