How do I improve my OpenSSH security on my node?
Introduction
OpenSSH is a very useful tool for remote Linux administration by Stake Pool Operators. However, it's also a very popular attack vector for outside threats.
This answer is based on LearnLinuxTV's video "3 Important Tweaks for Improving OpenSSH Security on Your Cloud Instance" (linked at the end of this answer).
To see why we would want to harden SSH on our server, all we need to do is look at the many attempts various third-party actors make to break into it. To view the log of login attempts, execute the following command after logging into your server:
sudo grep root /var/log/auth.log
It is unlikely that your server will have no failed login attempts by third-party actors who may be deliberately or inadvertently trying to log in to your server, usually as the root user.
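The grep above shows the raw lines; what you usually want is a count of failed attempts per source address and per username, because that is what tells you how often root is being targeted. The following is an added example (not part of the original answer or the LearnLinuxTV video). The log lines in SAMPLE_AUTH_LOG are constructed for the demonstration, and the function names failed_logins_by_ip, failed_logins_by_user and root_failed_count are my own; on a real node you would pipe `sudo cat /var/log/auth.log` into them instead of the sample.

```shell
#!/bin/sh
# Added example: summarise failed SSH password logins from auth.log-style lines.
# SAMPLE_AUTH_LOG is constructed sample data, not output from a real host.
SAMPLE_AUTH_LOG='Feb  2 10:01:12 node sshd[1201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Feb  2 10:01:15 node sshd[1201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Feb  2 10:02:40 node sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Feb  2 10:03:01 node sshd[1215]: Accepted publickey for johnny from 192.0.2.7 port 52200 ssh2: ED25519 SHA256:constructed
Feb  2 10:04:55 node sshd[1220]: Failed password for invalid user oracle from 203.0.113.9 port 40118 ssh2
Feb  2 10:05:10 node sshd[1223]: Failed password for root from 203.0.113.9 port 40120 ssh2'

# failed_logins_by_ip: reads log lines on stdin, prints "count ip", busiest first.
failed_logins_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i + 1)]++
       }
       END { for (k in ip) print ip[k], k }' | sort -rn
}

# failed_logins_by_user: reads log lines on stdin, prints "count user", busiest first.
# Handles both "Failed password for root" and "Failed password for invalid user admin".
failed_logins_by_user() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "for") {
           u = $(i + 1); if (u == "invalid") u = $(i + 3)
           user[u]++; break
         }
       }
       END { for (k in user) print user[k], k }' | sort -rn
}

# root_failed_count: number of failed password attempts against root (0 if none).
root_failed_count() {
  failed_logins_by_user | awk '$2 == "root" { print $1; found = 1 } END { if (!found) print 0 }'
}

# Demo on the constructed sample
echo "== failed logins by source IP =="
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
echo "== failed logins by username =="
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_user
echo "== failed attempts against root =="
printf '%s\n' "$SAMPLE_AUTH_LOG" | root_failed_count
```

Run it against the real log with `sudo cat /var/log/auth.log | failed_logins_by_ip` after sourcing the file. Once steps 4 and 5 below are done, the root and password lines stop being a risk (there is no password to guess and root cannot log in), but the counts remain a useful measure of how much unwanted attention the node gets.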
How do we go about securing our server?
Step 1 - SSH with root login
SSH into your server as the root user:
ssh root@your_server_ip_address
Or log in without an ssh client via the browser console provided by your VPS if you cannot access this publicly. Please check your VPS provider's FAQ or help section on how to log in as the root user their way.
Step 2 - Add a New User and Check Permissions
We need to create a new system user with admin privileges so that you do not have to work as the root user during your setup.
This step can be followed at this link (an answer already made on this site): https://cutt.ly/zkrNgly
Step 3 - Add ssh Key to Your New User
If you are still logged in as root switch over to the new user you created:
su - johnny
Remember to substitute johnny for whatever name you used as the new user on your system.
Let's check what files and folders (including hidden ones) reside in our home directory:
cd ~
ls -al
It is most likely that after creating your new user there will not be a .ssh directory. This directory is the folder that will hold our ssh keys in a specific file called "authorized_keys". We create the directory and edit the authorized_keys file.
mkdir .ssh
cd .ssh
nano authorized_keys
Now, copy-paste your SSH public key into the file, press CTRL+O to write the file out and CTRL+X to close the file.
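The manual mkdir/nano route above works, but sshd (with its default StrictModes yes) refuses to use authorized_keys if the .ssh directory or the file is readable by other users, which is a common reason "it worked as root but not as the new user". The function below is an added example, not from the original answer or the LearnLinuxTV video: it creates the directory with mode 700 and the file with mode 600, and appends the key only if it is not already there, so it is safe to run twice. install_authorized_key, key_count and mode_of are my own names, and SAMPLE_PUBKEY is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: install a public key into ~/.ssh/authorized_keys with the
# permissions sshd expects. SAMPLE_PUBKEY is a constructed placeholder, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL000000000000000000000000000 johnny@laptop'

# mode_of PATH: octal permission bits (GNU stat, with a BSD stat fallback)
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# install_authorized_key HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh (mode 700) and authorized_keys (mode 600) if missing,
# then appends PUBKEY_LINE unless the exact line is already present.
install_authorized_key() {
  home_dir="$1"; pubkey="$2"
  ssh_dir="$home_dir/.ssh"
  keys="$ssh_dir/authorized_keys"
  [ -n "$pubkey" ] || { echo "install_authorized_key: empty key" >&2; return 1; }
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
  touch "$keys" && chmod 600 "$keys" || return 1
  if ! grep -qxF "$pubkey" "$keys"; then
    printf '%s\n' "$pubkey" >> "$keys"
  fi
}

# key_count FILE: number of key lines (ignores blank lines and comments)
key_count() { grep -c -v -e '^#' -e '^[[:space:]]*$' "$1"; }

# Demo in a temporary directory standing in for the new user's home
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"   # second run must not duplicate
echo ".ssh mode: $(mode_of "$demo_home/.ssh")"
echo "authorized_keys mode: $(mode_of "$demo_home/.ssh/authorized_keys")"
echo "keys installed: $(key_count "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```

On the real node, run it as the new user with `install_authorized_key "$HOME" "ssh-ed25519 AAAA... you@laptop"`. The home directory itself must also not be group- or world-writable, or StrictModes rejects the key; `ls -ld ~` shows that.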
Step 4 - Disable root User Login
sudo nano /etc/ssh/sshd_config
This file will open with various parameters for our SSH configuration. One of them includes the "PermitRootLogin" parameter. We want to change that parameter from "yes" to "no".
OUTPUT EXAMPLE:
-----------------------------------------------------------------------------------------------------------------
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
-----------------------------------------------------------------------------------------------------------------
etc.
Change the parameter to look like this:
PermitRootLogin no
For this change to take effect you need to restart the ssh service:
sudo systemctl restart ssh
Then check the ssh status:
sudo systemctl status ssh
Step 5 - Disable Password Authentication
Make sure you have verified that you can log in using your SSH key before continuing with this step!
sudo nano /etc/ssh/sshd_config
Change the parameter #PasswordAuthentication yes to PasswordAuthentication no. Remember to remove the "#" hash prefix and change "yes" to "no".
Close the file and then restart ssh again:
sudo systemctl restart ssh
Step 6 - Change SSH Port from 22 to Another Port Number
sudo nano /etc/ssh/sshd_config # change ssh port 22 to something else
sudo systemctl restart ssh
sudo systemctl status ssh
For example, change the parameter from #Port 22 to Port 9509.
Remember to remove the "#" hash prepend when editing this parameter!
You can check that the port is correctly configured:
sudo netstat -tulpn | grep ssh
If netstat does not work you can install it using this command:
sudo apt install net-tools
If you are interested, you can also check all ports that are open on your server using this command:
sudo netstat -tulpn
Step 7 - Optional step. Restrict Users on System
sudo nano /etc/ssh/sshd_config # add an AllowUsers line with the usernames allowed to log on
Edit sshd_config to include a line that restricts which users can log on. For example: AllowUsers johnny
sudo systemctl restart ssh
sudo systemctl status ssh
Be careful with this step: if you mistype the allowed users you will lock yourself out of your server for good!
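Steps 4 to 7 all edit the same file and each ends with a restart, and the lockout warning above applies to every one of them. Two checks a practitioner wants before that restart: that the directives actually took effect (sshd uses the first uncommented occurrence of a keyword, so a leftover earlier line or an Include'd file can silently override your edit), and that the file parses (`sshd -t` checks syntax without restarting). The following is an added example, not from the original answer or the LearnLinuxTV video: audit_sshd_config, sshd_get and apply_sshd_config are my own names, the two config snippets are constructed, and the audit only reads the file it is given (it does not follow Include lines).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings changed in steps 4 to 7
# and syntax-check before restarting. Both config snippets are constructed.
DEFAULT_CFG='# constructed: distribution default
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PasswordAuthentication yes
PermitRootLogin yes
#MaxAuthTries 6'

HARDENED_CFG='# constructed: after steps 4 to 7
Port 9509
PermitRootLogin no
PasswordAuthentication no
AllowUsers johnny
MaxAuthTries 6'

# sshd_get FILE KEYWORD: value of the first uncommented occurrence of KEYWORD.
# sshd uses the first value it finds and keywords are case-insensitive; commented
# lines start with "#Keyword" so they never match.
sshd_get() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one line per finding, return the finding count
# (0 means all three hardening settings are present). AllowUsers is optional
# in step 7, so it is reported as a note and not counted.
audit_sshd_config() {
  cfg="$1"; n=0
  v=$(sshd_get "$cfg" PermitRootLogin)
  [ "$v" = "no" ] || { echo "FINDING: PermitRootLogin is '${v:-unset}', expected 'no'"; n=$((n + 1)); }
  v=$(sshd_get "$cfg" PasswordAuthentication)
  [ "$v" = "no" ] || { echo "FINDING: PasswordAuthentication is '${v:-unset}', expected 'no'"; n=$((n + 1)); }
  v=$(sshd_get "$cfg" Port)
  if [ -z "$v" ] || [ "$v" = "22" ]; then
    echo "FINDING: Port is '${v:-22 (default)}', step 6 moves it off 22"; n=$((n + 1))
  fi
  v=$(sshd_get "$cfg" AllowUsers)
  [ -n "$v" ] || echo "NOTE: AllowUsers not set (optional step 7)"
  return "$n"
}

# apply_sshd_config: syntax-check the live config with sshd -t before restarting,
# so a typo cannot leave the node without a working sshd. Not run in this demo.
apply_sshd_config() {
  sudo sshd -t && sudo systemctl restart ssh && sudo systemctl status ssh --no-pager
}

# Demo on the constructed snippets
tmp_default=$(mktemp);  printf '%s\n' "$DEFAULT_CFG"  > "$tmp_default"
tmp_hardened=$(mktemp); printf '%s\n' "$HARDENED_CFG" > "$tmp_hardened"
echo "== default config ==";  audit_sshd_config "$tmp_default"  || echo "findings: $?"
echo "== hardened config =="; audit_sshd_config "$tmp_hardened" && echo "findings: 0"
rm -f "$tmp_default" "$tmp_hardened"
```

On the node, `audit_sshd_config /etc/ssh/sshd_config` (and each file under /etc/ssh/sshd_config.d/) before calling apply_sshd_config; keep your existing SSH session open while you test the new settings from a second terminal, so a mistake can still be undone.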
You can always check what has been going on regarding the login sessions on your server using this command:
sudo cat /var/log/auth.log
Links used in this answer:
- LearnLinuxTV tutorial: https://www.youtube.com/watch?v=xVW1fGRlRkE
- How do I create a new sudo-enabled user on my linux system: https://cutt.ly/zkrNgly
This answer was published on 02 February 2021
Shortcut link to this page:
https://cutt.ly/ekdK4BP