Post #1 (permalink)   05-02-2011, 06:17 AM
NobleCloud (HD Addict) | Join Date: Feb 2011 | Location: Exeter, UK | Posts: 115
Some of you probably already know this, but in case you don't, I discovered this yesterday.

SSH (Secure Shell) is basically a way of controlling your entire server from the command line. Root users can install and uninstall software, change configuration settings, and even remotely reboot the server.

However, by default, all it takes to access it is a username and password that has shell access (normally the root user). If someone discovers, or sniffs out, those login credentials, then they have instant access to your server. This is not what you really want, is it?!

So, if you have WHM on your server (this is just an example; you can do it without WHM), you can log in as the root user and set your SSH security to require an SSH key file in order to work. You'll still have to enter your username and password, but you will also have to upload your key file into the SSH remote console in order to log in; otherwise even the root user won't be able to log in.

This will increase your security and reduce the chances of someone hacking your server over SSH. This is a basic example of protection.

Of course, there are loads of other ways you can make your server more secure, the best one perhaps being a firewall. ConfigServer is a good one, and it's free. What's more, if you have cPanel or WHM it has a special UI so you can control the entire firewall directly from WHM via the plugin it installs. This makes life a lot easier, as you would otherwise have to set it up from the command line.
 
 


Post #2 (permalink)   05-02-2011, 10:32 AM
pinellashosting (HD Newbie) | Join Date: Apr 2011 | Location: Florida | Posts: 46
Turn off root login. Limit access to only the users that need it. Use sudo.

    vi /etc/ssh/sshd_config

Uncomment

    PermitRootLogin

then set it to no:

    PermitRootLogin no

Make sure you can log in and switch to root before you do this, or you will not be able to access your server.

After making changes to /etc/ssh/sshd_config, restart SSH. On Red Hat based operating systems, do:

    service sshd restart

To enable sudo on Red Hat based OSes, run visudo and make the needed changes.

To limit by user, add this to the end of /etc/ssh/sshd_config:

    AllowUsers username

Restart SSH when changes are made.

Good luck!
__________________
Hivelocity
Sparknode
 
 


Post #3 (permalink)   05-02-2011, 11:27 AM
NobleCloud (HD Addict) | Join Date: Feb 2011 | Location: Exeter, UK | Posts: 115
I might try that. Thanks.
Anything to make my server more secure.
 
 
 


Post #4 (permalink)   05-02-2011, 11:48 AM
handsonhosting (HD Wizard) | Join Date: Mar 2005 | Location: Atlanta, GA | Posts: 2,264
Definitely kill the root access and password authentication on the server.

The keys are a great tool and a step in the right direction, but kill the root. Make a user that you have to log in with and then sudo to root; much more secure.

For us, we use both the keys and the user method. We also set designated IPs so that if the login doesn't come from "X" IP number, the login will be rejected. Of course, if you go that route, you'd better have more than one IP that can access (just in case your IP gets blocked or changed).

Good step in the right direction with the keys; just take the next step and you'll be more secure.
__________________
Emerson Nogueira
http://www.HandsOnWebHosting.com
cPanel Web Hosting, Domain Registration, Managed VPS Servers
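An added example (not from this thread or any poster): a small POSIX shell audit that checks an sshd_config for the settings recommended in posts #2 and #4, i.e. root login off, password authentication off, an AllowUsers list present, and a non-default port. It assumes plain "Keyword value" lines and stops at the first Match block, since values inside it are conditional.

```bash
# Constructed example (not from the thread): audit an sshd_config for the
# hardening recommended above. sshd keeps the FIRST value it sees for a
# keyword (later duplicates are ignored), keywords are case-insensitive,
# "#" starts a comment, and values inside a Match block are conditional,
# so the scan stops there. Assumes "Keyword value" lines (not Keyword=value).

# sshd_effective FILE KEYWORD -> prints the top-level effective value, or nothing
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }                 # conditional section begins
        tolower($1) == kw      { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# _sshd_check LABEL ACTUAL WANTED -> PASS/FAIL line; WANTED "" means "any value set"
_sshd_check() {
    actual=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if { [ -z "$3" ] && [ -n "$actual" ]; } || { [ -n "$3" ] && [ "$actual" = "$3" ]; }; then
        echo "PASS $1=${2:-unset}"
    else
        echo "FAIL $1=${2:-unset}"; return 1
    fi
}

# sshd_audit FILE -> one line per check; exit status 0 only when every check passes
sshd_audit() {
    f=$1; failed=0
    _sshd_check PermitRootLogin        "$(sshd_effective "$f" PermitRootLogin)"        no || failed=1
    _sshd_check PasswordAuthentication "$(sshd_effective "$f" PasswordAuthentication)" no || failed=1
    _sshd_check AllowUsers             "$(sshd_effective "$f" AllowUsers)"             "" || failed=1
    port=$(sshd_effective "$f" Port)
    if [ -n "$port" ] && [ "$port" != 22 ]; then
        echo "PASS Port=$port"
    else
        echo "FAIL Port=${port:-22 (default)}"; failed=1
    fi
    return $failed
}

# Usage: sshd_audit /etc/ssh/sshd_config
```

Run it before restarting sshd, and keep an existing root session open while you do, for the lock-out reason post #2 gives.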
 
 
 


Post #5 (permalink)   05-02-2011, 01:13 PM
NobleCloud (HD Addict) | Join Date: Feb 2011 | Location: Exeter, UK | Posts: 115
Quote:
Originally Posted by handsonhosting
Definitely kill the root access and password authentication on the server.

The keys are a great tool and a step in the right direction, but kill the root. Make a user that you have to log in with and then sudo to root; much more secure.

For us, we use both the keys and the user method. We also set designated IPs so that if the login doesn't come from "X" IP number, the login will be rejected. Of course, if you go that route, you'd better have more than one IP that can access (just in case your IP gets blocked or changed).

Good step in the right direction with the keys; just take the next step and you'll be more secure.
Mhmmm... designated IPs. How would I set that up? Sounds good.
 
 
 


Post #6 (permalink)   05-02-2011, 01:20 PM
pinellashosting (HD Newbie) | Join Date: Apr 2011 | Location: Florida | Posts: 46
Use APF or iptables to restrict by IP address. For Red Hat based OSes use APF and BFD.
__________________
Hivelocity
Sparknode
 
 
 


Post #7 (permalink)   05-02-2011, 11:59 PM
handsonhosting (HD Wizard) | Join Date: Mar 2005 | Location: Atlanta, GA | Posts: 2,264
You can set it up in CSF using the firewall. Basically you'll use the iptables function to restrict access to port 22 to only allow connections from a certain IP number. Of course, you did change from the default port 22 as well, right? No need for hackers attempting to hijack the port.

You can also do something like this:

In /etc/hosts.allow add the line:

    sshd: xxx.xxx.xxx.xxx

In /etc/hosts.deny add the line:

    sshd: ALL

That'll block anyone who isn't coming from the IP defined in the hosts.allow list.
__________________
Emerson Nogueira
http://www.HandsOnWebHosting.com
cPanel Web Hosting, Domain Registration, Managed VPS Servers
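An added example (not from this thread or any poster) that works through the hosts.allow / hosts.deny pair in the post above: a POSIX shell evaluator that applies the TCP wrappers decision order (hosts.allow match grants, hosts.deny match refuses, no match allows) to a daemon name and client address, so you can see which addresses the pair locks out before it goes live. The daemon and address values it is tested with are constructed documentation addresses, not real hosts.

```bash
# Constructed example (not from the thread): evaluate what a hosts.allow /
# hosts.deny pair like the one above does for a client, in TCP wrappers order:
# a match in hosts.allow grants, otherwise a match in hosts.deny refuses,
# otherwise the connection is allowed. Handles daemon lists ("sshd", "ALL"),
# client patterns ALL, an exact IPv4 address and a trailing-dot prefix
# such as "203.0.113." (everything in that /24). Assumes IPv4 only.

# wrap_match LINE DAEMON IP -> exit 0 if the "daemons : clients" line covers them
wrap_match() {
    line=${1%%#*}                                   # drop trailing comments
    daemons=$(printf '%s' "$line" | cut -s -d: -f1 | tr ',' ' ')
    clients=$(printf '%s' "$line" | cut -s -d: -f2 | tr ',' ' ')
    dhit=1; chit=1
    for d in $daemons; do
        [ "$d" = ALL ] || [ "$d" = "$2" ] && dhit=0
    done
    for c in $clients; do
        case $c in
            ALL) chit=0 ;;
            *.)  case $3 in "$c"*) chit=0 ;; esac ;;  # network prefix
            *)   [ "$c" = "$3" ] && chit=0 ;;
        esac
    done
    [ $dhit -eq 0 ] && [ $chit -eq 0 ]
}

# wrap_file_match FILE DAEMON IP -> exit 0 if any line of FILE matches
wrap_file_match() {
    [ -f "$1" ] || return 1
    while IFS= read -r l || [ -n "$l" ]; do
        wrap_match "$l" "$2" "$3" && return 0
    done < "$1"
    return 1
}

# wrap_decision ALLOWFILE DENYFILE DAEMON IP -> prints "allow" or "deny"
wrap_decision() {
    if wrap_file_match "$1" "$3" "$4"; then echo allow
    elif wrap_file_match "$2" "$3" "$4"; then echo deny
    else echo allow                                 # no rule matched: wrappers permit
    fi
}

# Usage: wrap_decision /etc/hosts.allow /etc/hosts.deny sshd 203.0.113.7
```

OpenSSH dropped built-in tcp_wrappers support in version 6.7, so on a current system confirm that your sshd is actually linked against libwrap (for example with ldd on the sshd binary) before relying on hosts.allow; otherwise only the firewall rule applies.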
 
 


Post #8 (permalink)   05-03-2011, 01:07 AM
kunnusingh (HD Master) | Join Date: Jul 2010 | Location: Universe | Posts: 309
Dangerous if you have no physical access to the server.
__________________
Windows VPS
Web Hosting Yearly & WebHostingLoud.com Hosting Forum
 
 
 


Post #9 (permalink)   05-03-2011, 01:50 AM
handsonhosting (HD Wizard) | Join Date: Mar 2005 | Location: Atlanta, GA | Posts: 2,264
Refer to post #4. Strongly recommend multiple IPs be allowed to access the server, or at the very least KVM access so updates could be made if needed.
__________________
Emerson Nogueira
http://www.HandsOnWebHosting.com
cPanel Web Hosting, Domain Registration, Managed VPS Servers
 
 
 


Post #10 (permalink)   05-03-2011, 02:42 AM
NobleCloud (HD Addict) | Join Date: Feb 2011 | Location: Exeter, UK | Posts: 115
Thanks guys.
 
 
 


Post #11 (permalink)   05-03-2011, 05:20 AM
Christiano (Account Disabled) | Join Date: Apr 2010 | Posts: 155
You can also always run the SSH service on a non-standard SSH port to make SSH secure.
 
 
 


Post #12 (permalink)   05-03-2011, 08:08 AM
handsonhosting (HD Wizard) | Join Date: Mar 2005 | Location: Atlanta, GA | Posts: 2,264
A non-standard port is only a mask and should not be considered SECURITY. A port sniffer will easily be able to find which port SSH is running on (or someone posting about sFTP information). Granted, it's better than leaving port 22 open, but it shouldn't be considered "secure".
__________________
Emerson Nogueira
http://www.HandsOnWebHosting.com
cPanel Web Hosting, Domain Registration, Managed VPS Servers
 
 
 


Post #13 (permalink)   05-11-2011, 07:31 PM
ServerSea (HD Addict) | Join Date: Feb 2011 | Posts: 223
CSF (ConfigServer Firewall) is the best way; I guess you do not need anything else after installing it and setting the rules.

Also, use strong passwords. Use lowercase and capital letters, numbers and symbols in your password.
__________________
ServerSea – Low Cost High Quality Web Hosting & Designing
Domain For Life– 99.9% Up time – Super Fast Servers – Backups – True 24/7 Support
Money Back Guarantee – Special Discounts – Unlimited Downloads
http://www.serversea.com
 
 
 


Post #14 (permalink)   05-18-2011, 10:29 AM
SimplyShared (HD Newbie) | Join Date: Apr 2011 | Location: London, UK | Posts: 42
Quote:
Originally Posted by handsonhosting
Definitely kill the root access and password authentication on the server.

The keys are a great tool and a step in the right direction, but kill the root. Make a user that you have to log in with and then sudo to root; much more secure.

For us, we use both the keys and the user method. We also set designated IPs so that if the login doesn't come from "X" IP number, the login will be rejected. Of course, if you go that route, you'd better have more than one IP that can access (just in case your IP gets blocked or changed).

Good step in the right direction with the keys; just take the next step and you'll be more secure.
More or less what I do, except I'm not fond of allowing only certain IPs, since I'm often on the move and at home I have a dynamic IP, so obviously that would cause some problems ;p
__________________
SimplyShared.net - Europe based shared hosting solutions
Fast & friendly UK based support, with 99.9% uptime!
 
 
 


Post #15 (permalink)   05-20-2011, 02:24 AM
webhost.uk.com (HD Amateur) | Join Date: Feb 2009 | Posts: 92
Make sure you don't use the default port 22; you can change it to any number, say 34545, to connect to your server.
This should also help.
__________________
UK Web Hosting : Best UK Web Hosting
US Web Hosting | Best US Web hosting
UK Dedicated Servers : UK VPS Hosting
Shared, Reseller, VPS, Dedicated hosting specialist
 
 
 