How to secure SSH


SSH provides remote access to the command line interface of your server. Via this interface you have full control over your server and the services and sites hosted on it. If a hacker gets access to your server via ssh then they have full control, so it needs to be secured.

There are several ways that ssh access can be secured. This blog post is based on how we secure our servers, which run Ubuntu and Plesk Onyx.

You will need to be able to ssh to your server. Mac users can use the ssh command; PC users will need to download an ssh client such as PuTTY.

Create a root user

You still need remote access via ssh to your server so we need to create an account.

  1. Log onto your server via ssh: ssh root@hostname or IP
  2. Enter the command adduser newusername
  3. Enter a secure password and confirm
  4. You will then be prompted to enter some additional details; this is optional
  5. Now we need to add the user to the sudo users group, which is the group that allows root access. Enter the command usermod -aG sudo newusername
  6. Test the user: enter the command su - newusername
  7. Enter the command sudo ls -la /root (this is only accessible to a root user)
  8. Enter the password for newusername
  9. If you have created the new user correctly this command will execute correctly.

Disable remote root login

The next step will prevent root from being able to log in remotely via ssh. You will still be able to use root from a console session or the physical server screen:

  1. ssh to the server using the new user name
  2. Open the ssh configuration file with your preferred file editor: sudo nano /etc/ssh/sshd_config
  3. Find the line #PermitRootLogin No and change it to PermitRootLogin no (remove the leading # so the setting takes effect)
  4. Save the file
  5. Restart the ssh service with the command sudo service ssh restart

Change the SSH port

Note: if you have a firewall set up, you must update it to allow access on the new port, and check with your provider that you can change the default port. Also remember that if you have multiple servers talking to each other via port 22 you will need to update these. If you are not confident that this change will not affect your access or infrastructure, skip this step and implement the additional security steps below.

The default port for SSH is 22. To improve security you could change this to something different:

  1. Decide on the new port number for ssh
  2. Configure any firewall that you have setup to allow this port through
  3. Open the ssh configuration file with your preferred file editor: sudo nano /etc/ssh/sshd_config
  4. Find the line #Port 22
  5. Remove the # and change the port to the port number you have chosen
  6. Save the file and restart the ssh service with the command sudo service ssh restart

Additional Security

Static IP Address – Limit access to ssh via Plesk Firewall

If you have a static IP then you can limit ssh to the IP of your internet connection via the Plesk Firewall Extension. This blog assumes you have already followed the 4 Steps to secure your Plesk Server.

  1. Login to your Plesk Control Panel
  2. Click on Tools & Settings
  3. Click Firewall
  4. Click Modify Plesk Firewall Rules
  5. Click SSH (Secure Shell) Server
  6. Select Allow from selected sources, deny from others
  7. Enter your IP address
  8. Click Add
  9. Repeat for all the IP addresses you want to allow access from
  10. Once you have added all the IP addresses click OK.
  11. Click Apply Changes
  12. Click Activate

You will now only be able to access your server by SSH from the IP addresses you entered.


Secure Access via Duo

If you do not have a static IP you can add an additional layer of security to ssh using Duo.  Duo is a 2 Factor Authentication Service that provides 2FA to a range of applications and services.  Even if you have a static IP we recommend you add this additional layer of security.  First you will need to head over to https://duo.com and create a free account and carry out the steps below.

  • Create a user with the same name as the user you have setup for ssh access and follow the instructions to setup notifications.
  • Modify the global settings so that the New Users policy is set to Deny access to unenrolled users.
  • Click Protect an Application and select Unix, leave this screen open and carry out the steps below on your server.
  1. ssh to your server
  2. Enter the following command: sudo nano /etc/apt/sources.list.d/duosecurity.list
  3. Enter the text deb http://pkg.duosecurity.com/Ubuntu trusty main
  4. Save and close the file
  5. Enter the following command: curl -s https://duo.com/APT-GPG-KEY-DUO | sudo apt-key add -
  6. Install the Duo software with the command: sudo apt-get update && sudo apt-get install duo-unix

Once the application is installed we need to configure it with the information from Duo:

  1. Edit the configuration file: sudo nano /etc/duo/login_duo.conf
  2. Enter the Integration Key, Secret Key and API hostname as required
  3. Save the file and exit
  4. Edit the ssh configuration file: sudo nano /etc/ssh/sshd_config
  5. Add the following line to the end of the file: ForceCommand /usr/sbin/login_duo
  6. Save the file and exit
  7. Set the permissions on the login_duo.conf file: sudo chmod 600 /etc/duo/login_duo.conf && sudo chown sshd /etc/duo/login_duo.conf
  8. Test by typing login_duo. If all is working you will see something similar to the screen shown below:
  9. Enter you should receive a push notification to your phone, approve the login
  10. If all works ok, restart the ssh service: sudo service ssh restart
  11. Log out. From now on, every time you log in you will be prompted via your 2FA.
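
The script below is an added example, not part of the original post or of Plesk or Duo. It audits an sshd_config-style file for the settings applied above (PermitRootLogin, Port and the ForceCommand line for login_duo), and catches the case where "the end of the file" sits inside a Match block, so the Duo prompt would not apply to every login. The function names and the sample configuration are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit an sshd_config-style file for the settings in this post.
# sshd keeps the FIRST value it reads for a keyword, and lines after a "Match"
# line apply only to that block, so a ForceCommand appended there is not global.
# Assumes "Keyword value" lines separated by whitespace (no "Keyword=value").

# Print the first global (pre-Match) value of keyword $2 in file $1.
effective_global() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print PASS/FAIL/NOTE lines; the return status is the number of FAILs.
audit_sshd_config() {
    local file=$1 fails=0 root port force
    root=$(effective_global "$file" PermitRootLogin | tr 'A-Z' 'a-z')
    port=$(effective_global "$file" Port)
    force=$(effective_global "$file" ForceCommand)

    if [ "$root" = "no" ]; then echo "PASS PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${root:-unset}', expected no"; fails=$((fails + 1)); fi

    # Changing the port is optional in the post, so this is only reported.
    echo "NOTE Port is ${port:-22 (default, not set)}"

    if [ "$force" = "/usr/sbin/login_duo" ]; then echo "PASS ForceCommand runs login_duo"
    elif grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+/usr/sbin/login_duo' "$file"; then
        echo "FAIL ForceCommand login_duo is inside a Match block, not global"; fails=$((fails + 1))
    else echo "FAIL ForceCommand login_duo not set"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample: ForceCommand was appended after an existing Match block.
sample=$(mktemp)
printf '%s\n' 'Port 2222' '#PermitRootLogin no' 'PermitRootLogin no' \
    'Match Group sftponly' '    ChrootDirectory /srv/sftp' \
    'ForceCommand /usr/sbin/login_duo' > "$sample"
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On a live server, run sudo sshd -t before restarting the service and keep your current session open until a second login succeeds, so a mistake in the file does not lock you out.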

SSH access to your server is now secured. You have disabled remote access by the root account and implemented either restricted access based on IP, 2 factor authentication, or both. Securing SSH is only one of the ways that you should secure your server; remember to keep your server up to date and backed up.

All the servers we set up and manage have 2FA implemented on ssh and are kept up to date and backed up. If you need any help or advice on securing your Plesk server, do not hesitate to contact us. If your provider is not implementing these services for you, or is not able to provide them for you, then contact us.
