SSH Security

There are many things one can do to help keep your ssh access secure in a shared hosting environment.  Grab your client (PuTTY links can be found on the software page), log in, and let's go!

  1. The first one: don't allow it!  Pretty simple, huh?  In a shared hosting environment, there are very few reasons why you should allow a user to have ssh.  If you do, make sure you inspect the script(s) they plan on running, and keep an eye on the logs.
  2. Of course, you as a system admin need ssh access.  Move your ssh to a non-standard port.  SSH by default runs on port 22.  Most scanners only scan this port, and then try to log in.  However, keep in mind that if you are trying to access ssh from your work, you may not be able to get in if you move it to a non-standard port.  To change this port, use this in the config file – ‘Port xxxx’.
  3. Disable direct root login.  This is a must, no matter whether you have already done the first two steps.  Create a user and group for yourself.  Make sure they have a valid shell for logging in.  Make sure that you are logged into an ssh session as root.  Using your favorite editor, go ahead and open up the sshd config file.  On a CentOS box, that is found at ‘/etc/ssh/sshd_config’.  Now, the first thing you need to do is allow the newly created user to log into ssh.  Add this to the bottom of your file: ‘AllowUsers you’.  The ‘you’ should be replaced by the user you just created for yourself.  Now, the next change in that file: ‘PermitRootLogin no’.  This will not allow the user ‘root’ to log directly into ssh, which is good.  With your new user, you will log in, then su (switch user) to root.  Now, save your edits, then restart sshd – ‘service sshd restart’.  DO NOT CLOSE OUT YOUR CURRENT SSH SESSION!  If you do, and the edits do not work, you could effectively lock yourself out of your own box!  Open a new session (I assume you're using PuTTY).  Now, try to log into your server again as root.  Hopefully, you will not be able to.  That's good.  Try logging in as the user you created.  If you can log in, then you're golden!  If not, go back and retrace your steps using the already logged in root session.
  4. Use keys instead of passwords.  You can generate a matching key pair, so that even if someone guesses your password, as long as you have turned on key authentication only, they will still not be able to log in.
  5. Don't use easy passwords!  Make sure your passwords are not found in the dictionary.  It may be a pain in the ass to remember your password once you create it, but, when you use it often enough, you will eventually remember it.  A great site for generating passwords can be found here – http://www.pctools.com/guides/password
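Steps 2 through 4 all come down to a handful of sshd_config directives, and the risk in every one of them is the same: a typo or a duplicate line that you only discover after the restart, when you are already locked out.  The script below is an added example (not part of the original post) that applies those directives to a copy of the config file and then verifies each one is present exactly once and uncommented, so you have something to check before you run ‘service sshd restart’ from your still-open root session.  The user name ‘you’, the port 2222, and the sample config contents are placeholders constructed for the example; the real file lives at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original post.  Hardens a COPY of an
# sshd_config per steps 2-4 above and checks the result.  ADMIN_USER and
# SSH_PORT are placeholders; override them in the environment as needed.

ADMIN_USER="${ADMIN_USER:-you}"   # placeholder: your non-root login
SSH_PORT="${SSH_PORT:-2222}"      # placeholder: a non-standard port

# Constructed sample standing in for /etc/ssh/sshd_config.
make_sample_config() {
  cat > "$1" <<'EOF'
# sample sshd_config (constructed for this example)
#Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
EOF
}

# Drop every existing copy of a directive (commented or not), then append
# the hardened value, so running this twice never leaves duplicates.
set_directive() {
  cfg="$1" key="$2" value="$3"
  grep -v -E "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$cfg" > "$cfg.tmp" || true
  printf '%s %s\n' "$key" "$value" >> "$cfg.tmp"
  mv "$cfg.tmp" "$cfg"
}

harden_sshd_config() {
  cfg="$1"
  set_directive "$cfg" Port "$SSH_PORT"              # step 2
  set_directive "$cfg" PermitRootLogin no            # step 3
  set_directive "$cfg" AllowUsers "$ADMIN_USER"      # step 3
  set_directive "$cfg" PubkeyAuthentication yes      # step 4
  set_directive "$cfg" PasswordAuthentication no     # step 4
}

# Returns 0 only if each hardened directive appears exactly once and is
# not commented out; anything else means do NOT restart sshd yet.
check_sshd_config() {
  cfg="$1"
  for pair in "Port $SSH_PORT" "PermitRootLogin no" "AllowUsers $ADMIN_USER" \
              "PubkeyAuthentication yes" "PasswordAuthentication no"; do
    n=$(grep -c -E "^[[:space:]]*${pair}[[:space:]]*$" "$cfg")
    [ "$n" -eq 1 ] || return 1
  done
  return 0
}

# Demo on a temporary file: ./harden.sh demo
demo() {
  tmp=$(mktemp)
  make_sample_config "$tmp"
  harden_sshd_config "$tmp"
  check_sshd_config "$tmp" && cat "$tmp"
  rm -f "$tmp"
}

case "${1:-}" in
  demo) demo ;;
esac
```

Two caveats that the script builds in but the post only implies: ‘PasswordAuthentication no’ (step 4) must not go live until your public key is already in your new user's ~/.ssh/authorized_keys, or the key-only login will fail exactly like the root login you just blocked; and ‘AllowUsers’ is a whitelist, so every account you ever want to ssh in with has to be listed there.  On the real server, run ‘sshd -t -f /etc/ssh/sshd_config’ after editing, before the restart; it parses the file and reports errors without touching the running daemon.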