3 Tips to Secure SSH Access on a cPanel Server

SSH is the gateway to a Linux server. Any advanced task on the server needs command-line access, and the SSH service provides it. So keeping SSH access to a server secure means keeping the server secure. There are many ways to secure the SSH service. Ideally we need to close all vulnerabilities.

1. Disallow Root Login

Disabling direct root login to a server is the primary task to be done. This way, becoming root on the server requires two levels of password authentication. If any user needs to log in as root, they need to SSH to the server as the user, and then perform a "su" to gain root privileges.

The steps are as below:

  1. Add a user using the useradd command.
    useradd admin
  2. Assign a password
    passwd admin
  3. Add this user to the wheel group by editing the /etc/group file. After adding the user to the wheel group, the /etc/group file should contain something like below:
    wheel:x:xx:root,admin
  4. Try to connect to the server using an SSH client like PuTTY with the password you set.

    Replace the hostname with the actual hostname or IP address of the server. It will prompt for the password of user admin. Type the password and make sure you are able to log in as user admin.

  5. Once you log in as user admin, try to su to root with the root password. Type su and hit Enter:
    su -
    password: type the root password here

    Make sure you are able to log in as root now.

  6. Now edit the /etc/ssh/sshd_config file with vi or any of your favorite editors:
    vi /etc/ssh/sshd_config
  7. Uncomment the following directive and set it to “no”:
    PermitRootLogin no
  8. Save and exit.
  9. Restart ssh with:
    service sshd restart
  10. Exit the server and make sure you are not able to log in directly as root.

2. Change the default SSH Port

We can change the default SSH port, which is usually 22, to protect SSH access to the cPanel server. Here's how to do this:

  1. Edit /etc/ssh/sshd_config with vi editor.
  2. Uncomment the “Port” directive and set it to any value of your choice e.g. 7799.
  3. Save and exit the editor.
  4. Restart SSH and check that the new port is working and the default port 22 is disabled.
  5. Make sure the new port is allowed in the firewall of the server.

3. Use SSH Key Authentication

Using SSH keys for authentication is the most popular way to secure SSH access to a cPanel server. SSH keys are generated as a pair and are preferred over password authentication. The pair is a unique combination of a private and a public key, with the public key on the server and the private key residing on the client machine.

  1. To enable SSH key authentication, click Manage Root's SSH Keys under Security Center in WHM.
  2. Click on Generate a New Key.
  3. The next page will ask for SSH key parameters like username (this will be root), password (save this with you), key type (DSA or RSA) and size (2084 bit is ok). Then click Generate Key.
  4. Download the keys by clicking View/Download Key. This will download the private key to your local machine.
  5. If you are using Linux, save/download the key under ~/.ssh/id_rsa (or id_dsa if this was a DSA key).
  6. If you are using PuTTY, use PuTTYgen to generate the keys. Upload the public key to the server under ~/.ssh/id_rsa. Save the private key on the local computer and use Pageant to load the private key while doing SSH to the server.
  7. Finally, disable password authentication. You can do that under Security Center by clicking Disable Password Authentication under SSH Password Authentication Tweak.

Note that if password authentication is not disabled, you will be able to log in to the server using keys as well as the password authentication method.
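As an added example (not part of the original article), this shell script audits an sshd_config file for the three tips above and catches two common slips: a directive that was edited but left commented out, and an old Port line kept beside the new one. The function names sshd_values and audit_sshd_config and the sample file are constructed for illustration, and the script assumes the WHM password tweak appears in the file as PasswordAuthentication no.

```shell
#!/bin/sh
# Added example: audit sshd_config for the three settings in this article.

# Print every global value of KEYWORD in FILE, lowercased, one per line.
# Commented-out lines are ignored, keywords match case-insensitively, and
# parsing stops at the first Match block (settings there are conditional).
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }          # accept "Keyword=value" too
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$1"
}

# Report each setting that differs from the article's advice.
# Returns the number of failed checks (0 means all three tips are applied).
audit_sshd_config() {  # usage: audit_sshd_config FILE
    fails=0
    # For single-valued keywords sshd keeps the first value it reads.
    root=$(sshd_values "$1" PermitRootLogin | head -n 1)
    pass=$(sshd_values "$1" PasswordAuthentication | head -n 1)
    # Port may be given several times; sshd listens on every one of them.
    ports=$(sshd_values "$1" Port | tr '\n' ' ')
    [ "$root" = no ] || { echo "FAIL PermitRootLogin: ${root:-not set}"; fails=$((fails + 1)); }
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication: ${pass:-not set}"; fails=$((fails + 1)); }
    case " ${ports:-22} " in   # no Port line at all means the default, 22
        *" 22 "*) echo "FAIL port 22 is still open"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample: PermitRootLogin was edited but left commented out,
# and the old Port line was kept next to the new one.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#PermitRootLogin no
Port 7799
Port 22
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? check(s) failed"
```

Run it against a copy of /etc/ssh/sshd_config before restarting sshd, and keep the existing session open until a new login on the new port succeeds.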
