Securing a VPS is one of the first tasks to perform as soon as you obtain it. We will start with how to secure your SSH server.
- VDS-GAME-1 from FTH
- OS: Debian 9.0
- Git for Windows: https://github.com/git-for-windows/git/releases/latest (Windows), or your terminal emulator on Linux
Change the SSH port
The default SSH port (22) is the first target of potential attacks. It must therefore be changed to a less well-known port, preferably greater than 1024.
We can list the ports already in use with netstat:
# apt update && apt install net-tools
# netstat -ntap
Then open the SSH server configuration file and replace the 22 on the port line with the desired port number:
# nano /etc/ssh/sshd_config
Create a user
For day-to-day operations on the server, it is advisable to log in as root only rarely. So let's create a standard user to work with instead.
# adduser username
You will need to install sudo:
# apt update && apt install sudo
Add the user to the sudo group:
# adduser username sudo
Change the authentication method
It is recommended to use an authentication method other than a password: an RSA key.
On your own machine, generate the RSA key with:
$ ssh-keygen -t rsa -b 4096 -C "a comment to add to the key"
-t rsa: the type of key to generate
-b 4096: the number of bits in the key
-C: a comment added to the generated RSA key
or with PuTTY's GUI. Do not forget your passphrase if you set one.
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ nano ~/.ssh/authorized_keys
The key files generated above are saved in /home/username/.ssh/ if you are on Linux and C:/Users/username/.ssh if you are on Windows.
Then copy the contents of the .pub file into ~/.ssh/authorized_keys and close nano.
$ sudo nano /etc/ssh/sshd_config
Look for and uncomment lines
We change the PasswordAuthentication parameter, which will permanently disable password authentication.
Block root SSH connections
Restrict SSH users
You can also maintain a whitelist or a blacklist of users who are allowed to connect, with:
AllowUsers validuser1 validuser2
DenyUsers baduser1 baduser2
Other configurations to do:
Limit the number of unauthenticated connections:
Limiting the maximum number of simultaneous unauthenticated connections to your SSH server can protect you from brute-force attacks. To set this value, enter the number of connections you allow:
Disable blank passwords
Prohibit logins by users without a password with:
View the latest logs at login
Finally, restart the SSH service with either of:
# service ssh restart
# systemctl restart sshd
And do not forget your passphrase, or that the SSH port has changed.
There you go! You have just secured SSH on your Debian 9 VPS.
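To check the edited file against the settings covered above, here is an added audit script (not part of the original guide). Several of the guide's configuration lines are missing from the page, so the keywords PermitRootLogin, MaxStartups, PermitEmptyPasswords and PrintLastLog, their expected values, and the sample file are assumptions based on the standard OpenSSH directives for those sections.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the settings this guide changes.
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive,
# values are case-sensitive. Assumptions: Include files and Match blocks are not
# evaluated, and a missing keyword falls back to the upstream OpenSSH default.

# effective_value FILE KEYWORD DEFAULT: print the value sshd would use.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                  # commented-out lines have no effect
        tolower($1) == "match" { exit }      # audit the global section only
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); val = $0; found = 1; exit
        }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd_config FILE: print findings, return 1 if a required setting is wrong.
audit_sshd_config() {
    f=$1; rc=0
    [ "$(effective_value "$f" Port 22)" != 22 ] || { echo "FAIL Port is still 22"; rc=1; }
    # KEYWORD:EXPECTED:DEFAULT-WHEN-ABSENT
    for kv in PasswordAuthentication:no:yes PermitRootLogin:no:prohibit-password \
              PermitEmptyPasswords:no:no PrintLastLog:yes:yes; do
        key=${kv%%:*}; rest=${kv#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(effective_value "$f" "$key" "$def")
        [ "$got" = "$want" ] || { echo "FAIL $key is '$got', expected '$want'"; rc=1; }
    done
    for key in AllowUsers MaxStartups; do    # optional in the guide: warn only
        [ -n "$(effective_value "$f" "$key" "")" ] || echo "WARN $key is not set explicitly"
    done
    return "$rc"
}

# Constructed sample: the uncommented "yes" comes first, so the later "no" is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
#PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
permitemptypasswords no
AllowUsers validuser1 validuser2
EOF
audit_sshd_config "$sample" || echo "audit failed"
rm -f "$sample"
```

Run `audit_sshd_config /etc/ssh/sshd_config` before restarting the service, and keep your current session open until a new login on the new port succeeds. `sshd -T` prints the full effective configuration, including the Match and Include handling that this script skips.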