Nov 3, 2014

How to secure your Linux VPS - SSH hardening

How to secure your Linux VPS – SSH hardening When a new Linux based vpsie is deployed, it will have default SSH configuration file. This means that SSH server listens on TCP port 22 and accepts password based authentication. In order to find systems with SSH port open in the internet, attackers send a TCP SYN packet to a broad range of IP addresses. The IP addresses returning a SYN+ACK packet are kept in a list of server to further brute force a username + password pair. There are few simple measures to remove your self from the herd, by changing the openssh config file. Here they are: First, if you are able to connect to higher TCP ports from your internet connection(s) to destinations in the internet, especially your VPS server, then first change the SSH listen port to a higher one. !!! Note that this step has to be done only after you’ve made sure you can access your VPSie via the web console to avoid locking your self out !!! As stated previously, attackers send a TCP SYN packet to destination port 22 to a broad range of IPs. Your server would not reply if SSH listens to other port. In order to acomplish this, locate sshd_config (on both CentOS and Debian, it is located under “/etc/ssh” directory), edit it and change or uncomment the “ListenAddress” directive to something like “ListenAddress”. A little more about this directive. In Unix and Linux networking terms, the 32bytes all zero “” address refers to all local addresses/all local interfaces. If you know what you’re doing you can either use this or be very specific on what IP address you want your SSH server to listen on. Here is another example to make it listen to a specific IP address “ListenAddress”. Save the configuration file and check:
# lsof -Pni :10022
sshd 14035 root 3u IPv4 182063 0t0 TCP (LISTEN)
The above confirms that command “sshd” with process ID 14035, file descriptor number 3u listens on IP and port 10022 (non-standard port for SSH). The socket is IPv4 type. The above is just an example. You should use the IP assigned on the interface intended to process SSH inbound connections. A second best practice tool is to disable Pasword Authentication in SSH. This leaves you only the (secure) option to authenticate only using ssh keys. Creating and implementing ssh keys is not the scope of this article (but o a future one) so I will assume this step has been completed. Here is what needs to be changed in “sshd_config” file:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
First three directives enable RSA authentication and enable the authorized_keys file to hold public keys. When SSH RSA authentication is implemented, remember that the SSH server ALWAYS keeps the public key and the user holds the private key. That’s why it is the user’s responsability to keep it safe and report it’s loss or worse, and the administrator’s responsability to react and remove the public key if the coresponding private key has been compromised. Now, to confirm the above, I’m going to try to ssh to localhost:
$ ssh localhost
ssh: connect to host localhost port 22: Connection refused
Port 22 is not open any more.
$ ssh localhost -p 10022
ssh: connect to host localhost port 10022: Connection refused
Port 10022 isn’t working also. Why ? Because SSH listens to specific IP address:
$ ssh -p 10022
Permission denied (publickey).
Ok. So I can’t login to port 22 any more and I can’t login using passwords. Future article will describe details on how to use ssh key pair for ssh authentication.  

You can actually try those security VPS hardening steps on our platform in few minutes utilizing our PCS (Private Cloud Solution) which allows you to have VPSie(s) on a private network – NAT – Port forward – traffic control for inbound and outbound – multiple gateway IPs which you could use for the load-balancing and failover.

Since we have quite a few VPSie apps which are using mysql database, and we don’t want to force anyone in using a preset password we have left that to your choice. To set up a root password for mysql servers you have to have a running mysql server therefore you have to run the following command:
#service mysqld restart
Now since you are sure that you have successfully restarted the server you can check if your mysql server is actually running by running a netstat on your linux.
#netstat -ntlp
This will show you all the applications which are listening on your server. The output should look something like this:
# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0*               LISTEN      960/mysqld      
tcp        0      0    *               LISTEN      904/nginx       
tcp        0      0    *               LISTEN      876/sshd        
tcp6       0      0 :::80                   :::*                    LISTEN      904/nginx       
tcp6       0      0 :::22                   :::*                    LISTEN      876/sshd        
Mysql servers are running by default on port 3306 therefore if you see the port 3306 listening you are good to go. Next step is to set the root password so that noone would have passwordless access to your databases. You will be doing that by using the following command:
#mysqladmin -u root password 'some_very_hard_and_complicated_password'
To check that the password was configured you can login to your mysql database:
#mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.5.37-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

When prompted for the password use the password which you have configured the previous step. To leave the mysql prompt just type quit or \q. In case you have lost/forgotten your mysql root password you can reset it. For that first you will need to stop the mysql server and start it in safe mode.
#service mysqld stop
#mysqld_safe --skip-grant-tables
You should see the mysql server started and be able to log in without a password into it. Now connect to the mysql database and run the following query to reset your mysql password:
#mysql --user=root mysql
mysql> update user set Password=PASSWORD('new-password') where user='root';
mysql> flush privileges;
mysql> exit;
Kill your running mysql service and start it normally.
#killall -9 mysqld_safe
#service mysqld start
Now your mysql password has been reset and you can safely login to your database with your new password.

You can actually try those MySQL server steps on our platform in few minutes utilizing our PCS (Private Cloud Solution) which allows you to have VPSie(s) on a private network – NAT – Port forward – traffic control for inbound and outbound – multiple gateway IPs which you could use for the load-balancing and failover.