IMPORTANT: The guidelines below are for those who know how to set up SSH login and two-factor authentication. If you don’t know how to do it, check the documentation on the subject first. Otherwise, you risk hurting yourself rather than securing SSH access to the server.
There is another way to get an easily scalable server that is easy to manage, highly secure and available: rent cloud servers from ArkHost.
Changing the SSH port
This is a basic step that is necessary to protect your infrastructure. By default, SSH access is on port 22. Consequently, any intruder wishing to gain access to your servers will start their hacking attempt on this port.
Change the port number used for SSH access, and you will make life very difficult for anyone trying to break into your system. A simple but effective action. Attackers will now have to somehow find out the number of the working SSH port before they can attempt to gain access to your system.
The port number is changed in the /etc/ssh/sshd_config file. Specify a different port there and save the file. The security level has been increased.
Disabling password login
By default, each user has a password for connecting via SSH. Anyone who knows the login/password pair and the correct IP address can log in easily. If the password is unknown, that is no obstacle either: SSH does not impose a limit on the number of authentication attempts. Entering an incorrect password three times closes the connection, but nothing prevents the same user from connecting again and continuing to try.
Standard SSH settings do not provide an option to fix this vulnerability. The problem can only be solved by installing third-party software (such as fail2ban).
If you disable password login, users will be forced to use authorization keys to log in to your server. An authorization key is a specially generated electronic key that consists of a public and a private part. The public part of the key is stored on the server. The private part stays on the user's computer.
With this approach, only users with a valid SSH key authorized on the server can log in to the system. Attempting to log in with a username and password will fail. It is essential to create authorization keys and configure login using these keys before disabling password login. Otherwise, you won’t be able to log in to the server via SSH.
Setting the password to expire
SSH key logon is what you might call the most secure way to use the server. But it is not always possible to implement this feature. So, you may want to keep the password as is but set it to expire at regular intervals. As soon as the deadline arrives, the system asks the user to change the password.
If passwords are changed regularly, stealing them becomes ineffective. Attackers risk ending up with information that becomes useless within a day or two to a week. They have less time to prepare for an attack, which increases your chances of successfully protecting your data. Of course, all passwords must be complex, so they cannot be guessed.
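A check for which accounts actually have an expiry policy, as an added example that is not part of the original article. It assumes the standard shadow file layout (name:hash:last change:min age:max age:...); the sample lines and the 90-day limit are constructed for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow stores dates as days since this day

# Constructed sample in /etc/shadow format; hashes are placeholders.
SAMPLE_SHADOW = """\
root:!:19700:0:99999:7:::
alice:$6$constructed$placeholder:19800:0:90:7:::
bob:$6$constructed$placeholder:19800:0:99999:7:::
carol:$6$constructed$placeholder:19800:0::7:::
"""

def password_expiry(shadow_text, max_days=90):
    """Map each password-login account to its expiry date.

    The value is None when the account has no maximum age or one longer
    than max_days, i.e. the password effectively never expires.
    """
    report = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # not a shadow entry
        user, pw_hash, last_change, _min_age, max_age = fields[:5]
        if pw_hash.startswith(("!", "*")):
            continue  # locked account: no password login to expire
        if not (last_change.isdigit() and max_age.isdigit()):
            report[user] = None  # empty max age means no expiry at all
        elif int(max_age) > max_days:
            report[user] = None  # e.g. the common 99999-day default
        else:
            days = int(last_change) + int(max_age)
            report[user] = EPOCH + timedelta(days=days)
    return report

if __name__ == "__main__":
    for user, expires in password_expiry(SAMPLE_SHADOW).items():
        print(user, expires or "NO EXPIRY POLICY")
```

On a live system the same fields are shown per user by `chage -l`, and the maximum age is set with `chage -M`.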
Disabling root access
The most important account in Linux is the root user. It has almost unlimited power and has access to EVERYTHING. In modern distributions, restrictions are beginning to appear, but even the remaining power may be enough for an experienced attacker to hijack control of the server or circumvent the restrictions. If a hacker gains access to your server via SSH with root permissions, you are in big trouble.
Linux allows you to disable root access through SSH, and you should take advantage of it. This will force an intruder to seek access to your system through a regular account. Such accounts (we believe) have severely restricted permissions and can only access the data their owners need for their work.
Making changes in /etc/ssh/sshd_config can reduce the damage from losing an entire server to losing a few folders. The choice, as they say, is yours. But before making any changes, make sure you have at least one user who is allowed to log in via SSH, is actually able to do so and can perform administrative tasks via sudo, or at least can switch to the root user via su. Otherwise, you may be unable to SSH into the server at all, or be able to log in but not to administer it.
It should be noted that not all versions of Linux support such changes. The popular CentOS, for example, has no users other than root by default.
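The three sshd_config changes described above (port, password login, root login) can be verified with a small audit, shown here as an added example that is not part of the original article. The sample configurations and port 2222 are constructed; the parser covers global settings only and stops at the first Match block.

```python
DEFAULTS = {  # OpenSSH built-in values used when a keyword is absent
    "port": ["22"],
    "passwordauthentication": ["yes"],
    "permitrootlogin": ["prohibit-password"],
}

def effective_settings(text):
    """Resolve global-scope settings the way sshd does: first value wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments, e.g. the stock "#Port 22"
        parts = line.replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]  # keywords are case-insensitive
        if key == "match":
            break  # conditional overrides follow; not audited here
        if key == "port":
            seen.setdefault(key, []).append(value)  # Port may repeat
        elif key not in seen:
            seen[key] = [value]  # later duplicates are ignored by sshd
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit(text):
    """Return findings for the settings this article recommends changing."""
    s = effective_settings(text)
    findings = []
    if "22" in s["port"]:
        findings.append("Port: sshd still listens on default port 22")
    if s["passwordauthentication"][0] != "no":
        findings.append("PasswordAuthentication: password login is enabled")
    if s["permitrootlogin"][0] != "no":
        findings.append("PermitRootLogin: root login is not disabled")
    return findings

# Constructed samples. In WEAK the trailing "PasswordAuthentication no"
# has no effect because an earlier line already set the keyword.
WEAK = "#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = "Port 2222\nPasswordAuthentication no\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

On a live server, `sshd -T` prints the effective configuration, which is the authoritative input for a check like this.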
Two-factor authentication for SSH
Two-factor authentication is becoming commonplace on many sites as it provides a higher level of security for your account. To get into your account, it is not enough for an intruder to know your password; they also need access to a two-factor code-generating application on your phone.
You can set up a two-factor authentication system on the server as well. And then anyone who tries to log in via SSH will have to enter their password (or have the SSH key on the server) and enter the code generated by the mobile app.
This is an excellent way to secure SSH access to your server. Check the documentation on setting up authentication in advance so that you can act correctly if it stops working.
Server security can and should be layered. Even the best security can be compromised if you rely on it alone. A comprehensive approach to the issue increases the level of protection.
Tips on securing SSH access are useful not only for cloud infrastructure users. They are also helpful for companies running their own equipment. However, in many ways, the cloud is safer than on-premises infrastructure.
Get your own Cloud Server at ArkHost. Your services will be deployed automatically and live in seconds.