
Securing SSH on Linux Tutorial

Nycro

User is banned.
Reputation
0
Hello Everyone!

Here is a Tutorial on how to secure SSH on your Linux box (Or server!)

SSH stands for Secure Shell (also known as OpenSSH). It is used as a replacement for telnet and allows you to remotely connect to your Linux server. SSH should be used instead of telnet due to the fact that telnet is insecure, sending your user name and password in plain text along with no encryption. SSH fixes both of those problems using encryption.

Now, even though SSH is much more secure than telnet, if it is not set up properly then you might as well be using telnet! I will try my best to walk you through this. This may seem redundant, but I cannot stress enough using a good password, as that's the first step to not only securing your box but SSH as well, since we will be using it here!

It is also recommended to not use the root "admin" account. You can create an account with elevated privileges if needed, or just use the "su" command if you need to (I will explain how to securely set that up...). Since this is my first tutorial here I might be repeating myself in the future, but it's better that I repeat myself than for you to miss out on something important! I will be writing more tutorials if this is well received.

In this tutorial we are going to assume that the client is a Windows-based machine. I might include the commands for Linux as well for the client information if I get a chance.

What's needed:

(1) Computer running Linux (server) - Tutorial is using the latest CentOS x64 as the server (CentOS is the free version of RedHat), which is a great OS for servers and power users. You can use any other distro; I just cannot guarantee that everything will be exactly the same .... for the most part...

(2) Computer running Windows/Linux - I will assume you will be using a Windows client here, WINXP - WIN7. You will need an SSH client for Windows; the best (and it's free!) in my eyes is PuTTY. You will want to download the whole package from here Complete PuTTY Package, or if you prefer you can just go to the official download page here (or download from my attachments). If you're using a Linux client you will of course not need PuTTY, as SSH is built in.

(x) If you're using cPanel/WHM or another server control panel, then some of the items listed here you can do from the control panel. We will not be covering that here; we are going to go on the basis that you are not running a control panel for these purposes.
First, I would recommend you create a user if you have not already. I would not recommend using the root account! You can create an account just for SSH and/or just your user.

(a) I'm assuming that your Linux box/server is up and running. Extract the PuTTY.zip on your Windows box. I would extract it to its own folder somewhere easy to get to. (PuTTY does not install, it only runs when executed. I recommend making a link on the desktop or taskbar so that you can use it easily.)

Once PuTTY is open you will see the general settings window. If you look on the left side, those columns are the sections you can go to. You are currently on "Session". (One thing with PuTTY: you will notice that if you change a config setting from anything on the left-hand side, like let's say the "Auth" section, do not hit Open or Cancel when you're done; you need to go back to "Session" and save your settings there.)

You will see the host/IP box. Go ahead and enter your server's IP there, and for now we will be leaving the default port set to 22:
IP : 192.168.1.100 Port : 22 <--- Your Linux server's IP
Before hitting Open at the bottom we will save this configuration. For now, go ahead and enter a name for this connection in the Saved Sessions box and hit Save.
We are now ready to connect to your server. If you have done everything right it should connect to your server. (If you get any firewall warnings, allow the connection.)

(b) If everything went right you should have a shell open to your server asking for your username. We want to use the root login for now, so go ahead and enter "root" and press enter; you will then need to enter your root password. Once that is done you should be at the bash shell command prompt. (Most distros use the bash shell as the default shell; for all intended purposes we are using CentOS/RedHat, if you're using a different distro things can be different!)

The first thing we want to do is create a user that will have permissions to use the su command (Super User). It's up to you if you want to create this user as just your SSH user. (You can add more groups later on if you want, but for now we will be using the default groups.) Go ahead and type:
Code:
useradd -m -G wheel -s /bin/bash username
(Where username is what you want to call the new user.) This will create a user "username"; it will also create the home directory "-m", add the user to the group "wheel", and set the default shell to /bin/bash "-s". (Understand that you are creating a user that will be able to use the "su" command, as stated earlier, by putting the new user in the group "wheel" (default group on CentOS/RedHat). So make sure you treat this account as if it were a root user!)

Next we need to set the password for the new user. Go ahead and type
Code:
passwd username
You will then be prompted to enter a password twice. Set whatever password you want for your new user (if the password you enter sucks it might complain, but you can ignore it if you wish; you will still be able to use the password). Once you get the message that all the password tokens have been updated, your new user is ready to use. We will now close out the window and go back to PuTTY. Just reconnect to your server, but this time use the new user that you added. You should now be logged on under that user.

(c) Now we will be editing some files. If you have never used the built-in editors in Linux you will definitely want to use
Code:
nano
which should be installed. (You can test this by trying
Code:
nano /home/test.txt
If you get a blank box with highlighted controls on the bottom (^G ^X ..etc.) then you're in the nano text editor.) Otherwise you will get "command not found", which is rare, but if so you have two choices.
1. You can run the text editor vi, which is beyond the scope of this tutorial, although if you want you can Google and learn from there. (Sorry!)
2. What I would recommend is to use the yum package installer to install nano, which you can do by typing
Code:
yum install nano
which will install the nano text editor.

OK, now we should be ready to edit some files. Let's start off by editing the SSH config file (CentOS/RH use sshd where others may just be ssh). Let's get the file open in our editor.

At your shell prompt enter
Code:
nano /etc/ssh/sshd_config
Which should look like this :

Code:
#       $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

If you have ever worked with a programming language you should recognize the commented-out sections. (All of them are; the # is what makes it so, it's like saying "ignore me".) Let's change the default port that the SSH server runs on, as people running a port scan and seeing port 22 open gives away the port and opens you up for attack (you can use any port you want as long as it's not in use). Also, we only want SSH to use the newer secure protocol, so we are going to uncomment it as well; I will show you below. (I left some unneeded text out of the paste but you should get it!)

Code:
Port 1234
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

As you can see we have removed the comments (#) from the front of Port and Protocol. We have entered our desired port along with only allowing Protocol 2. After you're done editing it should look like above (with your port). (The ListenAddress you can use if you want to have the server listen on a particular IP, which you can use if you have more than one, but I will recommend leaving that alone for now.) You can now save the file by pressing Ctrl + O. Then press Ctrl + X to exit the editor.

You may have noticed while editing the sshd_config that there was a lot more to the file than what was seen here. Well, don't worry, we will be coming back to that soon enough...
We need to figure out if you want to still allow the root account to log in through SSH. We are going with the account that we set up in the beginning of this tutorial, so let's disable SSH login for root. (You can decide not to change this if you want. I will also write up how to install and use sudo, which will allow you to use the su without the root password... at a later time.)

So let's go back to our sshd_config using nano once again. Scroll down until you find this section:

Code:
#PermitRootLogin yes

And let's uncomment that and change it to no:

Code:
PermitRootLogin no

Save the file (Ctrl + O) and exit (Ctrl + X). And now we need to edit
Code:
nano /etc/pam.d/su
So that we can give the wheel group su permissions and deny it for others not in the wheel group. (You can add or edit this and other groups for these permissions and others as well, but let's focus on this for now.) Below is what you should see in the editor.

Code:
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

We want to remove the commented line from here :
Code:
#auth     required    pam_wheel.so use_uid
Which should then look like this below:

Code:
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth

We can then save the file (Ctrl + O) and exit (Ctrl + X).

Well, it's late. This will end Part One of this tutorial; I will finish up the rest tomorrow. Remember, this is not completed, we have a few more steps to secure your server!
Hope this was helpful to someone!

If you have any questions feel free to ask (or if you see any mistakes!)

Part II tomorrow

Seems something is wrong with the file attachments... You will have to download PuTTY from the links above....

Good Luck!
Nycro



Nycro
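
Added example, not part of Nycro's post: a small shell check for the settings the tutorial changes (Port, Protocol and PermitRootLogin in sshd_config, and the pam_wheel line in /etc/pam.d/su). The function names and sample files are constructed for illustration, and the defaults assumed for unset options are the commented values shown in the tutorial's sshd_config.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed.

# Print the effective value of a keyword in an sshd_config-style file.
# sshd uses the first uncommented occurrence; keywords are case-insensitive.
# (Match blocks and "Keyword=value" syntax are not handled here.)
sshd_value() {  # $1=file  $2=keyword  $3=default when the keyword is unset
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Print one finding per line; no output means every check passed.
# Defaults are the commented values shown in the tutorial's file.
audit_sshd() {  # $1=path to sshd_config
    [ "$(sshd_value "$1" Port 22)" != "22" ] ||
        echo "Port: still on default 22"
    [ "$(sshd_value "$1" Protocol 2,1)" = "2" ] ||
        echo "Protocol: protocol 1 is still allowed"
    [ "$(sshd_value "$1" PermitRootLogin yes)" = "no" ] ||
        echo "PermitRootLogin: root can log in over SSH"
    return 0
}

# Succeed only if an uncommented "auth required pam_wheel.so use_uid"
# line is present, i.e. su is restricted to members of wheel.
su_requires_wheel() {  # $1=path to pam.d/su
    awk '!/^[ \t]*#/ && $1 == "auth" && $2 == "required" &&
         $3 == "pam_wheel.so" && /use_uid/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Constructed samples: the tutorial's "before" and "after" states.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#Port 22' '#Protocol 2,1' '#PermitRootLogin yes' > "$tmp/before"
printf '%s\n' 'Port 1234' 'Protocol 2' 'PermitRootLogin no' > "$tmp/after"
printf '%s\n' '#auth  required  pam_wheel.so use_uid' > "$tmp/su_before"
printf '%s\n' 'auth  required  pam_wheel.so use_uid' > "$tmp/su_after"

for f in before after; do
    echo "== $f =="
    audit_sshd "$tmp/$f"
    su_requires_wheel "$tmp/su_$f" || echo "pam.d/su: su is not limited to wheel"
done
```

On a live server, point the functions at /etc/ssh/sshd_config and /etc/pam.d/su; `sshd -t` checks the edited file for syntax errors before the daemon is restarted.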
 

Diamond

Onyx user!
Reputation
0
Wow. Very nice. Maybe add some pictures to it?
 

Nycro

User is banned.
Reputation
0
Seems the weekend got into my time. I will try to finish this up tomorrow.

The thread looked fine yesterday. Is it now displaying a huge empty spot in the middle of the tutorial? Or is that just me... if so I will have to fix it....
 

µNex

Member
Reputation
0
Nycro said:
Seems the weekend got into my time. I will try to finish this up tomorrow.

The thread looked fine yesterday. Is it now displaying a huge empty spot in the middle of the tutorial? Or is that just me... if so I will have to fix it....

There isn't any empty spot that I can see.
 

Nycro

User is banned.
Reputation
0
Indeed, not sure what's wrong with IE9, but using that browser there's a huge gap and a lot of missing text.. FF and Chrome it's fine.. Weird

Thanks for letting me know. Could you let me know what browser you're using?

Nycro
 

µNex

Member
Reputation
0
Nycro said:
Indeed, not sure what's wrong with IE9, but using that browser there's a huge gap and a lot of missing text.. FF and Chrome it's fine.. Weird

Thanks for letting me know. Could you let me know what browser you're using?

Nycro

Google Chrome. :) Best browser one could use out there if I can say so myself.
 