This guide explains how to secure the SSH server on Ubuntu and keep unauthorised users (hackers, or more often their bots) off your box.
You should already have an SSH server installed and running; if you don't, install one now (the ssh metapackage pulls in openssh-server together with the client):
apt-get install ssh
Before I start you may be wondering "Who would want to break into my SSH server?" The answer is more than likely a bot. Bots scan subnets of boxes with high bandwidth, or ranges belonging to governments (a reverse DNS ending in nasa.gov or .mod looks cool on IRC). Once a bot has compromised your machine it is added to a large network of other compromised computers controlled by the "hacker", and those machines are then normally used to DDoS other sites offline. Imagine the power of 1000 hacked servers with 100 Mbps connections bombarding another server on the Internet with TCP connections: the result is downtime. The target is overloaded with requests and rendered useless, costing you frustration, money, time, pain and possibly your job. So, bottom line: secure your SSH server (and any other services, for that matter) and keep your servers up to date!
Scare tactics
Still not convinced? You might be interested in seeing whether your SSH server has already been attacked by crackers / hackers:
Use lastb to quickly list recent failed login attempts (it reads /var/log/btmp, the bad-login counterpart of last):
lastb
To see the top 5 most attacked accounts:
lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -5
Top 5 attacker IP addresses (on Ubuntu sshd logs to /var/log/auth.log, not /var/log/secure; zcat -f also reads the rotated .gz copies):
zcat -f /var/log/auth.log* | awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $3}' | sort | uniq -c | sort -rn | head -5
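The same two summaries as shell functions, so you can run them over any auth.log-style file (or over journalctl output saved to a file) rather than pasting one-liners. This is an added example and not part of the original post; the log lines in SAMPLE_LOG are constructed, with made-up host names and addresses.

```shell
#!/bin/sh
# Added example, not from the original post: "top attacker" summaries over
# Ubuntu's /var/log/auth.log format. SAMPLE_LOG is constructed test data.

SAMPLE_LOG='Mar  3 10:12:01 web1 sshd[2101]: Failed password for root from 203.0.113.10 port 4321 ssh2
Mar  3 10:12:03 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.10 port 4325 ssh2
Mar  3 10:12:05 web1 sshd[2103]: Failed password for invalid user oracle from 198.51.100.7 port 5521 ssh2
Mar  3 10:12:07 web1 sshd[2104]: Failed password for root from 203.0.113.10 port 4330 ssh2
Mar  3 10:12:09 web1 sshd[2105]: Accepted publickey for stan from 192.0.2.5 port 50022 ssh2: ED25519 SHA256:abc
Mar  3 10:12:11 web1 sshd[2106]: Failed password for root from 198.51.100.7 port 5530 ssh2'

# top_attacker_ips FILE [N]: "count ip" for the N busiest sources of failed
# password attempts. The address is the token after "from", which holds whether
# or not the line carries the optional "invalid user" prefix.
top_attacker_ips() {
  awk '/sshd\[[0-9]+\]: Failed password for / {
         for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
       }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

# top_attacked_users FILE [N]: same for the account names being guessed. For
# "invalid user X" the name is three tokens after "for", otherwise one.
top_attacked_users() {
  awk '/sshd\[[0-9]+\]: Failed password for / {
         for (i = 1; i <= NF; i++) if ($i == "for") {
           u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
           print u; break
         }
       }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

# failed_attempts_from FILE IP: number of failed password attempts from one address.
failed_attempts_from() {
  awk -v ip="$2" '/Failed password for / {
                    for (i = 1; i <= NF; i++) if ($i == "from" && $(i + 1) == ip) n++
                  }
                  END { print n + 0 }' "$1"
}

# Demo on the constructed sample; point the functions at /var/log/auth.log for real data.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
echo "Top attacker IPs:";   top_attacker_ips "$demo_log" 5
echo "Top attacked users:"; top_attacked_users "$demo_log" 5
rm -f "$demo_log"
```

On a box whose logs live only in the journal, save `journalctl -u ssh --no-pager` to a file and pass that in; the message format is the same.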
Securing SSH Server on Ubuntu
OK, so now you're worried about the number of attack attempts on your server; here is the guide.
Secure passwords. Simple: don't have weak passwords on your server, don't base them on dictionary words, and do use numbers and a mix of upper and lower case letters. I personally don't like special characters in passwords as they have been known to cause problems…
Install "DenyHosts", an amazing program that watches the auth log (/var/log/auth.log on Ubuntu) for invalid SSH login attempts and, once a configurable threshold is crossed, blocks the source by adding it to /etc/hosts.deny. Install denyhosts and optionally edit the good default configuration in /etc/denyhosts.conf; you might want to allow certain local users a higher incorrect-password limit before blocking. I have had some problems with this in the past, I won't name names, you know who you are! If your Ubuntu release no longer ships a denyhosts package, fail2ban does the same job with an sshd jail enabled by default, and it blocks with firewall rules rather than hosts.deny, so it also works with OpenSSH builds that no longer consult TCP wrappers. To install DenyHosts:
apt-get install denyhosts
Change the SSH port. It is security by obscurity, but it definitely works: my web servers were getting blasted with attackers on port 22. To change the port edit /etc/ssh/sshd_config (the server's config; ssh_config is the client's) and change the line
Port 22
to something else. I wouldn't use 2222 as everyone else picks that port (creative sysadmins?). Open the new port in your firewall, restart sshd, and test a fresh connection to it before you close the session you are working in.
Allow only SSH protocol 2: open /etc/ssh/sshd_config and change
#Protocol 2,1
to
Protocol 2
(Recent OpenSSH releases have removed protocol 1 altogether, so on those this line changes nothing, but it costs nothing either.)
Disable root logins, also in sshd_config:
PermitRootLogin no
Limit the maximum number of unauthenticated connections the SSH server will handle at the same time. The smaller this is, the harder it is for script kiddies to make parallel, coordinated cracking attempts over multiple connections. Edit sshd_config and change MaxStartups from the default of 10 to 3:50:10. The colon-separated values are start:rate:full: once 3 connections are waiting to authenticate, sshd starts refusing new ones with a probability of 50%, and that probability rises linearly until at 10 pending connections every new one is dropped. Note: this should be increased on servers with substantial numbers of valid SSH users logging in.
#MaxStartups 10
MaxStartups 3:50:10
Reduce the maximum time allowed to log in successfully before sshd disconnects. The default is 2 minutes; I set my servers to 30 seconds. Who takes 2 minutes to log in?
#LoginGraceTime 2m
LoginGraceTime 30
Allow only specific users to log in. The list is space-separated (no commas) and accepts shell-style patterns, so if you only want Stan, Kenny, Cartman and every user name starting with "mr" to log in:
AllowUsers stan kenny cartman mr*
You can do the same with groups: make an "sshusers" group, add your SSH users to it, then put this in sshd_config:
AllowGroups sshusers
Allow only users from certain IP addresses to connect. Before allowing specific IPs the default policy must first be set to DENY for this to be effective. Edit /etc/hosts.deny and add the following line:
sshd: ALL
Next add to /etc/hosts.allow the networks you want to allow. For example, to allow all 254 hosts on the class C network "192.168.1.*", all 16 million hosts of the class A network "10.0.0.0" and the lonely IP 24.42.69.101, you would add the following to /etc/hosts.allow:
sshd: 192.168.1.0/255.255.255.0
sshd: 10.0.0.0/255.0.0.0
sshd: 24.42.69.101
Caveat: hosts.allow and hosts.deny only take effect if sshd was built with TCP wrappers (libwrap). OpenSSH dropped that support in 6.7, so on a current Ubuntu check whether /usr/sbin/sshd still links libwrap (ldd will show it); if it doesn't, enforce the same restriction with firewall rules (ufw) on the SSH port, or with a Match Address block in sshd_config, instead.
Use keys instead of password auth; this completely stops password crackers. Generate a key pair, put the public key in ~/.ssh/authorized_keys on the server and confirm you can log in with it before adding this line, or you will lock yourself out:
PasswordAuthentication no
Also make sure ChallengeResponseAuthentication is set to no (Ubuntu's default; OpenSSH 8.7 and later call it KbdInteractiveAuthentication), otherwise PAM can still accept a password through keyboard-interactive authentication.
By default SSH listens on all IPs; if you only need it on one, add a ListenAddress (keep any Port line above it, since a ListenAddress without a port only uses the Port options that come before it):
ListenAddress 10.0.1.50
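The sshd_config steps above, from the port change through to disabling password logins, applied by a script instead of by hand. This is an added example, not code from the original post: it edits the file you pass idempotently, inserts directives ahead of any Match block (sshd uses the first value it finds, and anything below a Match line belongs to that block), and refuses to turn password authentication off until the authorized_keys file you name actually contains a key. Port 2200 and the group "sshusers" are placeholders from the guide; the sample config and key at the bottom are constructed. Run it on a copy of /etc/ssh/sshd_config first.

```shell
#!/bin/sh
# Added example, not from the original post: apply this guide's sshd_config
# settings idempotently, guarding against locking yourself out.

# set_sshd_option FILE KEY VALUE: comment out active top-level KEY lines and put
# "KEY VALUE" before the first Match block (or at the end if there is none).
set_sshd_option() {
  file="$1"; tmp="$1.tmp.$$"
  awk -v k="$2" -v v="$3" '
    BEGIN { lk = tolower(k) }
    tolower($1) == "match" && !done { print k " " v; done = 1 }
    !done && tolower($1) == lk       { print "#" $0; next }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: the value sshd would use (first active line before any Match).
get_sshd_option() {
  awk -v k="$2" '
    BEGIN { k = tolower(k) }
    tolower($1) == "match" { exit }
    tolower($1) == k && !found { v = $2; found = 1 }
    END { print v }
  ' "$1"
}

# authorized_keys_present FILE: true if the file has at least one non-blank,
# non-comment line, i.e. a key that will let you back in.
authorized_keys_present() {
  [ -s "$1" ] && grep -Eq '^[^#[:space:]]' "$1"
}

# harden_sshd_config CONFIG AUTHORIZED_KEYS: the settings from the guide. Leaves
# password auth alone and returns 1 if AUTHORIZED_KEYS holds no key.
harden_sshd_config() {
  cfg="$1"; keys="$2"
  set_sshd_option "$cfg" Port 2200                # placeholder: pick your own
  set_sshd_option "$cfg" PermitRootLogin no
  set_sshd_option "$cfg" MaxStartups 3:50:10
  set_sshd_option "$cfg" LoginGraceTime 30
  set_sshd_option "$cfg" AllowGroups sshusers     # create the group and add users first
  if ! authorized_keys_present "$keys"; then
    echo "harden_sshd_config: no key in $keys, leaving password auth enabled" >&2
    return 1
  fi
  set_sshd_option "$cfg" PasswordAuthentication no
  # Without this PAM can still take a password via keyboard-interactive.
  # OpenSSH 8.7+ calls it KbdInteractiveAuthentication; the old name still works.
  set_sshd_option "$cfg" ChallengeResponseAuthentication no
}

# Constructed sample resembling Ubuntu's default file, plus a fake public key.
SAMPLE_CONFIG='#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes'
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIALxxxxxxxxxxxxxxxxx stan@laptop'

demo_cfg=$(mktemp); demo_keys=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_cfg"
printf '%s\n' "$SAMPLE_KEY" > "$demo_keys"
harden_sshd_config "$demo_cfg" "$demo_keys" && cat "$demo_cfg"
rm -f "$demo_cfg" "$demo_keys"
```

After running it against the real file, `sshd -t` checks the syntax and `systemctl restart ssh` (or `service ssh restart` on older releases) applies it; keep your current session open until a fresh login on the new port works.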