First step: Secure your SSH
One of the first steps towards securing your server is to limit the attack points, as I already mentioned here. However, SSH is one of the most important services if you are managing your server remotely; if you can access your machine physically, you can shut the SSH service down.
The first good thing that you can do regarding SSH is to enable passwordless authentication.
The first thing that you need to check with your SSH is the protocol you are currently using. There are currently two protocols:
- Protocol 1
- Protocol 2
Most Linux distributions nowadays ship with Protocol 2 already enabled (which is what we actually want); however, you can use the command below to check which protocol you are using:
cat /etc/ssh/sshd_config |grep Protocol
It will print either
Protocol 1
or
Protocol 2
If it is Protocol 2, then you are good to go.
If not, you can use your favorite editor to edit the file. I will use the vi editor, and run the following command
Now find the line which says
And change it to Protocol 2, then restart your SSH service using:
service sshd restart
Now you are on protocol 2 and good to go.
Ports are like doors to a home: they are the open gates on your server. By default SSH works on port 22, so if someone is trying to access or hack your server, they will connect to SSH port 22. Changing your port may not protect you from all hacking attempts, since port scanning can be used to map your open ports. However, it will make it a little harder for the hacker, so let's find out what port SSH is currently listening on (if you have not changed it, then most probably it will be 22).
cat /etc/ssh/sshd_config |grep Port
To change your SSH port, you again need to modify the same file. Find these lines:
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
and change them to
Port 5550
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Your new SSH port will be 5550. Now, while connecting over SSH, you need to use the -p flag to specify the custom port, using the command below:
ssh -p 5550 [email protected]
Disable Root Login
Don’t disable root login if you don’t have any other user on your machine yet; first make sure that you have another user on your machine that can access SSH.
Then you can edit the same file, find the line
PermitRootLogin yes
and change it to
PermitRootLogin no
Disable authentication using password!
If you already have passwordless authentication in place, as I mentioned at the start of this post, then there is no point in allowing login via password; you can stop authentication using passwords altogether.
Find the line
PasswordAuthentication yes
and change it to
PasswordAuthentication no
Please note that if you do not have passwordless authentication in place and you disable access through password, you might be locked out of your machine if you cannot access it physically, so make sure before making this change.
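To check the result of the steps above, here is a small audit script, added as an example and not part of the original post. It reads the file the way sshd does (comment lines such as #Port 22 are ignored, the first active occurrence of a keyword wins, and settings inside a Match block are not global), which the plain grep commands above do not; the function names and the sample config are constructed for illustration.

```shell
# Added example (not from the original post): audit an sshd_config file.
# Print the first active value of KEYWORD in the global section of FILE.
# Comment lines are skipped, keywords match case-insensitively, the first
# occurrence wins, and parsing stops at the first Match block.
sshd_setting() {   # usage: sshd_setting FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { val = $2; exit }
        END { print val }
    ' "$1"
}

# Compare one keyword with the value the post recommends; 1 on mismatch.
check() {   # usage: check FILE KEYWORD WANTED
    got=$(sshd_setting "$1" "$2" | tr 'A-Z' 'a-z')
    if [ "$got" = "$3" ]; then
        echo "OK   $2 $got"
    else
        echo "FAIL $2 $got (post recommends $3)"
        return 1
    fi
}

# Run all checks; the exit status is the number of failed checks.
audit_sshd() {   # usage: audit_sshd FILE
    fails=0
    case "$(sshd_setting "$1" Protocol)" in
        *1*) echo "FAIL Protocol allows version 1"; fails=$((fails + 1)) ;;
    esac
    check "$1" PermitRootLogin no || fails=$((fails + 1))
    check "$1" PasswordAuthentication no || fails=$((fails + 1))
    case "$(sshd_setting "$1" Port)" in 22|unset) echo "NOTE default port 22" ;; esac
    return "$fails"
}

# Constructed sample config, written to a temporary file for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
GatewayPorts no
Port 5550
PermitRootLogin yes
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "failed checks: $?"
rm -f "$sample"
```

Point audit_sshd at /etc/ssh/sshd_config on your own server, and run sshd -t to validate the file before restarting the service, while keeping your current session open until a new login works.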