This will be a series of posts about configuring a Linux server (I’m working with Ubuntu, but should work with minor changes with other distributions), mainly because I have done this several times now by reviewing different websites and blogs, so I wanted to do a guide that works for me (and maybe for others too).
First, we create a user to avoid the use of root (in case you are not using the default Ubuntu installation, that asks you to create a user):
$ adduser myuser Adding user 'myuser' ... Adding new group 'myuser' (1000) ... Adding new user 'myuser' (1000) with group 'myuser' ... Creating home directory '/home/myuser' ... Copying files from '/etc/skel' ... Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully Changing the user information for myuser Enter the new value, or press ENTER for the default Full Name : Room Number : Work Phone : Home Phone : Other : Is the information correct? [Y/n] y
It is also possible to use the command useradd (that is a linux command itself, not that user-friendly) instead of useradd (this one is a perl script that makes a little more easy user creation).
We need to assign add this user to the sudoers (users that are able to use the sudo command to make changes to the system).
And add the following line:
myuser ALL=(ALL) ALL
Then, we need to hardening SSH server (be very careful about this modifications because if SSH is the only way you have to configure your server, any error may left you lock out of your box).
Before making any change, we better make a backup of our original config file:
$ cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
Then, we need to change the following parameters on /etc/ssh/sshd_config:
- Port Number: Change it to any random port number, try to use one that any known service uses, see the list of services in here.
- Listen Address: Instead of listen to every interface on your server, just listen to the main IP address.
- Protocol: Make sure that this parameter is set to 2 (instead of 2, 1).
- If possible, avoid root login by disabling PermitRootLogin. All root operations can be done using sudo command (at least on Debian/Ubuntu based distributions). Make sure you have created other users on your box, and add them to the allow list of users to log through SSH (AllowUsers [username1] [username2] parameter).
- Disable X11Forwarding.
- Replace password authentication with Public/Private Keys. To do this, make sure your users have their Private Keys and the Public Keys are configured on the server. Then, disable PasswordAuthentication and UsePAM parameters. Make sure that RSAAuthentication and Pubkeyauthentication parameters are enabled.
- If you have noticed that OpenSSH server may take a while from the moment you enter your username and the password prompt, it is because it tries to make some DNS resolves. You can avoid this by disabling UseDNS parameter.
You should end with a file like this:
Port XXXX ListenAddress XXX.XXX.XXX.XXX [...] PermitRootLogin no [...] RSAAuthentication yes PubkeyAuthentication yes [...] PasswordAuthentication no [...] X11Forwarding no [...] UsePAM no UseDNS no AllowUsers myuser user2
Then, we need to restart the SSH server by doing:
$ /etc/init.d/ssh restart
Do not close your current session, just open another to your box using the new port, this way we make sure we are not locked out of it.
On the next post I will be configuring IPTables as a firewall for our box.
UPDATE 17/Apr/2010: Parameter PasswordAuthentication included for disabling keyboard-interactive authentication.
In this link you can find a very good explanation about the main options on SSH config file.