Domains
Hosting
cPanel Hosting Plesk Hosting cPanel Reseller Plesk Reseller WordPress Hosting WooCommerce Hosting
Servers
VPS Server Windows VPS Dedicated Servers

Securing SSH on Ubuntu 14.04

After you create a new server, there are some configuration tweaks that you should make to harden the security of your server.

Create A New User

As the root user, you have the privileges to do anything that you want with the server – no restrictions. Because of this, it is better to avoid using the root user account for every task on your server. Let’s start by making a new user. Replace username with the desired user name:

adduser username

Choose a new secure password and respond to the questions accordingly (or just hit ENTER to use the default value).

Giving The User Root Privileges

New user accounts don’t have privileges outside of their home folder and cannot run commands that will alter the server (like installupdate, or upgrade). To avoid the use of the root account, we will give the user root privileges. There are two ways of doing this:

Adding A User To The Sudo Group

The easy way is to add the user to the sudo group. Replace username with the desired user name:

adduser username sudo

This will add the user to the sudo group. This group has the privilege of running the commands with sudo access.

Modifying The Sudoers File

The other way is to put your user in the sudoers file. If your server has multiple users with root privileges, then this approach is somewhat better because if someone messes with the sudo group, you will still be able to run commands with root privileges to work on the server.

First, run this command:

visudo

This will open the sudoers file. This file contains the definitions of groups and users who can run commands with root privileges.

root    ALL=(ALL:ALL) ALL

After this line, write your user name and grant it full root privileges. Replace username accordingly:

username    ALL=(ALL:ALL) ALL

Save and close the file (Ctrl + O and Ctrl + X in nano).

Testing Your New User

To log in to your new user account without logging out and logging, simply call:

su username

Test sudo permissions using this command:

sudo apt-get update

The shell will ask for your password. If sudo was configured properly, then your repositories should be updated. Otherwise, review the previous steps.

Now, log out of the new user:

exit

Sudo setup is complete.

Securing SSH

The next part of this guide involves securing the SSH login to the server. First, change the root password:

passwd root

Choose something hard to guess, but that you can remember.

SSH Key

SSH keys are a safer way to log in. If you are not interested in SSH keys, skip to the next part of the tutorial.

Use the following AKLWEB HOST Doc to make an SSH key: How Do I Generate SSH Keys?

After you get your public key, log in with your new user again.

su username

Now, make the .ssh directory and the authorized_keys file in the home directory of that user account.

cd ~
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys

Add the public key that you generated from the other tutorial to the authorized_keys file.

 nano .ssh/authorized_keys

Save the file, then change the permissions of that file.

chmod 600 .ssh/authorized_keys

Return to the root user.

exit

SSH Configuration

Now we will make the SSH daemon more secure. Let’s start with the config file:

nano /etc/ssh/sshd_config 

Change SSH inbound port

This step will change the port used to access the server; it is entirely optional but recommended.

Find the line with the Port config, it should look like this:

Port 22

Now, change this port to any port that you want. It must be greater than 1024.

Port 4422

Disable root SSH login

This step will disable root login through SSH, it is entirely optional but highly recommended.

Find this line:

PermitRootLogin yes

… and change it to:

PermitRootLogin no

This will make the server more secure against bots that try brute force and/or common passwords with user root and port 22.

Disable X11 Forward

This step will disable X11 forwarding, don’t do this if you use some remote desktop program to access your Server.

Find the X11 line:

X11Forwarding yes

… and it changed to:

X11Forwarding no

 Restart the SSH daemon

Now that we made the changes to secure the SSH Login, restart the SSH service:

service ssh restart

This will restart and reload the server settings.

Testing Changes

Without disconnecting your current ssh session, open a new terminal or PuTTY window and test another SSH login.

ssh -p 4422 username@SERVER_IP_OR_DOMAIN

If everything checks out, we have successfully hardened the security of your Server. Enjoy!

We use cookies to personalize your experience. By continuing to visit this website you agree to our use of cookies

More