Secure your vps (SSH)

Securing a vps is one of the priority tasks to perform as soon as it is obtained. We will first see how to secure your SSH server.

Environment

  • VDS-GAME-1 from FTH
  • OS: Debian 9.0

Tools
Git for Windows (release v2.43.0.windows.1, github.com/git-for-windows/git): its Git Bash ships an OpenSSH client (Windows)

or your terminal emulator on Linux.

Change the SSH port
The default SSH port (22) is the first target of automated attacks, so change it to a less well-known port, preferably above 1024.

First list the ports already in use with netstat (on Debian it is provided by the net-tools package):

# apt update && apt install net-tools

# netstat -ntap

Then open the SSH daemon configuration:

# nano /etc/ssh/sshd_config

and replace the 22 of the line

Port 22

with the port number you chose.

Create a user
For the day-to-day operations on the server it is advisable to log in as root as rarely as possible, so create a standard user for that purpose.

# adduser username

sudo has to be installed:

# apt update && apt install sudo

Add the user to the sudo group:

# adduser username sudo

Change the authentication method
Rather than passwords, use key-based authentication with an RSA key pair.

On your own machine, generate the key pair with:

$ ssh-keygen -t rsa -b 4096 -C "a comment to add to the key"

-t rsa: the type of key to generate

-b 4096: the size of the key in bits

-C: a comment stored in the generated public key

or with PuTTY (PuTTYgen) if you prefer a GUI. Do not forget the passphrase if you set one.

The key pair is written to /home/username/.ssh/ on Linux and to C:/Users/username/.ssh on Windows; the public half is the file ending in .pub.

On the server, logged in as the new user, prepare the authorized_keys file with the right permissions:

$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ nano ~/.ssh/authorized_keys

Then paste the contents of the .pub file into ~/.ssh/authorized_keys and close nano.
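The same server-side steps, as an added example that is not part of the original post: a small POSIX shell script that creates ~/.ssh and authorized_keys with exactly the modes above, appends a public key without duplicating it on a second run, and verifies the permissions (sshd's StrictModes, on by default, refuses keys whose file or directory others can write to, a classic cause of "my key is not accepted"). The function names, the throw-away home directory and the placeholder key line are this example's own assumptions; it uses ssh-keygen only if it is installed.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a user's
# ~/.ssh/authorized_keys with the permissions the post asks for, and verify them.
# Run it on the server as the target user (or point USER_HOME at that user's home).

# install_authorized_key USER_HOME PUBKEY_FILE
# Creates ~/.ssh (700) and authorized_keys (600), then appends the key once:
# running it twice does not duplicate the entry.
install_authorized_key() {
  home="$1"; pubfile="$2"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  key=$(cat "$pubfile")
  # -x matches the whole line, -F takes the key literally (it contains '+' and '/')
  if ! grep -qxF "$key" "$home/.ssh/authorized_keys"; then
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
  fi
}

# check_ssh_perms USER_HOME
# Returns 0 only if the modes are exactly 700 / 600. With StrictModes (the default)
# sshd ignores an authorized_keys file or ~/.ssh directory that others can write to.
check_ssh_perms() {
  home="$1"
  dmode=$(stat -c '%a' "$home/.ssh") || return 1
  fmode=$(stat -c '%a' "$home/.ssh/authorized_keys") || return 1
  [ "$dmode" = "700" ] && [ "$fmode" = "600" ]
}

# count_keys USER_HOME : number of key lines present in authorized_keys
count_keys() {
  grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# --- demo on a throw-away home directory (constructed, not a real account) ---
demo_home=$(mktemp -d)
pubfile="$demo_home/id_rsa.pub"
if command -v ssh-keygen >/dev/null 2>&1; then
  # Empty passphrase only so the demo runs unattended; use a passphrase for real keys.
  ssh-keygen -q -t rsa -b 4096 -N '' -C 'demo key' -f "$demo_home/id_rsa"
else
  # Constructed placeholder in the authorized_keys line format; not a usable key.
  printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedplaceholder demo key\n' > "$pubfile"
fi

install_authorized_key "$demo_home" "$pubfile"
install_authorized_key "$demo_home" "$pubfile"   # second run must not add a duplicate
check_ssh_perms "$demo_home" && echo "permissions OK, $(count_keys "$demo_home") key installed"
```

To use it for real, replace demo_home with the user's home directory and pubfile with the .pub file copied from your workstation; the grep guard makes it safe to re-run when you add the same key again later.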

# nano /etc/ssh/sshd_config

Look for and uncomment the lines

PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Some guides also list RSAAuthentication yes; that is a protocol-1 option which the OpenSSH 7.4 shipped with Debian 9 no longer uses and only reports as deprecated, so it can be left out.

Then set PasswordAuthentication to no, which disables password authentication for good. Before you do, open a second session and confirm that logging in with the key works, otherwise you may lock yourself out.

PasswordAuthentication no

Block root SSH connections

PermitRootLogin no

Restrict SSH users
You can also keep a whitelist or a blacklist of the users allowed to connect:

AllowUsers validuser1 validuser2
DenyUsers baduser1 baduser2

Other settings worth making:
Limit the number of unauthenticated connections:

Capping the number of simultaneous connections that have not yet authenticated protects your SSH server against brute-force attempts. Set it to the number of pending connections you want to allow:

MaxStartups 2

Disable blank passwords
Refuse logins for accounts whose password is empty:

PermitEmptyPasswords no

Show the date and time of the last login at each connection:

PrintLastLog yes

Finally, restart the SSH service with:

# service ssh restart

or

# systemctl restart sshd
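Before running the restart above, it is worth checking that the file really says what you think. The following POSIX shell script is an added example, not part of the original post: it reads an sshd_config the way sshd does (comments skipped, keywords case-insensitive, first occurrence of a keyword wins) and audits the settings this post asks for, including the Debian 9 / OpenSSH 7.4 defaults that apply when a keyword is left unset. The three sample configs are constructed for the demo; the function names and the syntax_check wrapper around sshd -t are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the settings
# this post asks for, the way sshd itself reads the file: comments are skipped,
# keywords are case-insensitive and the FIRST occurrence of a keyword wins.
# (Match blocks are not handled; the post's settings are all global.)

# effective_value FILE KEYWORD : prints the value sshd would use, or nothing if unset
effective_value() {
  awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
    tolower($1) == kw { print $2; exit }            # first hit wins
  ' "$1"
}

# audit_sshd_config FILE : one line per check; return value = number of failures
audit_sshd_config() {
  cfg="$1"; fails=0
  # keyword:wanted:OpenSSH-7.4-default (the default applies when the keyword is unset)
  for spec in \
      'PasswordAuthentication:no:yes' \
      'PermitRootLogin:no:prohibit-password' \
      'PermitEmptyPasswords:no:no' \
      'PubkeyAuthentication:yes:yes'; do
    kw=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; default=${rest#*:}
    got=$(effective_value "$cfg" "$kw")
    got=${got:-$default}
    if [ "$got" = "$want" ]; then
      echo "OK   $kw = $got"
    else
      echo "FAIL $kw is '$got', expected $want"
      fails=$((fails + 1))
    fi
  done
  port=$(effective_value "$cfg" Port)
  if [ -z "$port" ] || [ "$port" = "22" ]; then
    echo "FAIL Port is still the default 22"
    fails=$((fails + 1))
  else
    echo "OK   Port = $port"
  fi
  return "$fails"
}

# syntax_check FILE : let sshd parse the file before you restart it (skipped if no sshd here)
syntax_check() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not installed on this machine; skipping syntax check"
  fi
}

# --- constructed sample configs (not copied from any real server) ---
default_cfg=$(mktemp); hardened_cfg=$(mktemp); trap_cfg=$(mktemp)

# Roughly what Debian 9 ships: everything relevant still commented out
cat > "$default_cfg" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF

# The settings from this post applied
cat > "$hardened_cfg" <<'EOF'
Port 2222
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
MaxStartups 2
PrintLastLog yes
EOF

# A common mistake: the hardened line was appended at the end while an earlier
# "yes" is still present, and sshd keeps the first value it sees
cat > "$trap_cfg" <<'EOF'
Port 2222
PasswordAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
# appended later; silently ignored by sshd
PasswordAuthentication no
EOF

for f in "$default_cfg" "$hardened_cfg" "$trap_cfg"; do
  echo "== $f"
  rc=0; audit_sshd_config "$f" || rc=$?
  echo "failures: $rc"
done
```

On the server, run audit_sshd_config /etc/ssh/sshd_config and then syntax_check /etc/ssh/sshd_config as root; only restart the service once both are clean. The third sample shows why grepping for "PasswordAuthentication no" is not enough: the earlier "yes" is what sshd actually applies.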

Your current session stays open after the restart, so test a fresh connection to the new port before closing it. Do not forget your passphrase, and remember that the SSH port has changed.
Here we go! You have just hardened SSH on your Debian 9 VPS.