How to secure your Linux VPS - SSH hardening
# lsof -Pni :10022
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    14035 root    3u  IPv4 182063      0t0  TCP 10.1.1.53:10022 (LISTEN)

The above confirms that the command “sshd”, with process ID 14035 and file descriptor 3u, listens on IP 10.1.1.53 and port 10022 (a non-standard port for SSH). The socket is of type IPv4. The above is just an example. You should use the IP assigned to the interface intended to process inbound SSH connections.

A second best practice is to disable Password Authentication in SSH. This leaves you with only the (secure) option of authenticating with SSH keys. Creating and implementing SSH keys is not in the scope of this article (but of a future one), so I will assume this step has been completed. Here is what needs to be changed in the “sshd_config” file:

...
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
...
PasswordAuthentication no
...

The first three directives enable RSA authentication and enable the authorized_keys file to hold public keys. When SSH RSA authentication is implemented, remember that the SSH server ALWAYS keeps the public key and the user holds the private key. That’s why it is the user’s responsibility to keep it safe and report its loss or worse, and the administrator’s responsibility to react and remove the public key if the corresponding private key has been compromised. Now, to confirm the above, I’m going to try to ssh to localhost:

$ ssh localhost
ssh: connect to host localhost port 22: Connection refused

Port 22 is not open any more.

$ ssh localhost -p 10022
ssh: connect to host localhost port 10022: Connection refused

Port 10022 isn’t working either. Why? Because SSH listens on a specific IP address:

$ ssh 10.1.1.53 -p 10022
Permission denied (publickey).

OK. So I can’t log in on port 22 any more and I can’t log in using passwords. A future article will describe in detail how to use an SSH key pair for SSH authentication.
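One way to check a config file against the settings used above, as an added example that is not part of the original article; the function names and finding labels are assumptions and the sample files are constructed. It relies on two sshd_config rules: Port and ListenAddress may repeat, while for other keywords the first value read is the one used.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config-style file for the
# settings applied above. On a live host, `sshd -T` prints the effective values.

# global_values FILE KEYWORD: every value of KEYWORD set before the first Match
# block. Keywords are case-insensitive; only "Keyword value" lines are handled.
global_values() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        tolower($1) == "match" { exit }            # conditional blocks start here
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# audit_sshd_config FILE: print space-separated findings (empty = all checks pass).
audit_sshd_config() {
    cfg=$1; findings=""
    # Port and ListenAddress may repeat and add up; when absent, sshd listens
    # on port 22 on all addresses.
    ports=$(global_values "$cfg" Port)
    for p in ${ports:-22}; do
        if [ "$p" = 22 ]; then findings="$findings port-22"; fi
    done
    addrs=$(global_values "$cfg" ListenAddress)
    for a in ${addrs:-0.0.0.0}; do
        case $a in
            0.0.0.0|0.0.0.0:*|::|\[::\]*) findings="$findings listen-any" ;;
        esac
    done
    # Other keywords: sshd keeps the first value it reads; both default to yes.
    pw=$(global_values "$cfg" PasswordAuthentication | head -n 1)
    if [ "${pw:-yes}" != no ]; then findings="$findings password-auth"; fi
    pk=$(global_values "$cfg" PubkeyAuthentication | head -n 1)
    if [ "${pk:-yes}" != yes ]; then findings="$findings pubkey-off"; fi
    echo "${findings# }"
}

# Constructed samples: the article's settings, and a file where an earlier "yes"
# shadows a later "PasswordAuthentication no".
hardened=$(mktemp); shadowed=$(mktemp)
trap 'rm -f "$hardened" "$shadowed"' EXIT
printf '%s\n' 'Port 10022' 'ListenAddress 10.1.1.53' 'PubkeyAuthentication yes' \
    'AuthorizedKeysFile %h/.ssh/authorized_keys' 'PasswordAuthentication no' > "$hardened"
printf '%s\n' '#Port 10022' 'passwordauthentication yes' \
    'PasswordAuthentication no' > "$shadowed"
echo "hardened: [$(audit_sshd_config "$hardened")]"
echo "shadowed: [$(audit_sshd_config "$shadowed")]"
```

The second sample reports password-auth even though the file contains "PasswordAuthentication no", because the earlier line takes precedence.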
You can try these VPS security hardening steps on our platform in a few minutes using our PCS (Private Cloud Solution), which allows you to have VPSie(s) on a private network – NAT – port forwarding – traffic control for inbound and outbound – multiple gateway IPs which you could use for load balancing and failover.
# service mysqld restart

Now that you are sure you have successfully restarted the server, you can check whether your MySQL server is actually running by running netstat on your Linux machine. This will show you all the applications which are listening on your server. The output should look something like this:

# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      960/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      904/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      876/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      904/nginx
tcp6       0      0 :::22                   :::*                    LISTEN      876/sshd

MySQL servers run on port 3306 by default, so if you see port 3306 listening you are good to go. The next step is to set the root password so that no one has passwordless access to your databases. You do that with the following command:

# mysqladmin -u root password 'some_very_hard_and_complicated_password'

To check that the password was configured, you can log in to your MySQL database:

# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.5.37-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

When prompted for the password, use the password which you configured in the previous step. To leave the mysql prompt just type quit or \q. In case you have lost or forgotten your MySQL root password, you can reset it. For that, you will first need to stop the MySQL server and start it in safe mode.

# service mysqld stop
# mysqld_safe --skip-grant-tables

You should see the MySQL server start, and you should be able to log in to it without a password. Now connect to the mysql database and run the following query to reset your MySQL password:

# mysql --user=root mysql
mysql> update user set Password=PASSWORD('new-password') where user='root';
mysql> flush privileges;
mysql> exit;

Kill your running MySQL service and start it normally.

# killall -9 mysqld_safe
# service mysqld start

Now your MySQL password has been reset and you can safely log in to your database with your new password.
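Returning to the netstat check earlier in this section, the following added example (not from the original article) sorts listeners by how widely they are bound. It uses the netstat output shown above plus one constructed line for the 10.1.1.53:10022 listener from the SSH section; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: classify `netstat -ntlp` listeners by bind scope.

# exposure_report: read netstat output on stdin and print "scope port program"
# for each listening TCP socket.
exposure_report() {
    awk '
        $1 !~ /^tcp/ || $6 != "LISTEN" { next }    # headers, non-listening sockets
        {
            n = split($4, parts, ":")
            port = parts[n]                        # port follows the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::")       scope = "all-interfaces"
            else if (host ~ /^127\./ || host == "::1")   scope = "loopback"
            else                                         scope = "specific-ip"
            prog = $7
            sub(/^[0-9]+\//, "", prog)             # "960/mysqld" -> "mysqld"
            print scope, port, prog
        }
    '
}

# exposed: unique "program:port" pairs reachable on every interface.
exposed() {
    exposure_report | awk '$1 == "all-interfaces" { print $3 ":" $2 }' | sort -u
}

# Sample input: the article's netstat output, plus one constructed line (the last)
# for an sshd bound to a single address as in the SSH section.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 960/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 904/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 876/sshd
tcp6 0 0 :::80 :::* LISTEN 904/nginx
tcp6 0 0 :::22 :::* LISTEN 876/sshd
tcp 0 0 10.1.1.53:10022 0.0.0.0:* LISTEN 14035/sshd
EOF
}

sample_netstat | exposure_report
echo "reachable on all interfaces: $(sample_netstat | exposed | tr '\n' ' ')"
```

On a live host, pipe the real command into the function: `netstat -ntlp | exposure_report`.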
You can try these MySQL server steps on our platform in a few minutes using our PCS (Private Cloud Solution), which allows you to have VPSie(s) on a private network – NAT – port forwarding – traffic control for inbound and outbound – multiple gateway IPs which you could use for load balancing and failover.