
This is a discussion on Hardening SSH in the VPS & Dedicated forum

  1. #1
    JPC Senior Member
    Join Date
    Jun 2005
    Posts
    78

    Hardening SSH

    Hi,

    I'm wanting to harden my VPS SSH and I've read some tutorials and decided what I want to do:

    I want to disable root login and use "su" and I want to change the port which ssh connects to. Could someone please confirm that the following commands are correct:

    Quote Originally Posted by Disabling Root Login
    1. pico (or other) and open /etc/ssh/sshd_config
    2. Uncomment #PermitRootLogin yes to PermitRootLogin no
    How would the su command then work etc.? How would I go about logging into ssh? Would I need to make my account in WHM ssh enabled, log in with that, then "su"? What's required when I "su"?

    Quote Originally Posted by Changing Port
    1. pico (or other) and open /etc/ssh/sshd_config
    2. Uncomment #Port 22 to #Port {portnohere}
    Once I've restarted ssh, would I just need to change the access port on my ssh program for this to work and be able to access ssh?

    Also, I've read that ssh2 is more secure than ssh1. If I uncomment the line #Protocol 2,1 to Protocol 1, will you, as my host, support this?

    thanks for any help!

    jonny

  2. #2
    JPC Senior Member
    Join Date
    Jun 2005
    Posts
    78
    Just wondering if anyone can help me with this?

    thanks in advance!

  3. #3
    consultant Andre
    Join Date
    Apr 2005
    Posts
    1,155

    Question

    Hi Jonny,

    Sorry for not responding sooner, hadn't noticed your post

    1. pico (or other) and open /etc/ssh/sshd_config
    2. Uncomment #PermitRootLogin yes to PermitRootLogin no
    Those steps are correct, however before you do that you would first have to create a username which will function as "su user", otherwise you may lock yourself out.

    If I recall correctly you run cPanel, so the easiest way to add a new user is by adding a new user in WHM (just create a new account with a dummy domain name). After that login to SSH and edit /etc/group and add the username which you just created to the wheel group.

    After that, perform the two steps you described and restart SSH. You can now no longer login as root directly. If you want to become root you would first have to login with the "su user" and then enter "su -". Instead of "su -" you can also just enter "su", but "su -" will directly take you to the root directory. At this point you can enter the root password and you're done.

    Quote Originally Posted by Jonny
    Also, I've read that ssh2 is more secure than ssh1. If I uncomment the line #Protocol 2,1 to Protocol 1, will you, as my host, support this?
    Yes we support that, in fact we recommend it. You would have to use "Protocol 2" though, not 1

    When you perform the above steps, make sure to include the su steps whenever you open a support ticket.

    Also while you're on it, you may also want to look into restricting access for 22 to only specific IPs, so only authorized IP addresses can connect to SSH at all. This is only useful if you have a static IP and don't need access from other locations, but if you can use it, it'll add a lot of security (and then you also won't really need the su steps anymore).
    Andre van Vliet

    DEHE.com - Definition of Hosting Experts
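
The pre-flight checks implied by the steps in post #3 (a non-root wheel user must exist before `PermitRootLogin no` takes effect, and `Protocol 2` is set), written as an added example that is not part of the thread. It assumes plain `Keyword value` lines with no `Match` blocks, takes file paths as arguments so it can be run on copies, and the user name `jonnysu` is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check copies of sshd_config and
# /etc/group before restarting sshd with the changes discussed above.

# Effective value of a keyword: first uncommented occurrence, else "unset".
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Non-root members of the wheel group in an /etc/group-format file.
wheel_users() {  # usage: wheel_users GROUPFILE
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i]
    }' "$1"
}

# Prints findings; exit status is the number of failed checks.
audit_ssh() {  # usage: audit_ssh SSHD_CONFIG GROUPFILE
    local fails=0 root proto port
    root=$(sshd_value "$1" PermitRootLogin)
    proto=$(sshd_value "$1" Protocol)
    port=$(sshd_value "$1" Port)
    if [ -z "$(wheel_users "$2")" ]; then
        echo "FAIL: no non-root user in wheel; nobody could su after root login is disabled"
        fails=$((fails + 1))
    fi
    [ "$root" = no ] || { echo "FAIL: PermitRootLogin is '$root', want 'no'"; fails=$((fails + 1)); }
    [ "$proto" = 2 ] || { echo "FAIL: Protocol is '$proto', want '2'"; fails=$((fails + 1)); }
    case "$port" in
        unset|22) echo "note: sshd listens on the default port 22" ;;
        *) echo "note: sshd listens on port $port; set it in your SSH client" ;;
    esac
    return "$fails"
}

# Constructed sample input: a config as in post #1 before editing, and a
# group file where the hypothetical user "jonnysu" was added to wheel.
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' '#Port 22' '#Protocol 2,1' '#PermitRootLogin yes' > "$d/sshd_config"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:root,jonnysu' > "$d/group"
    audit_ssh "$d/sshd_config" "$d/group" || echo "-> $? check(s) failed"
    rm -rf "$d"
}
demo
```

On current OpenSSH releases the `Protocol` keyword is obsolete, so that check applies only to servers of this thread's vintage.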

  4. #4
    JPC Senior Member
    Join Date
    Jun 2005
    Posts
    78
    Thanks Andre!

    Whoops, that's what I meant to put, 2, not 1 lol. Unfortunately I live quite remotely so I can only receive ADSL, thus, it's not a static IP, although I could request one.

    Also, with regards to changing the port, if I change the port in /etc/ssh/sshd_config would this change the port throughout the VPS, WHM, Virtuozzo etc. or would some additional changes be required? Would some checks be required also before any port changes were made?

    thanks again!

  5. #5
    JPC Guru
    Join Date
    Oct 2005
    Posts
    265
    Jonny,

    If you could find out the netmask your DSL provider uses, you can restrict SSH to only the IPs that your DSL provider uses.

    Although that is not as secure as only one IP it is a start.

    Paul

  6. #6
    JPC Senior Member
    Join Date
    Jun 2005
    Posts
    78
    Thanks Paul,

    I'll look into this
