Overclock.net › How To's › Linux Server Security

Linux Server Security

This guide is about how to secure Linux servers. For the most part it should be applicable to all major distributions (CentOS, RHEL, openSUSE, Debian). It assumes that you have chosen your distro and have SSH and root access. If your personal machine is running Windows, I assume you're using PuTTY for SSH; if you are using the OpenSSH client, follow the Linux steps instead of the Windows ones.

1. Normal Accounts
Create an account with a hard-to-guess username and password; this is a must. This account shouldn't have an entry in any sudoers file or have write access to system files. Every program that acts as a server should run under its own separate account set up like this: if one service is compromised, the attacker gets only that account's files and nothing else, and it costs almost no effort.

2. RSA Keypair Generation and Setup
a. On your machine, generate an RSA keypair (this will be used in the next step)
Windows: Use PuTTYgen. When you generate the key, take note of the box titled "Public key for pasting into OpenSSH authorized_keys file:"; this is the public key. You can always retrieve it by opening the private key in PuTTYgen again (remember to save both keys, and give the private key a passphrase so that a stolen key file is not usable on its own).
Linux:
Code:
             ssh-keygen -t rsa -b 4096 -C commenthere
Note: ssh-keygen prompts for the passphrase; don't pass it with -N on the command line, since it then ends up in your shell history. 2048 bits is the minimum you should use today, 4096 costs nothing noticeable.

b. On the server, append the public key (a single line beginning with ssh-rsa) to ~/.ssh/authorized_keys of the account you created in step 1.
If this directory or file doesn't exist, create it. sshd silently ignores the key if the permissions are too loose: ~/.ssh must be mode 700 and authorized_keys mode 600, both owned by that user, and the home directory itself must not be group- or world-writable.

c. Try logging in using your private key
Linux: ssh -i /path/to/private_key user@server (if the key is in the default location, ~/.ssh/id_rsa, plain ssh user@server works). You should be asked for the key's passphrase, not the account password; if you get a password prompt, the key was not accepted.
Windows: If using PuTTY, navigate to Connection->SSH->Auth in PuTTY; you should see "Private key file for authentication" near the bottom. Select the private key you generated earlier, then log in. If you specified a passphrase for your key, PuTTY will prompt you for it; otherwise you should be able to log in without a password.
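As an added example (my own, not part of the original how-to), here is a small POSIX shell script that does step 2b the safe way: it appends the key line to authorized_keys without duplicating it, sets the permissions that sshd's StrictModes check requires, and includes a check you can run when a key login is unexpectedly refused. The home directory and key line are whatever you pass in; the key material used in the test is made up.

```shell
#!/bin/sh
# install_authorized_key HOMEDIR "PUBKEY LINE"
# Appends one OpenSSH public key line to HOMEDIR/.ssh/authorized_keys,
# creating the directory (700) and file (600) as sshd's StrictModes expects.
# Idempotent: if the key material is already present (even with a different
# comment) nothing is appended. Run this as the target user, or chown the
# result to that user afterwards.
install_authorized_key() {
  home=$1
  pubkey=$2
  sshdir="$home/.ssh"
  authfile="$sshdir/authorized_keys"

  oldmask=$(umask)
  umask 077                      # anything we create is owner-only from the start
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  touch "$authfile"
  chmod 600 "$authfile"
  umask "$oldmask"

  # Field 2 of "ssh-rsa AAAA... comment" is the key material; compare on that
  # so the same key with another comment does not become a duplicate entry.
  keymat=$(printf '%s\n' "$pubkey" | awk '{print $2}')
  if [ -n "$keymat" ] && grep -qF -- "$keymat" "$authfile"; then
    return 0
  fi
  printf '%s\n' "$pubkey" >> "$authfile"
}

# check_authorized_key_perms HOMEDIR
# Returns 0 only when the modes are what sshd (StrictModes yes, the default)
# will accept; prints each problem it finds otherwise.
check_authorized_key_perms() {
  home=$1
  ok=0
  # home must not be writable by group or others
  [ -z "$(find "$home" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ] \
    || { echo "$home is group- or world-writable"; ok=1; }
  [ -n "$(find "$home/.ssh" -prune -perm 700 2>/dev/null)" ] \
    || { echo "$home/.ssh is not mode 700"; ok=1; }
  [ -n "$(find "$home/.ssh/authorized_keys" -prune -perm 600 2>/dev/null)" ] \
    || { echo "$home/.ssh/authorized_keys is not mode 600"; ok=1; }
  return $ok
}
```

If a key login still falls through to an account password prompt after this, look in /var/log/secure (auth.log on Debian) for "Authentication refused: bad ownership or modes"; that message is sshd telling you exactly which of the checks above failed.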


3. sshd Configuration
a. By now, you should have been able to successfully log in using your keypair. DO NOT PROCEED IF YOU HAVEN'T SUCCESSFULLY LOGGED IN USING YOUR KEYPAIR, YOU WILL GET LOCKED OUT OF YOUR SYSTEM. Keep the session you are working in open while you make the changes below and test each one from a second connection; a mistake in sshd_config is only recoverable while an existing session is still up.

b. Open up the sshd configuration as root (on most distros it's /etc/ssh/sshd_config). Note that su -c takes the whole command as one quoted argument:
Code:
             su -c 'nano /etc/ssh/sshd_config'
or
Code:
             su -c 'vi /etc/ssh/sshd_config'
note: to save and exit vi, press Esc and type ':wq' (':q!' quits without saving)

c. Find these lines. On a fresh install they are usually commented out (comment character is '#') and show the built-in defaults; add them if they aren't there at all:
Code:
             #PasswordAuthentication yes
                #PermitRootLogin yes

d. Uncomment them and change them so they read:
Code:
             PasswordAuthentication no
                PermitRootLogin no
Also make sure PubkeyAuthentication is yes (the default) and set ChallengeResponseAuthentication no; otherwise PAM's keyboard-interactive method can still prompt for a password on some distros even with PasswordAuthentication off. sshd honours the first occurrence of a keyword, so check there is no earlier line in the file setting the same option. When you need root, log in as your normal user and su; with root logins disabled an attacker has to guess both a username and a key.

e. Change the default port of ssh from 22 by editing the following line (remember to uncomment it if it's commented):
Code:
             Port 22
Note: this only cuts down the log noise from automated scanners; it is not a substitute for the key-only login above. Before restarting sshd, open the new port in your firewall, and on CentOS/RHEL with SELinux enforcing register it with semanage port -a -t ssh_port_t -p tcp <port>, or sshd will fail to bind and you will lock yourself out.

f. Check the configuration for syntax errors, then restart sshd (the service is called sshd on CentOS/RHEL/openSUSE and ssh on Debian; on systemd distros use systemctl restart instead of service):
Code:
             sshd -t && service sshd restart
Existing sessions survive the restart, so test a fresh key login from a second terminal before closing the one you are working in.
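Here is the whole of step 3 as one idempotent POSIX shell script, added by me as an example and not part of the original how-to. It rewrites each directive in place whether it was commented out or not (or appends it if missing), refuses to restart sshd when sshd -t reports an error, and only touches the live system when SSHD_HARDEN_APPLY=1 is set. The file path, the port and the environment variable names are my choices, and the script assumes the config has no Match blocks.

```shell
#!/bin/sh
# set_sshd_option FILE KEYWORD VALUE
# Rewrite the first line for KEYWORD (commented or not; keyword match is
# case-insensitive, as in sshd), drop any later duplicates (sshd honours only
# the first occurrence), or append the directive if the keyword is absent.
# Assumes no "Match" blocks: a directive appended after one would apply only
# inside that block. A comment that happens to start with the keyword is also
# rewritten, which is harmless for the options used here.
set_sshd_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$value" '
    {
      line = $0
      sub(/^[ \t#]*/, "", line)          # strip indentation and comment marks
      split(line, f, /[ \t]+/)
    }
    tolower(f[1]) == tolower(k) {
      if (!done) { print k " " v; done = 1 }
      next
    }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$file"                   # keeps the file's owner and mode
  rm -f "$tmp"
}

# harden_sshd_config FILE [PORT]
# Back the file up, then apply the settings from steps 3c to 3e.
harden_sshd_config() {
  file=${1:-/etc/ssh/sshd_config}
  port=${2:-22}
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  set_sshd_option "$file" PubkeyAuthentication yes
  set_sshd_option "$file" PasswordAuthentication no
  # On PAM-enabled builds keyboard-interactive can still ask for a password
  # unless this is off too (newer OpenSSH spells it KbdInteractiveAuthentication).
  set_sshd_option "$file" ChallengeResponseAuthentication no
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" Port "$port"
}

# apply_and_reload FILE
# Refuse to restart on a config error so a typo cannot lock you out; try the
# systemd unit first, then the init script (sshd on RHEL/CentOS/openSUSE,
# ssh on Debian).
apply_and_reload() {
  file=${1:-/etc/ssh/sshd_config}
  sshd -t -f "$file" || { echo "sshd_config has errors; not restarting" >&2; return 1; }
  systemctl restart sshd 2>/dev/null || systemctl restart ssh 2>/dev/null \
    || service sshd restart 2>/dev/null || service ssh restart
}

# Only act on the live system when explicitly asked, as root:
#   SSHD_HARDEN_APPLY=1 SSHD_PORT=2222 sh harden_sshd.sh
if [ "${SSHD_HARDEN_APPLY:-0}" = 1 ]; then
  harden_sshd_config /etc/ssh/sshd_config "${SSHD_PORT:-22}" \
    && apply_and_reload /etc/ssh/sshd_config
fi
```

To see what sshd actually ended up with (including defaults you never wrote down), run sshd -T as root after the restart and grep for passwordauthentication, permitrootlogin and port; that is the quickest way to catch an earlier line in the file overriding yours.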

4. Configure a service that bans IPs after repeated failed login attempts, such as fail2ban or sshblack. Installation guides for these are easy to find online. If you changed the SSH port in step 3e, set that port in the tool's ssh jail as well; otherwise the ban rule it inserts only blocks port 22 and the attacker can keep hitting the real one.

5. Remove any insecure login methods such as telnet, rlogin/rsh and plain FTP. SSH and SFTP are all you need; your server is only as secure as its weakest service, and one plaintext login path makes all this work for nothing.




Dictionary of Used Commands/Programs/Terms:

SSH - SSH (Secure Shell) is a protocol for remotely connecting to a server over an encrypted connection. It supports public-key authentication (RSA, ECDSA, Ed25519; DSA is deprecated and disabled by default in current OpenSSH) and password authentication. Public keys are the more secure option, which is why this guide turns passwords off.

sshd - SSH daemon, the server side of OpenSSH, the most common SSH implementation on Linux

su - su switches the current shell to another user (root if no name is given), asking for that user's password; to return to your own account, type 'exit'. To run a single command as that user, use su -c 'command'

RSA - An asymmetric (public-key) algorithm; in SSH it is used for authentication, where the server checks that you hold the private key matching a public key in authorized_keys

Comments (1)

I would recommend changing number 4. You should operate whitelisting in the firewall rather than blacklisting: look up all the IPs used by your ISP, or a static IP, and only allow SSH from these and block all other ports.

I've had huge headaches when clients want fail2ban, it always seems to fail... (but then again I didn't set it up, I'm just maintaining it...)