Securing a VPS is one of the first tasks to perform as soon as you obtain it. We will start by securing the SSH server.
Environment
- VDS-GAME-1 from FTH
- OS: Debian 9.0
Tools
Git for Windows (release v2.43.0.windows.1, from the git-for-windows/git project on GitHub), which provides a terminal with ssh and ssh-keygen on Windows,
or your terminal emulator on Linux.
Change the SSH port
The default SSH port (22) is the first target of automated attacks. It must therefore be changed to a less known port, preferably above 1024 (this mainly cuts the noise from scanners; the key and root settings below are what actually protect the server).
First list the ports already in use with netstat (on Debian 9 it is shipped in the net-tools package):
# apt update && apt install net-tools
# netstat -ntap
Then open the configuration file:
# nano /etc/ssh/sshd_config
and replace the 22 in the line
Port 22
with the desired port number.
Create a user
For day-to-day operations on the server, it is advisable to log in as root as rarely as possible. So let us create a standard user for that purpose.
# adduser username
sudo has to be installed:
# apt update && apt install sudo
Add the user to the sudo group (the membership takes effect at the user's next login):
# usermod -aG sudo username
Change the authentication method
It is recommended to use an authentication method other than the password: a key pair, here an RSA key.
On your own machine, generate the RSA key pair with:
$ ssh-keygen -t rsa -b 4096 -C "a comment to add to the key"
-t rsa: the type of key to generate
-b 4096: the size of the key in bits
-C: a comment embedded in the generated public key
or with PuTTY's GUI (PuTTYgen). Do not forget your passphrase if you set one.
On the server, logged in as the user created above, prepare the authorized keys file:
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ nano ~/.ssh/authorized_keys
The key pair was written to /home/username/.ssh/ on Linux and to C:/Users/username/.ssh on Windows: id_rsa is the private key and stays on your machine, id_rsa.pub is the public key.
Then copy the contents of the .pub file into ~/.ssh/authorized_keys on the server and close nano.
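The steps above done as one function, as an added example that is not part of the original guide: it creates ~/.ssh and authorized_keys with the same permissions, refuses input that is not a public key line (a pasted private key, an empty clipboard) and never adds the same key twice. The function names and the constructed key line used in the comments are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): install a public key line into
# HOMEDIR/.ssh/authorized_keys with the permissions the guide uses.
# Function and argument names are this example's own choice.
set -eu

# install_authorized_key HOMEDIR "KEYTYPE BASE64 [COMMENT]"
# Creates HOMEDIR/.ssh (0700) and authorized_keys (0600) if missing and
# appends the key line unless the same key is already present.
# Returns 0 on success, 1 if the input does not look like a public key line.
install_authorized_key() {
    home=$1
    keyline=$2
    # A public key line starts with the key type; anything else is rejected,
    # which catches "-----BEGIN OPENSSH PRIVATE KEY-----" pasted by mistake.
    case $keyline in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) echo "refusing: not a public key line" >&2; return 1 ;;
    esac
    # Split into type, key data and optional comment; require the key data.
    set -- $keyline
    [ $# -ge 2 ] || { echo "refusing: missing key data" >&2; return 1; }

    dir="$home/.ssh"
    file="$dir/authorized_keys"
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$file"
    chmod 600 "$file"
    # Same type and key data already listed: nothing to do (idempotent),
    # so re-running the step does not grow the file.
    if grep -qF "$1 $2" "$file"; then
        return 0
    fi
    printf '%s\n' "$keyline" >> "$file"
}

# Octal mode of a path (GNU/busybox stat), to verify the permissions afterwards.
mode_of() {
    stat -c '%a' "$1"
}

# Usage on the server, after copying id_rsa.pub over:
#   install_authorized_key "$HOME" "$(cat id_rsa.pub)"
```

The check on the first word is deliberately strict: sshd silently ignores lines it cannot parse, so a malformed paste would otherwise only show up as a failed login after password authentication has been switched off.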
# nano /etc/ssh/sshd_config
Look for and uncomment the lines
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
(RSAAuthentication yes is a leftover from SSH protocol 1; the OpenSSH 7.4 shipped with Debian 9 only accepts it as a deprecated option and ignores it, so PubkeyAuthentication is the line that matters.)
Then change the PasswordAuthentication parameter, which disables password authentication for every user, so make sure the key login works before you rely on it:
PasswordAuthentication no
Block root SSH connections
PermitRootLogin no
Restrict SSH users
You can also keep an allow list or a deny list of the users permitted to connect:
AllowUsers validuser1 validuser2
DenyUsers baduser1 baduser2
Other settings to apply:
Limit the number of unauthenticated connections:
Limiting the maximum number of simultaneous unauthenticated connections to your SSH server helps against brute force attacks. Set the value to the number of pending connections you allow (OpenSSH also accepts the start:rate:full form, e.g. 10:30:60, which drops new connections with increasing probability instead of refusing them outright; with a flat value of 2, a third client is refused while two others sit at the login prompt):
MaxStartups 2
Disable blank passwords
Prohibit logins for accounts whose password is empty:
PermitEmptyPasswords no
Show the date and origin of the last login when a user logs in:
PrintLastLog yes
And restart the SSH service with:
# service ssh restart
or
# systemctl restart sshd
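The whole sshd_config procedure above, as an added example that is not part of the original guide: a function that applies each directive to a configuration file (rewriting a commented-out copy such as "#Port 22" rather than leaving it behind), and a second one that validates the file with sshd -t before restarting, so a typo never leaves the server without SSH. The function names, argument layout and the sample file in the comments are this example's own; the port and AllowUsers list are parameters.

```shell
#!/bin/sh
# Added example (not from the original guide): apply this guide's sshd_config
# settings to a file and validate it before restarting the service.
# Function names and the argument layout are this example's own choice.
set -eu

# set_directive FILE KEY VALUE
# Rewrite the first "KEY ..." line (commented out or not) as "KEY VALUE",
# drop any later duplicates, and append the line if KEY is absent. This keeps
# exactly one active copy, so a forgotten "#Port 22" cannot be re-enabled later.
set_directive() {
    file=$1; key=$2; value=$3
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[# \t]*" k "[ \t]") { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# harden_sshd_config FILE PORT "user1 user2"
# The directives are the ones this guide sets; port and user list are arguments.
harden_sshd_config() {
    cfg=$1; port=$2; users=$3
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" PubkeyAuthentication yes
    set_directive "$cfg" AuthorizedKeysFile "%h/.ssh/authorized_keys"
    set_directive "$cfg" PasswordAuthentication no
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" PermitEmptyPasswords no
    set_directive "$cfg" MaxStartups 2
    set_directive "$cfg" PrintLastLog yes
    set_directive "$cfg" AllowUsers "$users"
}

# validate_and_restart FILE
# sshd -t parses the file and exits non-zero on any error; only restart when
# it passes, so a bad edit is reported instead of taking the service down.
validate_and_restart() {
    if /usr/sbin/sshd -t -f "$1"; then
        systemctl restart ssh
    else
        echo "$1 is invalid; sshd was not restarted" >&2
        return 1
    fi
}

# Run as root on the server, keeping a backup first, e.g.:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   sh this_script.sh /etc/ssh/sshd_config 2222 "validuser1 validuser2"
if [ $# -eq 3 ]; then
    harden_sshd_config "$1" "$2" "$3"
    validate_and_restart "$1"
fi
```

Because set_directive matches commented-out copies of a directive too, the result has a single active line per setting; that is what you want to check when an edited config behaves unexpectedly, since sshd takes the first occurrence of a directive and ignores later ones.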
And do not forget your passphrase, nor that the SSH port has changed. Keep your current session open while you restart: open a new connection on the new port with your key, and only close the old session once that login works.
Here we go! You have just protected SSH on your Debian 9 VPS.