Post #1 by Aric, November 8th, 2004, 1:27 PM
SSH and Security

Several customers have asked about how to keep your servers secure, particularly access via SSH. This post will try to explain how best to do that.

First off, let me say, no matter what you do, keeping your root password complex and constantly changing is extremely important.

After this if I see ANY of you with the default root password we set on your server, I will drive/fly to where you live and slap you silly, understand? SAY NO TO DEFAULT ROOT PASSWORDS.

There are two ways to change your password:
  • In WHM: Log into WHM as root, click CHANGE ROOT PASSWORD, type in your new password (be careful and double check it, you are only asked 1 time), and submit the new password.
  • Via SSH: Log into your server directly as root (don't SU to root). Type:
    Code:
    passwd
    Type your new password 2x. Note: You won't see anything when you are typing. This is Geek Security, just press ENTER when done. If you type it correctly 2x it will be immediately changed.

OK, so now you have a nice, long, alphanumeric password that also contains special characters (-,!,#, etc.) and some random upper- and lower-case characters and isn't based on ANY words found in a dictionary.

Don't forget to change your root pass regularly! (Once a month is probably good, or more often if you think you need to do so.)

If any of you have done some research on the subject of Linux security, you're probably aware that "experts" recommend that when it comes to SSH security you:
  • Disable root SSH login altogether
  • Change the IP address that SSH is bound to (answers on)
  • Change the port SSH is bound to
  • Make sure SSH only uses v2 of the SSH protocol (more secure than v1)
  • Create a user, add them to the wheel group and have that user SU to root

This will certainly make your server safer. However, there are a few drawbacks to all that, which I'll get into later, as well as another method of securing SSH access that is less problematic and even safer than SU to root.

Most of the changes listed above can be accomplished just by editing a single file. To start, just log into your server via SSH as root and type the following:
Code:
pico -w /etc/ssh/sshd_config
Welcome to the SSHD (SSH Daemon) config file!

In case you don't know this, any line that begins with a "#" is COMMENTED (which means it is ignored; it's typically used for comments, hence the name).

You should see a block that looks something like this near the top of the file.
Code:
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
This is most of what we need to change to make the magic happen.
Uncomment the first line #Port 22 (remove the #). Now change this to any unused port, try to stay away from obvious choices like 222, 2222, 1234, etc. Also, if you are running APF (and you SHOULD BE), you will also need to edit the conf.apf file later to add whatever port you just chose to the ALLOWED ports (ingress/egress) and restart APF later. Don't forget or you will lock yourself out of SSH!

Now uncomment the second line. All you need to do here is remove the ",1" at the end of the line, so it looks like:
Code:
Protocol 2
Now for the third line. Uncomment it. Change 0.0.0.0 to any IP address that is assigned to your server that IS NOT CURRENTLY BEING USED for any other purpose (for maximum security).

Scroll down until you see the following lines:
Code:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
Uncomment the second line, and change "yes" to "no"
Also uncomment the next line (StrictModes).

Scroll down a little further for one last change:
Code:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
Uncomment the second line.

Now save the file. To do that, press CTRL-X, Y, ENTER.

Before we restart anything, we need to add a user to be in the wheel group (this will be the account that can SU to root later). Type:
Code:
# -p expects an already-hashed (crypt) password, not plain text, so hash it first
useradd -g wheel -s /bin/bash -p "$(openssl passwd -1 'passwordhere')" newusername
Change "passwordhere" to the password you want to use for the account, no spaces. Change "newusername" to whatever you want to call this new super user. IT CANNOT BE A USERNAME ALREADY USED BY AN ACCOUNT IN CPANEL. This is for the best security-wise anyway.

Don't forget this password and make it a SECURE one!

If all has gone well, you can now restart SSH and test it out. PLEASE MAKE DOUBLY SURE YOU DIDN'T MAKE ANY MISTAKES BEFORE RESTARTING SSHD. Also, make sure to edit conf.apf if you have APF installed to add the new SSH port.

To restart it type:
Code:
service sshd restart
Now log into SSH using the new IP ADDRESS and SSH port number, and log in as your super user.

Once in, you now have to SU to root, type:
Code:
su
and type in the root password for your server.
You will now have most of the powers that the root user has (with a few exceptions).

When you want to log out, type "exit" 2x.

Congratulations, your server is much safer now.

However, there are a few things to consider:
  • SUing to root makes your server much safer, but you aren't out of the woods. A good hacker, if they got your root password, could STILL get into your server directly as root. All they need to do is log into WHM as root, change the root password, create an account, add that user to the wheel group, SU to root, modify sshd_config to allow root logins and relogin as root with the new root password. They then remove your SU account and you're locked out and your server is now "0wn3d". Lucky you.
  • Changing the IP address is good (especially if it is not used for anything else on your server). However, hackers are wise to this trick. They also know that it is rare that a server has completely randomly chosen IPs. They are usually in a block, so if the main server address is 111.111.111.111, the server probably has all its available IPs in a block, 111.111.111.112, .113, etc. so they will often test all the IPs if the main one doesn't work.
  • Changing the port is good, but you might as well not bother if you are going to pick something obvious like 222, 2222, 1234, etc. Hackers test the obvious ports first.
  • Sure you are safer, but you have to admit, doing all of this properly would be tough for YOU to remember if you need to get in. Further, if your wheel account isn't working or the password is changed and you can't get into WHM you're sunk. There has to be a better way... and there is. Read on.

There is another way to access root directly WITHOUT permitting someone to log in via the root password.

The secret is using public/private keys. You will create a public/private key pair, upload the public key to your server, and keep the private key on your personal computer (don't put your private key on any computer that you share with anyone else, for safety).

If you don't understand what a public/private key is and how such encryption works, visit pgp.com to learn more about it.

How do we do this SSH key thing?

Let's back up to the point where we were first editing the sshd_config file earlier.
Code:
pico -w /etc/ssh/sshd_config
Go ahead and change the IP address and port if you want to.

Scroll down until you see the following lines:
Code:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
Uncomment the second line and change "yes" to "without-password"
Code:
PermitRootLogin without-password
Edit the rest of the file as mentioned the first time.
Save the changes.
DO NOT RESTART SSHD, we still have work to do.

If you are running Windows, you probably use Putty to access SSH on your server. As it happens, Putty comes with a key generator you can use. If you don't use Putty and your SSH client can't create keys, then you can use PGP (free or paid version) to create a key pair, but you will have to edit it so it is a single line (rather than block) and contains the appropriate header info. If you use a Mac with Mac OS X, you've already got a key generator installed on your computer.

Note: For security I recommend that if you already use keys for other purposes (sending/receiving mail, etc.) that you still create a NEW key pair just for SSH with a completely different password.

Generating a Key Pair Under WINDOWS Using Putty:
  • Look in the directory where Putty is installed, you should see a program called PuttyGen.exe. If you don't see it, download a copy here: http://www.chiark.greenend.org.uk/~s.../download.html
  • Use PuttyGen to create a public/private key pair. USE THE LARGEST BIT VALUE POSSIBLE (4096) this will create the strongest, most secure key pair. It DOES take a while to generate, but you only need to do it ONE time, so DON'T SKIMP! Trust me on this, go take your Ritalin and go play outside for a while while we still have some nice weather in this hemisphere.
  • Make sure the private key password is VERY secure. It is a PAIN to replace. That being said, make sure you don't forget it either... or you will need a tech's help to get back into your server via SSH.
  • PuttyGen will allow you to copy your public key to the clipboard now. Do so.
  • Switch to your currently running SSH session in Putty. Skip past the Mac/Linux directions below and go to the section on installing your key on your server.

CONTINUED, NEXT POST
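As an added example (not code from Aric's post), a small POSIX shell audit that reads an sshd_config the way sshd does (the first active occurrence of a directive wins; a commented-out line leaves the built-in default in force) and reports which of the settings described above are still weak. The two sample configs, the port 41022 and the address 192.0.2.10 are constructed values.

```shell
# Added example (not the original post's code): audit an sshd_config against the
# settings recommended in this thread. sshd honours only the FIRST uncommented
# occurrence of a directive, so that is the one we read.

# cfg_get FILE KEYWORD  -> value of the first uncommented occurrence (or nothing)
cfg_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || NF < 2 { next }          # comments and blank lines
        tolower($1) == key { print $2; exit }  # first match wins, as in sshd
    ' "$1"
}
# audit_sshd_config FILE  -> prints one line per check; exit status = findings
audit_sshd_config() {
    f="$1"; fails=0
    # missing directives fall back to the (2004-era OpenSSH) compiled-in defaults
    port=$(cfg_get "$f" Port);                  : "${port:=22}"
    proto=$(cfg_get "$f" Protocol);             : "${proto:=2,1}"
    listen=$(cfg_get "$f" ListenAddress);       : "${listen:=0.0.0.0}"
    root=$(cfg_get "$f" PermitRootLogin);       : "${root:=yes}"
    strict=$(cfg_get "$f" StrictModes);         : "${strict:=yes}"
    empty=$(cfg_get "$f" PermitEmptyPasswords); : "${empty:=no}"
    case "$port" in
        22|222|2222|1234) echo "FAIL Port $port (default or obvious choice)"; fails=$((fails+1)) ;;
        *)                echo "ok   Port $port" ;;
    esac
    case "$proto" in
        2) echo "ok   Protocol 2" ;;
        *) echo "FAIL Protocol $proto (still permits SSH protocol 1)"; fails=$((fails+1)) ;;
    esac
    case "$listen" in
        0.0.0.0|::) echo "FAIL ListenAddress $listen (bound to every address)"; fails=$((fails+1)) ;;
        *)          echo "ok   ListenAddress $listen" ;;
    esac
    case "$root" in
        no|without-password|prohibit-password) echo "ok   PermitRootLogin $root" ;;
        *) echo "FAIL PermitRootLogin $root (root password login allowed)"; fails=$((fails+1)) ;;
    esac
    [ "$strict" = yes ] && echo "ok   StrictModes yes" || { echo "FAIL StrictModes $strict"; fails=$((fails+1)); }
    [ "$empty" = no ]   && echo "ok   PermitEmptyPasswords no" || { echo "FAIL PermitEmptyPasswords $empty"; fails=$((fails+1)); }
    return $fails
}
# Constructed sample configs: the stock block quoted in the post (everything
# still commented out, so every default applies) and one edited as described.
WEAK_CFG=$(mktemp); cat >"$WEAK_CFG" <<'EOF'
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#PermitRootLogin yes
#StrictModes yes
#PermitEmptyPasswords no
EOF
HARD_CFG=$(mktemp); cat >"$HARD_CFG" <<'EOF'
Port 41022
Protocol 2
ListenAddress 192.0.2.10
PermitRootLogin without-password
StrictModes yes
PermitEmptyPasswords no
EOF
echo "== stock config ==";    audit_sshd_config "$WEAK_CFG" || echo "findings: $?"
echo "== hardened config =="; audit_sshd_config "$HARD_CFG" && echo "findings: 0"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` before restarting sshd; a non-zero exit status means something is still at the weak default.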
Post #2 by Aric, November 8th, 2004, 1:28 PM
SSH and Security, Part 2

Generating a Key Pair Under MacOS X/Linux Using the Command Line/Shell:
  • The directions for Mac OS X and most flavors of Linux are the same.
  • Under Mac OS X, we first need to fire up the Terminal. If you've never done so before, you will find it here:
    ~/Applications/Utilities/Terminal
    where "~" is your user folder.
  • At this point, the directions are the same for Mac OS X and most versions of Linux.
  • Type:
    Code:
    ssh-keygen -t dsa -b 4096
    You will be prompted where to save the resulting key file. Accept the default location. Enter your password for the private key. DO NOT LEAVE THE PASSWORD BLANK!!!!!! The key will be created and saved into the location specified.
  • Is a RSA or DSA key "better"? Either kind works, but DSA is a slightly newer kind of key that is slightly more secure overall (though it doesn't make a big difference in a key only used for SSH).
  • Now we need to copy the public key to the clipboard so we can paste it into the correct location on the server. Naturally, you blessed Mac/Linux folks could just scp the pub key to your server, but for the sake of syncing up with the directions for the Windows users, I won't discuss that here.
  • Mac/Linux: Use your favorite Shell text editor (pico, vi, emacs, etc.) to open the public key file and copy it to your clipboard. The file in question is probably stored in a location like:
    /Users/username/.ssh/id_dsa.pub
  • Mac: If you don't want to use the command line, you can use standard text editors, like BBEDIT, Text Edit, TexEdit, etc. To do that, go to the Finder and select OPEN FOLDER from the GO menu item (Command-Shift-G) Type the path to the file in the box that opens:
    /Users/username/.ssh/
    Open the id_dsa.pub key file with a text editor of your choice and copy the contents to the clipboard. Don't change this file and if you are asked if you want to save the file DON'T.

    We now rejoin our poor easily hacked Windows cousins...

Installing the Public Key on Your Server:
  • NOTE: If you use PGP to create the key, you will need to paste each line together and remove the ---block begins/ends here--- lines. In addition, you have to add ssh-dsa (or ssh-rsa) to the beginning of the line so it looks like the other keys on your server.
  • Back in the terminal session for your server...
  • Type:
    Code:
    pico -w ~/.ssh/authorized_keys
  • If for some reason you get an error telling you .ssh doesn't exist, then create it:
    Code:
    cd ~
    mkdir .ssh
    cd .ssh
    pico -w authorized_keys
  • More than likely, ~/.ssh/authorized_keys will already exist and the file will be displayed in pico. If there are lines already in this file DO NOT REMOVE THEM, just scroll to the end (CTRL-V a few times should do the trick) and press ENTER after the last key so you are on a blank line. Now paste in your public key. This key MUST be all on one single line. Close and save this file as you would normally.
  • To be on the safe side, let's give ourselves some wiggle room in case there is a problem with the key. Edit the sshd_config file again. Change the "PermitRootLogin" line to "yes" again and save the changes.
  • Restart SSHD:
    Code:
    service sshd restart
  • For good measure under Windows, quit Putty and restart it.

Testing Your New SSH Key and Finishing Up:
  • Try logging into your server as root. If you did everything correctly, you should now be prompted to enter your KEY password (not root password). Enter your key password and you should now be in as root.
  • If it asks for the root password instead of the key password, you've done something wrong. Log in with the root password and review all the steps.
  • If it worked, we can now re-edit the sshd_config file to set "PermitRootLogin" to "without-password", save changes and restart SSHD.
  • If you had created an SU user earlier, remove it:
    Code:
    userdel username
    where "username" is the username of the user in the wheel group.

Benefits to using SSH keys:
  • Once you create a key pair, you can safely use the SAME SSH key on every server you have root access to. One password will get you root access on all your servers.
  • If your sysadmin buddy changes the root password for some reason, you can STILL LOG IN via SSH and use passwd to change the root pass to something secure that you can remember.
  • Very secure: A hacker would need your private key and password on their computer to log in as root. Anyone trying to use a password will fail just as if you had turned off root access, but without the messy SU to root.

If you haven't already installed APF/AD/BFD on your server, or rootkithunter, or updated logwatch, you should do so now.

Also, don't give SSH to ANYONE unless you absolutely HAVE to, and if you MUST do so, make sure it is a jailshell.

[EDIT:] I knew I forgot something else I wanted to add... A discussion of how you can be notified via e-mail whenever someone successfully logs into your server as root. This can be handy since most of you probably only have yourselves or perhaps 1-2 others typically logging into your server(s). This can give you a heads-up if you see a root login you don't expect to check your server.

To do that, log in as root to your server using your new SSH key and then do the following from the /root directory (which should be where you start):
Code:
pico -w .bashrc
Scroll to the end of the file then add the following:
Code:
echo 'ALERT - Root Shell Access (YourServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you[at]yourdomain.com
Replace "YourServerName" with the hostname of your server.
Replace "you[at]yourdomain.com" with your actual email address.

Press CTRL-X, Y, ENTER/RETURN to save the changes.

Now go ahead and log out and back in. Shortly thereafter you should get a mail with the hostname, date, time and who it was that tried to log in (typically this will be the reverse DNS record of an IP address or the IP address itself).

This isn't meant to be a complete list of every security precaution you could/should take, but it is an important first step.

Regards,

Aric
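The .bashrc alert above calls `who`, which lists every open session, so with two people logged in the subject line carries two hosts. As an added example (not Aric's code), here is the same alert rebuilt as shell functions that take this session's origin from the SSH_CONNECTION variable sshd exports, falling back to `who am i`; the hostname and addresses are constructed, and `send_root_alert "$(hostname)" you@example.com` is the line that would go at the end of /root/.bashrc.

```shell
# Added example (not from the original post): a root-login alert that reports
# the origin of THIS session rather than every session `who` knows about.

# who_host LINE  -> the "(host)" field of one line of `who` output, if any
who_host() {
    printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p'
}

# login_source -> client address of the current session. sshd exports
# SSH_CONNECTION as "client-ip client-port server-ip server-port"; when it is
# absent (console login, or an su from another session) fall back to
# `who am i`, which, unlike plain `who`, is limited to the current terminal.
login_source() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        set -- $SSH_CONNECTION
        printf '%s\n' "$1"
    else
        src=$(who_host "$(who am i 2>/dev/null)")
        printf '%s\n' "${src:-unknown}"
    fi
}

# alert_subject HOST SOURCE and alert_body HOST SOURCE -> the mail text
alert_subject() { printf 'Alert: Root Access on %s from %s\n' "$1" "$2"; }
alert_body() {
    printf 'ALERT - Root Shell Access (%s) on: %s from %s\n' "$1" "$(date)" "$2"
}

# send_root_alert HOST RECIPIENT -> mails the alert, or prints it when no
# mail(1) command is installed (for example when trying this on a workstation)
send_root_alert() {
    src=$(login_source)
    if command -v mail >/dev/null 2>&1; then
        alert_body "$1" "$src" | mail -s "$(alert_subject "$1" "$src")" "$2"
    else
        alert_subject "$1" "$src"; alert_body "$1" "$src"
    fi
}

# Constructed demonstration: pretend sshd handed us a session from 198.51.100.7
# and show the subject and body that would be mailed.
SSH_CONNECTION="198.51.100.7 51022 192.0.2.10 41022"
SRC=$(login_source)
alert_subject srv1.example.com "$SRC"
alert_body srv1.example.com "$SRC"
```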
Post #3 by Ehaanaes, November 8th, 2004, 3:36 PM
Thank you Aric! Will get use for this guide as I get my first Surpass dedicated setup. (Ordering today.)
Post #4 by matsbs, November 8th, 2004, 3:58 PM
I would recommend all users to read the following post as well:

http://www.webhostingtalk.com/showth...l&pagenumber=1

Gives a really basic intro to cPanel/WHM security that SHOULD be in place on all dedicated servers.
Post #5 by Aric, November 8th, 2004, 4:01 PM
Welcome to the DS club.
Post #6 by Ehaanaes, November 8th, 2004, 4:04 PM
Thanks. And yes, read the one matsbs gave you too. Good tips there.
Post #7 by Aric, November 8th, 2004, 4:05 PM
Quote:
Originally Posted by matsbs
I would recommend all users to read the following post as well:

http://www.webhostingtalk.com/showth...l&pagenumber=1

Gives a really basic intro to cPanel/WHM security that SHOULD be in place on all dedicated servers.
The basics are OK but I don't recommend you follow the directions...

The kernels we install are more secure than your run-of-the-mill kernel (which that post would have you install). Plus the directions for APF, etc. are out of date.
Post #8 by Ehaanaes, November 8th, 2004, 4:21 PM
Hmm. Planning a guide on APF and BFD for your servers then, Aric?
Will give you a beer next time I meet you then.

Edit: Just noticed your already created guide on that.
Owe you a beer now.
Post #9 by andy - ns, December 17th, 2004, 8:35 PM
I did what you said, up to the part with logging in with the new IP and port. When I try using the new user name, my SSH just closes... now I can't get in. I double checked before I restarted; it doesn't say an error, it just closes.

!!! I overlooked the add -withoutpassword part !! oh crap...