Securing SSH on Linux Part 1

Update: Rather embarrassingly I forgot to include restarting sshd. Also I have edited my formatting of the commands shown.

When you first set-up your Linux VPS the chances are that you are told to log in as ‘root’ directly, possibly even using a password like ‘123456’!

The steps in this two part tutorial should be enough to protect you against brute force attacks against SSH. Please note that it assumes you are familiar with the Linux shell and have already assigned a host name to your VPS.

First login to your sever and change the root password using:

user@localhost:~ $ ssh root@remotehost
root@remotehost:~ # passwd

As explained in XKCD a good password is long but easily memorised. My approach is to use song lyrics with around fifty letters.

Next create a new user account to log for logging into your VPS. In this case the user is called admin but you can name it whatever you like.

root@remotehost:~ # useradd -m admin

Then assign this account its own password. This must be different to the password you gave to root.

root@remotehost:~ # passwd admin

To find out which user group is allowed to gain root privileges use:

root@remotehost:~ # visudo

The line you are looking for will be something like:

%sudo ALL=(ALL) ALL

In the event that there is no such line add it in and then create a corresponding user group:

root@remotehost:~ # groupadd sudo

(Feel free to substitute sudo with another name so long as you use it consistently).

Then add your new user into the group:

root@remotehost:~ # usermod -aG sudo admin

Now configure sudo to require the root password in to give root access.

Go back into visudo and make the following change:

Defaults targetpw

Note: If your VPS is running OpenSuse or SLES this has already been done for you.

At this point you will have to to restart the SSH daemon, however the exactly which of the following is used to do this depends on your choice of Linux distribution:

user@remotehost:~ $ sudo service sshd restart

or:

user@remotehost:~ $ sudo systemctl restart sshd

Where sshd may be replaced with, ssh, open-ssh or open-sshd.

Test that everything works so far attempting to log out, log back in and then become root:

root@remotehost:~ # exit
user@localhost:~ $ ssh admin@remotehost
admin@remotehost:~ $ sudo -i

Assuming all of the above has worked it is now time to disable directly logging in as root. Edit the SSH daemon configuration file using:

root@remotehost:~ $ vi /etc/ssh/sshd_config

Find the line that reads

PermitRootLogin yes

and change it to

PermitRootLogin no

Finally restart the SSH daemon again.

At this point you have already made a drastic improvement to your security but you can do better by using public key authentication as I will explain in part 2.

By Ryan McCoskrie

Founder of the Hurunui Tech Club Creator of Vicinitude President of the Leithfield Public Library

Leave a comment