SSH is the gateway to a Linux server: any non-trivial administration needs command-line access, and the SSH service is what provides it. Keeping SSH access secure is therefore a large part of keeping the server secure. There are many ways to harden the SSH service; the three steps below close the weaknesses that are most often exploited in practice: direct root login, brute-force attempts against the default port, and password authentication itself.
1. Disallow Root Login
Disabling direct root login is the first thing to do. It puts two levels of authentication between an attacker and root: they would need an ordinary user's password and then the root password, and they would have to guess a username instead of the well-known "root". Any user who needs root must SSH to the server as a normal user and then run " su - " to gain root privileges.
The steps are as below:
- Add a user using the useradd command.
useradd admin
- Assign a password
passwd admin
- Add this user to the wheel group with usermod -aG wheel admin (or by editing /etc/group by hand). Afterwards the wheel line in /etc/group should look like the one below. Note that on CentOS/RHEL wheel membership only restricts who may su if pam_wheel is enabled in /etc/pam.d/su (the "auth required pam_wheel.so use_uid" line is commented out by default); uncomment it if you want su limited to the wheel group.
wheel:x:xx:root,admin
- Try to connect to the server with an ssh client (OpenSSH from a terminal, or PuTTY on Windows) using the password you set:
ssh admin@hostname
Replace the hostname with the actual hostname of the server or IP address of the server. It will prompt for the password of user admin. Type the password and make sure you are able to login as user admin.
- Once you are logged in as user admin, switch to root with the root password. The trailing dash gives you root's login environment rather than admin's:
su -
Password: type the root password here
Make sure you can become root this way before going any further, otherwise the next step locks you out of root entirely.
- Now edit /etc/ssh/sshd_config with vi or your favourite editor:
vi /etc/ssh/sshd_config
- Uncomment the following directive and set it to “no”:
PermitRootLogin no
- Save and exit.
- Check the file for syntax errors with sshd -t (it prints nothing if the config is valid; a typo here would otherwise leave you with no working SSH at all), then restart ssh with:
service sshd restart
On systemd-based systems use systemctl restart sshd instead.
- Keep your current session open and, from a second terminal, confirm that ssh root@hostname is now refused while ssh admin@hostname still works. Only then close the original session, so that a mistake cannot lock you out.
2. Change the default SSH Port
We can change the default ssh port, normally 22, to protect ssh access to a cPanel server. Be clear about what this buys you: a port scan finds the new port in seconds, so it does not stop a targeted attacker, but it takes the server out of the bulk brute-force scans that only try port 22 and cuts down the log noise considerably. Here's how to do this:
- Edit /etc/ssh/sshd_config with vi editor.
- Uncomment the “Port” directive and set it to a value of your choice, e.g. 7799. Pick an unprivileged port that nothing else is already listening on (check with ss -lntp or netstat -lntp).
- Save and exit the editor.
- Restart ssh and, from a second session, check that the new port works (ssh -p 7799 admin@hostname) and that port 22 no longer answers.
- Make sure the new port is allowed through the server's firewall (iptables, firewalld or CSF on a cPanel server). On a system with SELinux enforcing, register the port first with semanage port -a -t ssh_port_t -p tcp 7799, otherwise sshd is refused permission to bind to it and fails to start.
3. Use SSH Key Authentication
Using ssh keys for authentication is the most effective way to secure ssh access to a cPanel server, because there is no password for anyone to guess. Keys are generated as a pair: the private key stays on the client machine and is never sent anywhere, while the public key is placed on the server in the account's ~/.ssh/authorized_keys file. The server only ever sees the public key, so a compromised server does not expose the client's credential.
- To enable ssh key authentication click Manage Root’s SSH Keys under Security Center in WHM.
- Click on Generate a New Key.
- The next page will ask for ssh key parameters: username (this will be root), a password (this is the passphrase that encrypts the private key file on disk; store it somewhere safe, you will need it every time you use the key), key type and size. Choose RSA: DSA is limited to 1024 bits and has been disabled by default in OpenSSH since version 7.0, so a DSA key will not work against a current server. Use at least 2048 bits; 4096 is fine. Then click Generate Key.
- Download the key by clicking View/Download Key. This downloads the private key to your local machine; it is the only copy, so treat it like a password. The key is not usable for login until it has been authorized: open Manage Authorization for it and click Authorize.
- If you are using Linux, save the downloaded key as ~/.ssh/id_rsa and restrict it with chmod 600 ~/.ssh/id_rsa; ssh refuses to use a private key that other users can read.
- If you are using PuTTY, generate the pair with PuTTYgen instead. Copy the public key in the one-line OpenSSH form shown in PuTTYgen's window and append it to ~/.ssh/authorized_keys on the server (not to id_rsa, which is the name of a client-side private key); ~/.ssh must be mode 700 and authorized_keys mode 600, or sshd's StrictModes will silently ignore the file. Save the private key (.ppk) on the local computer and load it into Pageant before connecting.
- Test in a new session that ssh admin@hostname logs you in with the key and without asking for the account password. Only then disable password authentication, under Security Center by clicking Disable Password Authentication under SSH Password Authentication Tweak.
Note that until password authentication is disabled the server accepts both methods, so the keys add nothing against password guessing. After applying the tweak, confirm in /etc/ssh/sshd_config that both PasswordAuthentication and ChallengeResponseAuthentication are set to no: with only the first one off, PAM's keyboard-interactive prompt can still accept a password.
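The whole procedure from sections 1, 2 and 3 as one script, added here as an example that is not part of the original article and not cPanel/WHM code. It edits an sshd_config file idempotently while honouring two sshd parsing rules the hand-editing steps above do not mention (the first value of a directive wins, and anything after a Match line applies only to that block), and it installs a public key into authorized_keys with the permissions sshd's StrictModes requires. The function names, port 7799, the sample config and the sample key are this example's own assumptions; the demo at the bottom runs on a constructed temporary copy, not on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the article or cPanel): apply the three hardening
# steps to an sshd_config file and install an authorized public key.
# Function names, port 7799 and the sample data below are this example's own.
set -eu

# Set KEY to VALUE in FILE. sshd uses the FIRST value of a keyword, and
# directives after a "Match" line are scoped to that block, so we replace the
# first global occurrence (active or commented-out template line) or, if there
# is none, prepend the directive so it wins over anything later in the file.
set_sshd_directive() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    { buf[NR] = $0 }
    tolower($0) ~ /^[ \t]*match([ \t]|$)/ { inmatch = 1 }
    !hit && !inmatch && tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)") {
      buf[NR] = key " " value; hit = 1
    }
    END {
      if (!hit) print key " " value
      for (i = 1; i <= NR; i++) print buf[i]
    }' "$file" > "$tmp"
  cat "$tmp" > "$file"   # overwrite in place to keep the file's owner and mode
  rm -f "$tmp"
}

# Print the effective global value of KEY in FILE: the first active line
# before any Match block. Prints nothing if the directive is not set.
get_sshd_directive() {
  awk -v key="$2" '
    tolower($0) ~ /^[ \t]*match([ \t]|$)/ { exit }
    tolower($0) ~ ("^[ \t]*" tolower(key) "[ \t]+") { print $2; exit }
  ' "$1"
}

# Sections 1-3 of the article applied to FILE, listening on PORT.
harden_sshd_config() {
  cfg=$1 port=$2
  set_sshd_directive "$cfg" PermitRootLogin no          # section 1
  set_sshd_directive "$cfg" Port "$port"                # section 2
  set_sshd_directive "$cfg" PubkeyAuthentication yes    # section 3
  set_sshd_directive "$cfg" PasswordAuthentication no
  # PAM keyboard-interactive still accepts a password unless this is off too.
  set_sshd_directive "$cfg" ChallengeResponseAuthentication no
}

# Append PUBKEY to HOMEDIR/.ssh/authorized_keys (not id_rsa, which is the
# client-side private key name) with the modes StrictModes insists on.
install_authorized_key() {
  home=$1 pubkey=$2
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
  grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
    || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# --- demo on a constructed sshd_config; a real run targets /etc/ssh/sshd_config ---
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
harden_sshd_config "$demo_cfg" 7799
harden_sshd_config "$demo_cfg" 7799      # second run changes nothing
cat "$demo_cfg"
echo "effective Port: $(get_sshd_directive "$demo_cfg" Port)"

demo_home=$(mktemp -d)
# constructed placeholder, not a real key
install_authorized_key "$demo_home" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleOnly admin@workstation"
cat "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_cfg" "$demo_home"
```

On a real server run the functions against /etc/ssh/sshd_config, then sshd -t, open the new port in the firewall (and semanage on SELinux systems), restart sshd, and confirm both the key login on the new port and the refused root login from a second session before closing the one you are in. The Match block in the demo shows why the script never appends to the end of the file: a PasswordAuthentication line added there would only apply to the backup user.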