How to Secure your SSH on a Linux server

MooseLucifer

Well-known member
Registered
Joined
May 20, 2016
Messages
149
Points
28
All the way in this thread are edited in the file /etc/ssh/sshd_config, after fixed then restart SSH with the command:
Code:
service sshd restart
1. Change SSH port

Default SSH Server will use port 22 to receive the connection, and it is the port that the scanner is always targeted to a brute force attack. Therefore, do not use the default port 22 change to a different port, such as 5879. Also note that the port number must be less than or equal to 4 digits and should not conflict with other port was used by other software.

To change the SSH port, you find:

Code:
#Port 22
Leaving comments and replaced 22 of the port you want to use

Code:
Port 5879
2. Do not sign in with the root user

The root user is always very sensitive, so if possible, use a different user to log in and then use the su command to switch to root user.

Note: Please set a password for the root user first. Keep in mind is whether you can use SSH Key and do not allow login with a password, but when switching users then it is still using normally

The first is create a user

Code:
useradd forumwebhosting
And set the password for this user:

Code:
passwd forumwebhosting
If you want to use SSH key for this user, log on to the server with the user has just created and create SSH Key for it

The next is the configuration does not allow root login to the user, by opening the file /etc/ssh/sshd_config and find:

Code:
#PermitRootLogin yes
Edit it to

Code:
PermitRootLogin no
Finally adding this at the end of the file to allow the user forumwebhosting log into SSH:

Code:
AllowUsers forumwebhosting
And from now when you can log on SSH with a user forumwebhosting and type su command, enter the root password to switch to the root user. The downside is this does not apply to SFTP.

3. Only allow SSH login from a fixed IP

If you use dynamic IP, then do not try this, but if you have a static IP address, it is possible to combat the illegal login. Just insert the following in:

Code:
ListenAddress 123.45.678
Beside these ways, I am looking forward to hearing your ways that you are applying to secure your Linux server.
 

macklong

Active member
Registered
Joined
Jun 17, 2016
Messages
67
Points
0

CrazeHostBee

Member
Registered
Joined
Jul 2, 2016
Messages
17
Points
3
One quick tip, ask the server provider to disable ping so it would have high chance to avoid any bruteforce bots.
 

ValeriaMxc

New member
Registered
Joined
Oct 12, 2012
Messages
12
Points
0
ValeriaMxc
Where can I disable ping on my VPS server?

This piece of information is useful to me.
 

Maxoq

Well-known member
Registered
Joined
Feb 25, 2015
Messages
520
Points
28
Maxoq
Method 1:

If you use iptbables then run this

Code:
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP
or

Code:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
Method 2:

This disables ping responses, in the case you use the script then adding following line to your init script

Code:
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
To reenable, use the following command:
Code:
echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all
To make this permanent set the following into /etc/sysctl.conf

Code:
net.ipv4.conf.icmp_echo_ignore_all = 1
 

Marc A

Well-known member
Registered
Joined
Jun 14, 2016
Messages
125
Points
18
Thanks for this post it helped me a lot get a better understanding.
 
Older Threads

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top