November 8th, 2004, 1:27 PM   #1
Aric
SSH and Security

Several customers have asked about how to keep your servers secure, particularly access via SSH. This post will try to explain how best to do that.

First off, let me say, no matter what you do, keeping your root password complex and constantly changing is extremely important.

After this if I see ANY of you with the default root password we set on your server, I will drive/fly to where you live and slap you silly, understand? SAY NO TO DEFAULT ROOT PASSWORDS.

There are two ways to change your password:
  • In WHM: Log into WHM as root, click CHANGE ROOT PASSWORD, type in your new password (be careful and double check it, you are only asked 1 time), and submit the new password.
  • Via SSH: Log into your server directly as root (don't SU to root). Type:
    Code:
    passwd
    Type your new password 2x. Note: You won't see anything when you are typing. This is Geek Security, just press ENTER when done. If you type it correctly 2x it will be immediately changed.

OK, so now you have a nice, long, alphanumeric password that also contains special characters (-,!,#, etc.) and some random upper- and lower-case characters and isn't based on ANY words found in a dictionary.

Don't forget to change your root pass regularly! (Once a month is probably good, or more often if you think you need to do so.)

If any of you have done some research on the subject of Linux security, you're probably aware that "experts" recommend that when it comes to SSH security you:
  • Disable root SSH login altogether
  • Change the IP address that SSH is bound to (answers on)
  • Change the port SSH is bound to
  • Make sure SSH only uses v2 of the SSH protocol (more secure than v1)
  • Create a user, add them to the wheel group and have that user SU to root

This will certainly make your server safer. However, there are a few drawbacks to all that, which I'll get into later, as well as another method of securing SSH access that is less problematic and even safer than SU to root.

Most of the changes listed above can be accomplished just by editing a single file. To start, just log into your server via SSH as root and type the following:
Code:
pico -w /etc/ssh/sshd_config
Welcome to the SSHD (SSH Daemon) config file!

In case you don't know this, any line that begins with a "#" is COMMENTED (which means it is ignored, it's typically used for comments, hence the name).

You should see a block that looks something like this near the top of the file:
Code:
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
This is most of what we need to change to make the magic happen.
Uncomment the first line #Port 22 (remove the #). Now change this to any unused port, try to stay away from obvious choices like 222, 2222, 1234, etc. Also, if you are running APF (and you SHOULD BE), you will also need to edit the conf.apf file later to add whatever port you just chose to the ALLOWED ports (ingress/egress) and restart APF later. Don't forget or you will lock yourself out of SSH!

Now uncomment the second line. All you need to do here is remove the ",1" at the end of the line, so it looks like:
Code:
Protocol 2
Now for the third line. Uncomment it. Change 0.0.0.0 to any IP address that is assigned to your server that IS NOT CURRENTLY BEING USED for any other purpose (for maximum security).

Scroll down until you see the following lines:
Code:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
Uncomment the second line, and change "yes" to "no".
Also uncomment the next line (StrictModes).

Scroll down a little further for one last change:
Code:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
Uncomment the second line.

Now save the file. To do that, press CTRL-X, Y, ENTER.

Before we restart anything, we need to add a user to be in the wheel group (this will be the account that can SU to root later). Type:
Code:
# useradd -p expects an already-encrypted crypt(3) hash, not the plain password, so hash it first
useradd -g wheel -s /bin/bash -p "$(openssl passwd -6 'passwordhere')" newusername
Change "passwordhere" to the password you want to use for the account, no spaces. Change "newusername" to whatever you want to call this new super user. IT CANNOT BE A USERNAME ALREADY USED BY AN ACCOUNT IN CPANEL. This is for the best security-wise anyway.

Don't forget this password and make it a SECURE one!

If all has gone well, you can now restart SSH and test it out. PLEASE MAKE DOUBLY SURE YOU DIDN'T MAKE ANY MISTAKES BEFORE RESTARTING SSHD. Also, make sure to edit conf.apf if you have APF installed to add the new SSH port.

To restart it type:
Code:
service sshd restart
Now log into SSH using the new IP ADDRESS and SSH port number, and log in as your super user.

Once in, you now have to SU to root, type:
Code:
su
and type in the root password for your server.
You will now have most of the powers that the root user has (with a few exceptions).

When you want to log out, type "exit" 2x.

Congratulations, your server is much safer now.

However, there are a few things to consider:
  • SUing to root makes your server much safer, but you aren't out of the woods. A good hacker, if they got your root password, could STILL get into your server directly as root. All they need to do is log into WHM as root, change the root password, create an account, add that user to the wheel group, SU to root, modify sshd_config to allow root logins and relogin as root with the new root password. They then remove your SU account and you're locked out and your server is now "0nw3d". Lucky you.
  • Changing the IP address is good (especially if it is not used for anything else on your server). However, hackers are wise to this trick. They also know that it is rare that a server has completely randomly chosen IPs. They are usually in a block, so if the main server address is 111.111.111.111, the server probably has all its available IPs in a block, 111.111.111.112, .113, etc. so they will often test all the IPs if the main one doesn't work.
  • Changing the port is good, but you might as well not bother if you are going to pick something obvious like 222, 2222, 1234, etc. Hackers test the obvious ports first.
  • Sure you are safer, but you have to admit, doing all of this properly would be tough for YOU to remember if you need to get in. Further, if your wheel account isn't working or the password is changed and you can't get into WHM you're sunk. There has to be a better way... and there is. Read on.

There is another way to access root directly WITHOUT permitting someone to log in via the root password.

The secret is using public/private keys. You will create a public/private key pair, upload the public key to your server, and keep the private key on your personal computer (don't put your private key on any computer that you share with anyone else, for safety).

If you don't understand what a public/private key is and how such encryption works, visit pgp.com to learn more about it.

How do we do this SSH key thing?

Let's back up to the point where we were first editing the sshd_config file earlier.
Code:
pico -w /etc/ssh/sshd_config
Go ahead and change the IP address and port if you want to.

Scroll down until you see the following lines:
Code:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
Uncomment the second line and change "yes" to "without-password"
Code:
PermitRootLogin without-password
Edit the rest of the file as mentioned the first time.
Save the changes.
DO NOT RESTART SSHD, we still have work to do.

If you are running Windows, you probably use Putty to access SSH on your server. As it happens, Putty comes with a key generator you can use. If you don't use Putty and your SSH client can't create keys, then you can use PGP (free or paid version) to create a key pair, but you will have to edit it so it is a single line (rather than block) and contains the appropriate header info. If you use a Mac with Mac OS X, you've already got a key generator installed on your computer.

Note: For security I recommend that if you already use keys for other purposes (sending/receiving mail, etc.) that you still create a NEW key pair just for SSH with a completely different password.

Generating a Key Pair Under WINDOWS Using Putty:
  • Look in the directory where Putty is installed; you should see a program called PuttyGen.exe. If you don't see it, download a copy here: http://www.chiark.greenend.org.uk/~s.../download.html
  • Use PuttyGen to create a public/private key pair. USE THE LARGEST BIT VALUE POSSIBLE (4096); this will create the strongest, most secure key pair. It DOES take a while to generate, but you only need to do it ONE time, so DON'T SKIMP! Trust me on this, go take your Ritalin and go play outside for a while while we still have some nice weather in this hemisphere.
  • Make sure the private key password is VERY secure. It is a PAIN to replace. That being said, make sure you don't forget it either... or you will need a tech's help to get back into your server via SSH.
  • PuttyGen will allow you to copy your public key to the clipboard now. Do so.
  • Switch to your currently running SSH session in Putty. Skip past the Mac/Linux directions below and go to the section on installing your key on your server.

CONTINUED, NEXT POST
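
The sshd_config changes walked through in the post above, collected into a small audit script that can be run before restarting sshd. This is an added example, not part of the original post; the port 48213 and address 192.0.2.10 in the sample file are constructed values, and the fallback defaults are assumed to be the commented-out lines the post shows.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings the post recommends.
# Fallback defaults are the commented-out values shown in the post (an assumption
# for any other sshd build).

# sshd_value FILE KEYWORD DEFAULT -> first uncommented value, else DEFAULT
sshd_value() {
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/ { next }                      # commented lines are ignored
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE -> one WARN line per setting that is still weak
audit_sshd_config() (
    f=$1
    v=$(sshd_value "$f" Port 22)
    case $v in 22|222|2222|1234) echo "WARN Port $v: default or obvious port" ;; esac
    v=$(sshd_value "$f" Protocol 2,1)
    [ "$v" = 2 ] || echo "WARN Protocol $v: SSH protocol v1 still allowed"
    v=$(sshd_value "$f" ListenAddress 0.0.0.0)
    [ "$v" != 0.0.0.0 ] || echo "WARN ListenAddress $v: listening on every IP"
    v=$(sshd_value "$f" PermitRootLogin yes)
    case $v in
        no|without-password) ;;
        *) echo "WARN PermitRootLogin $v: root can log in with a password" ;;
    esac
    v=$(sshd_value "$f" StrictModes yes)
    [ "$v" = yes ] || echo "WARN StrictModes $v: file permission checks are off"
)

# Constructed sample files: the stock lines from the post, and an edited version.
stock=$(mktemp); hardened=$(mktemp)
printf '%s\n' '#Port 22' '#Protocol 2,1' '#ListenAddress 0.0.0.0' \
    '#PermitRootLogin yes' '#StrictModes yes' > "$stock"
printf '%s\n' 'Port 48213' 'Protocol 2' 'ListenAddress 192.0.2.10' \
    'PermitRootLogin without-password' 'StrictModes yes' > "$hardened"

echo "== stock ==";    audit_sshd_config "$stock"
echo "== hardened =="; audit_sshd_config "$hardened"
```

On a live server, point `audit_sshd_config` at /etc/ssh/sshd_config and run `sshd -t` to catch syntax errors before `service sshd restart`.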