Securing ssh on your server

Posted on July 26, 2009 | Category: Informational, Security, Server, bash

Accessing your Ubuntu Server box using ssh is very convenient and simple to do. However, if not secured properly, those nasty hackers can get into your world and cause you pain and grief. Here are a few tools and configuration options that will help secure your installation.

1) One of the first things to do is change the default ssh port from 22 to a port that is less traveled. Using Terminal, make a backup of your sshd_config file. Then, find the line that reads Port 22 and change it to an arbitrary port number. Check this site (http://www.iana.org/assignments/port-numbers) before you select a port to make sure that another service is not operating on that port.

cd /etc/ssh
sudo cp sshd_conf cp_sshd_conf
sudo vi sshd_conf

Make sure that you open up your firewall and Port Forward your router with the port and machine you desire to access

2) I have had tremendous success with a program in the apt-get repositories called fail2ban. This really simple program allows you to configure allowed ip’s for a particular server (ssh, courier, etc…) and more importantly, how many access attempts are allowed before that ip is blocked. Install faill2ban and edit the configuration file to reflect your ssh preferences.

cd /etc/fail2ban
sudo cp jail.conf jail.local
sudo vi jail.local

I configured my fail2ban for global restrictions. An example configuration might include ignoring your internal ip as a potential blocked address. The bantime is noted in seconds. An example configuration is found below.

# ssh
ignoreip = 127.0.0.1 192.168.1.105 123.123.123.123
bantime  = 990600
maxretry = 3

Changing your default ssh port will throw off the majority of your ssh attacks. However, if your password is weak even the most random ssh prot assignment can be hacked. Passwords should not be a dictionary word and should include special characters. For example, think about a using an acronym ofthe first 2 letters of each perosn in your family with some special characters included (no, this is not my password schema!).For additional and more technical ssh tricks, take a look at this nixCraft article.

Similar Articles

• » Splunk 4 Analytics: installation and first Impressions
• » Wordpress 2.9 available for download
• » MySQL v.5.5 now scales to 32 cores with performance gains
• » Windows 7 RC Review
• » The White House releases a free iPhone app

Leave a Reply

Name (required)

Mail (will not be published) (required)

Website

CAPTCHA Code

Notify me of followup comments via e-mail