Security Basics

Using Strong Passwords

Strong passwords for all accounts on a server are the first line of defense against intrusion. It is critical that not only your root user has a strong password; every user who has access to log in to your server in any way needs to maintain a strong password. This includes accounts created in control panels like Webmin, cPanel and Plesk.

A strong password should consist of at least 10 characters, but 15-20 would be ideal. The characters should be random and mixed. Mixed characters means that the password consists of capital letters A-Z, lower case letters a-z, numbers 0-9, and characters like %$*@?<+, etc. Not all applications will accept all characters, so the password should be tailored for the application you're logging in to.

Creating a password you can remember is sometimes desired. It is possible to create a strong password with the memory cues you need to remember the password and be able to type it when needed. One such device is to create a password from a phrase. For example, let's start password creation with the phrase "the happy brown dog". After counting the characters we know that we have 16 characters; we cannot use spaces, so they are not counted.

First we rewrite the phrase with no blank spaces. This results in "thehappybrowndog". 

Secondly we should capitalize letters in places whose positioning we would remember. For example, we could capitalize the first letter of each word: "TheHappyBrownDog".

Thirdly we should replace some letters with numbers and characters. Some common easy to remember replacements are a -> @, e -> 3, h -> 4, i -> !, i -> 1, p -> 9, etc...  You can make up your own replacements as long as you'll remember them. So implementing a replacement technique we could change the password to "Th3H@ppyBr0wnD0g".

Lastly we want to throw some random characters before the password, after the password and, if you can remember the combination, even between words in the password. An example of this would be "Th3H@ppyBr0wnD0g!@#" or "!!!Th3H@ppyBr0wnD0g" or "123Th3H@ppyBr0wnD0g!@#". As a rule, when I add the random characters I like to use 3-5 that are geographically related on the keyboard. When I say "geographically related" I mean that they are adjacent or next to each other in some way.

Using these techniques you can ensure your server will be much more difficult for a brute force hacker to penetrate.

Connecting to SSH as root

We strongly discourage allowing the root user to connect via SSH. It is highly recommended that all users connect via unique accounts and, when super user access is required, use the sudo command to elevate their permissions. Not only does this technique help prevent configuration mistakes, it also eliminates a hacker's ability to gain access to the server as the known username root via a brute force attack and forces them to guess not only passwords but also usernames.

To disable SSH access for the root user, first create a new user. The common Linux command to create a user with SSH access and super user rights would be "useradd -G wheel username" (replace "username" with the desired username). After the user is created you can use the command "passwd username" to set the new user's password.

Test the new user's access to SSH by connecting and logging in via SSH. After logging in, use the sudo command as "su -" to elevate permissions and maintain environment variables. If all goes well and no errors are displayed, you are ready to disable SSH access for the root user.

To disable SSH access for the root user, the sshd_config file needs to be edited. Use your favorite text editor to open the file /etc/ssh/sshd_config. For this example I'll use nano for simplicity: "nano /etc/ssh/sshd_config". Once you have the file open, use the search feature (in nano this is CTRL+w) to search for the word "root". The search should find the line that states "#PermitRootLogin yes". To change this default setting, remove the "#" at the beginning of the line and change "yes" to "no". The final line should look like this: "PermitRootLogin no". Save the file with CTRL+o and close the file with CTRL+x.

To apply the new configuration, restart the SSH service with whichever of the following commands is compatible with the operating system your server is running: "/etc/init.d/sshd restart", "/etc/init.d/ssh restart", "service ssh restart" or "service sshd restart". Restarting this service will not terminate any connections, but the new configuration will not permit SSH connections by the root user.

Using Alternate SSH Ports

Another strong defense against intrusion is to change the port on which SSH operates. In a common attack, the attackers use the known ports to detect the presence of a server against which they can attempt brute force attacks. If the server admin has changed these ports, many attack scanners will not detect that the server is available for control, and the attack process will move on to other servers.

Before you change the SSH port for your server, there are some configuration changes you want to make first, namely to the firewall. If you are unfamiliar with the iptables firewall, there is an article that can help here: http://kb.serverpronto.com/cpage.php?id=IPTables+Firewall. Ensure you add and activate a firewall allowance for the port you are changing SSH to operate on. Do not disable the port 22 rule, which is the SSH default, yet; you want to ensure the new configuration functions before closing access to the default port.

Once the firewall changes are made, you can alter the SSH configuration in the sshd_config file. To edit the configuration, use your favorite text editor to open the file /etc/ssh/sshd_config. For this example I'll use nano for simplicity: "nano /etc/ssh/sshd_config". Once you have the file open, use the search feature (in nano this is CTRL+w) to search for the word "port". The search should find the line that states "#Port 22". Do not change this default setting; instead, add a new line below the line your search found that looks like this: "Port 2200" (change 2200 to the port you added to the firewall configuration above). Then remove the "#" at the beginning of the line your search found to allow SSH on both the default port and the new port. Save the file with CTRL+o and close the file with CTRL+x.

To apply the new configuration, restart the SSH service with whichever of the following commands is compatible with the operating system your server is running: "/etc/init.d/sshd restart", "/etc/init.d/ssh restart", "service ssh restart" or "service sshd restart". Restarting this service will not terminate any connections, but the new configuration will now permit SSH connections on the new port.

Test your changes by opening a new SSH connection to the new port. If you successfully connect, you are ready to close the default port. To close the default SSH port, reopen the SSH configuration file as you did in the step above and place the "#" back in front of the line that reads "Port 22". This will remove that port from the configuration after you restart the SSH service as described above. Using the instructions in the linked article above, you should also remove the port 22 rule in the iptables firewall. This will block all incoming connections on the default SSH port.

Do not forget what port you moved the SSH service to because once you disconnect any sessions already connected via port 22 you will not be able to reconnect to that port.
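
The check below is an added example, not part of the original article: it reads an sshd_config file and reports the two settings changed in "Connecting to SSH as root" and "Using Alternate SSH Ports", including whether the server is still in the stage where both port 22 and the new port are open. The function names, output format and sample files are constructed for illustration; port 2200 is the article's example port.

```shell
#!/bin/sh
# Added example (not from the original article): audit the two sshd_config
# settings changed above. Only the global section is read; Match blocks and
# Include files are not followed.

# audit_sshd [FILE] prints: root=<value> ports=<list> state=<default|transition|moved>
audit_sshd() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # "#PermitRootLogin yes" is only a comment
        { sub(/[ \t]*=[ \t]*/, " ")             # accept the "Keyword=value" spelling
          key = tolower($1); val = $2 }
        key == "match" { exit }                 # stop at the first Match block
        key == "permitrootlogin" && root == "" { root = tolower(val) }  # first value wins
        key == "port" {                         # Port may appear several times
            ports = ports sep val; sep = ","
            if (val == "22") has22 = 1
            else other = 1
        }
        END {
            if (root == "")  root = "unset"     # sshd falls back to its built-in default
            if (ports == "") { ports = "22"; has22 = 1 }
            state = has22 ? (other ? "transition" : "default") : "moved"
            printf "root=%s ports=%s state=%s\n", root, ports, state
        }
    ' "$@"
}

# Exit status 0 only when root login is refused and port 22 is no longer open.
sshd_hardened() {
    case "$(audit_sshd "$@")" in
        "root=no "*"state=moved") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files for the three stages of the procedure in the article.
sample_config() {
    case "$1" in
        stock)      printf '%s\n' '#Port 22' '#PermitRootLogin yes' ;;
        transition) printf '%s\n' 'Port 22' 'Port 2200' 'PermitRootLogin no' ;;
        final)      printf '%s\n' '#Port 22' 'Port 2200' 'PermitRootLogin no' ;;
    esac
}

for stage in stock transition final; do
    printf '%-11s' "$stage"; sample_config "$stage" | audit_sshd
done
```

On a live server, pass /etc/ssh/sshd_config as the argument. Running "sshd -t" before restarting the service checks the edited file for syntax errors.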
