Maintaining a dedicated host can be a daunting task, but in the face of many possible problems there are also many solutions available to keep your dedicated servers secure. Two critical steps are to lock down your dedicated server’s SSH and root access. Keep reading below to find out how to do just that, and keep your dedicated server secured.
1. Disable external root login.
You’ve heard it before, and we’ll say it again, never perform server activities by logging in as the root user directly. Since every server has a root user, this is a common user that is accessed via brute force externally. The best way to secure access is to disable remote root logins completely.
In order to disable root login by remote users, set PermitRootLogin to “no” in the /etc/ssh/sshd_config config file.
2. Restrict SSH Logins By Group
The key to securing SSH is to narrow down exactly who has access to the service. Limiting SSH access by groups is a great way to do this. Adding the following to your sshd_config would allow only those users and groups to access the SSH service:
AllowUsers reliable site johnson
AllowGroups noc
3. Only Allow SSH Access From Certain IP’s
One of the most common ways to secure SSH is to only allow SSH access from certain IP addresses. This is ideal if you use a VPN to connect to your servers, as the IP would stay static. If you connect from a dynamic IP, this would not be a great option for you if you do not use a VPN. The iptables rules would look like this if you were running SSH on port 22:
iptables -A INPUT -j ACCEPT -p tcp –dport 22 -s 10.0.0.20
iptables -A INPUT -j ACCEPT -p tcp –dport 22 -s 10.0.0.25
iptables -A INPUT -j DROP -p tcp –dport 22
4. Setup Brute-Force Prevention
Brute force prevention software automatically blocks access from users that submit bad login credentials multiple times. Fail2ban is a great piece of software that will do this for you.
5. Use SSH Keys instead of Passwords and Define Password Minimums
Passwords are the weakest link when it comes to system security. Bypassing passwords altogether is the safest way to secure SSH access. Instead of passwords, use SSH keys to authenticate users. CentOS has a great guide for using SSH keys instead of passwords, which you can read here. Some system passwords are always required, so defining enhanced password requirements is key. CentOS has a guide for using PAM to update password strength minimums here.
6. Change Default SSH Port
Running SSH on port 22 is an easy way of telling intruders exactly where to enter your server. While it is not exactly difficult to locate the SSH daemon, switching the port is a good way of obscuring points of entry. Changing the SSH port is a common way of securing access. Open the /etc/ssh/sshd_config file and uncomment the port number in order to change it. You’ll need to restart SSHD when you’re done.
Summary of SSH Security
Using SSH on your dedicated server is easy if you follow these tips:
- Disable external root access
- Restrict SSH by groups
- Only allow SSH connections from certain IP’s
- Setup Brute Force Protection
- Use SSH Keys
- Change default SSH port
Need additional help securing your dedicated server? Consider our dedicated server management option.
For additional reading, check our other posts:
SSH, FTP and SFTP | Connecting to your Dedicated Server Securely