I have a personal forum running on a small dedicated server, I've purchased cpanel so I use it frequently, but I'm interested in securing SSH, I'm not a server administrator at all, I have a small management plan included with the server from where I purchased the server from... I've already changed the ssh port, but I'd like to disable Root, for example, also I'd like to allow only connections through private key, and only jailed-ssh through normal user/pass connections,
How can I do that? It's all a bit confused about that in cPanel .. I'm running Centos 5.5, so any suggestion is well received, thanks!..
Change Default SSH Port
In /etc/ssh/sshd_config, comment out "Port 22" and add a new entry
eg: Port 4412
One common security precaution that system admins use is to set ssh to listen on a non-standard port (e.g. port 9989, 9898, etc). It is common for hackers to attempt ssh daemon exploits that tend to be very specific to the version of openssh that is running. By having sshd listen to a different port, instead, then you are reducing the risk of a general port 22 scan and hack. Changing port is an additional layer of security. Although this is a kin to security by obscurity, it can let you completely avoid many script attacks.
Before disabling the direct root login create a user and add it in to
usermod -g wheel username
Comment out "PermitRootLogin yes" in /etc/ssh/sshd_config and add,
now you can ssh to server with this user and switch to root
The reason I asked if you have WHM is that you only stated "I've purchased cpanel so I use it frequently" - no mention about WHM. I didn't know if you have a reseller setup or not.
Apologies for any confusion.
At this stage don't worry to much about disabling root login(although I have and you might later on)
In WHM - Security Center - SSH Password Authorization Tweak;
Disable Password Auth
(now you can only ssh into your server with a key)
In WHM - Security Center - Manage rootís SSH Keys;
You need to setup your keys.
If you havn't got it, download winSCP(it's free) and putty and in WHM - Plugins use "ConfigServer Security&Firewall".
If you only allow key logins the chances of your server getting hacked is extremely small(better chance of winning the lotto 3 times in a row).
Then you can also setup your server to only allow YOU to login to port 2083, 2087, etc through a browser interface.(even if you have an ip at home that changes every time you use the net)
I remember trying to figure this one out in the begining.
If you need a step by step let me know.
I have a few questions regarding these security measures:
- Would the ssh authentication through keys also affect sub cpanel users with jailed ssh access? they would need to create ssh keys, right?.
- What is the difference of performing su / sudo instead of direct root access? in any case if the "hacker" attacks the su user, he will gain access to the machine..
And finally, are all these measures taken by webhost companies? I ask because of two things:
- Personally I'd like to know if these measures are common in the industry...
- I do host only one personal website, but as a web designer, I have a few sites hosted on the same server, and one user needs jssh access to manage his scripts, so anyway I'd like to know how to secure the environment..
1. Everyone will have to use keys to access the server.
2. It provides an extra layer of security because an attacker would have to compromise both the normal account's password as well as root's password.
3. These are very common but not widely used in shared servers that allow ssh access.
4. There are a lot of ways to chroot users, http://www.google.com/search?q=chroot%20shell%20users
Regarding 2. that's true!, I forgot that su requires root password, duh!
That's right. First an attacker would need to be able to log in as an unprivileged user, but this wouldn't immediately give the attacker root access. This can make a big difference.
With sudo that I had also mentioned, things are a bit different compared to su, as sudo asks for the invoking user's password, not for the root password. So sudo is best combined with SSH public key authentication, so that users need to supply a valid key for the initial login and their password when they want to escalate their privileges.
A nice thing about sudo, compared to su, is that it allows to delegate certain administrative tasks to certain users without the need to give them unrestricted root access. That's useful if certain users need to be able to execute just a few commands with root privileges.
█ CoderJosh | Web Application Developer and Linux Server Admin
█ Web & Mobile App Coding | Troubleshooting | Tuning | Hardening | SysAdmin Services