Administration Tips 01: SSH tweaks on your new remote server

September 1st, 2007 by Timothy O'Connell

Hola, gang: my name is Tim and I'm going to be contributing to the AE blog periodically. I'll be contributing tips and advice and I'll be writing from an admin's perspective.

A bit about me: I'm a system administrator and I work for a small, freelance IT company. Ours is a Debian shop; we've got a handful of programmers, two admins and we do custom apps in addition to other IT support work for clients. I'm the junior guy at my place and, basically, I'm the understudy to one of greatest admins who ever jocked a console.

As this is my first post, I am going to keep it short and simple. I assume only that you have a basic understanding of bash. In fact, I think that's the only assumption that I'm going to make from here on out.

Now that virtual servers are all the rage and remote hosting is unignorably cheap, lots of cats with very limited prior experience are finding themselves playing administrator on machines responsible for serving important apps, sites, etc.

One of the first, easiest and best things you can do to improve the security of your remote box is lock SSH down tight. Assuming you've already got root on your remote box and the "ssh" package installed, what you're going to want to do next is make your personal user an sudoer with full access:

# aptitude install sudo
...
# echo "toconnell ALL=(ALL) ALL" >> /etc/sudoers

Now edit /etc/ssh/sshd_config with your favorite editor to prevent remote users from logging on to your box as root and change the SSH server's default port:

Port 222
PermitRootLogin no

Now restart your ssh server:

# /etc/init.d/ssh restart

The big idea here is that no one can log in as root and the hundreds of bots/zombies that will be constantly pinging your IP address on port 22 will be rejected summarily (and not fill up your logs with half-assed attempts to root your box); to them it will appear as though you are not even running an SSH server.

And that's about it: you modified three lines in two conf flies and hardened your Debian server up substantially. There are some trade-offs, of course. In order to root your box remotely, you've got to specify the port on which you want to connect and then su to root:

$ ssh -p 222 toconnell@remoteserver.com
toconnell@remoteserver.com's password:
toconnell@remoteserver:~$ sudo su
Password:
remoteserver:/home/toconnell#

In my estimation, the slight inconvenience is worth it. If you don't believe me, take a look at your logs and see who is knocking on your door, how often and in what manner.

Comments

Posting code? Please use Pastie.

Have a question? Please visit the Forum.

No comments yet.