When a new Linux-based VPSie is deployed, it comes with the default SSH configuration file. This means that the SSH server listens on TCP port 22 and accepts password-based authentication.
To find systems with the SSH port open on the internet, attackers send a TCP SYN packet to a broad range of IP addresses. The IP addresses that return a SYN+ACK packet are kept in a list of servers to brute-force later with username and password pairs.
There are a few simple measures that remove you from the herd by changing the OpenSSH configuration file. Here they are:
First, if you are able to connect to higher TCP ports from your internet connection(s) to destinations on the internet, especially your VPS server, then change the SSH listen port to a higher one. !!! Note that this step must be done only after you have made sure you can access your VPSie via the web console, to avoid locking yourself out !!!
As stated previously, attackers send a TCP SYN packet to destination port 22 across a broad range of IPs. Your server will not reply if SSH listens on another port.
To accomplish this, locate sshd_config (on both CentOS and Debian it is located under the “/etc/ssh” directory), edit it and change or uncomment the “ListenAddress” directive to something like “ListenAddress 0.0.0.0:10022”.
A little more about this directive. In Unix and Linux networking terms, the 32-bit all-zero address “0.0.0.0” refers to all local addresses, i.e. all local interfaces. If you know what you are doing you can either use this or be very specific about which IP address you want your SSH server to listen on. Here is another example that makes it listen on a specific IP address: “ListenAddress 10.1.1.53:10022”.
Save the configuration file and check:
# lsof -Pni :10022
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 14035 root 3u IPv4 182063 0t0 TCP 10.1.1.53:10022 (LISTEN)
The above confirms that the command “sshd” with process ID 14035 and file descriptor 3u listens on IP 10.1.1.53, port 10022 (a non-standard port for SSH). The socket is of IPv4 type.
The above is just an example. You should use the IP assigned to the interface intended to accept inbound SSH connections.
A second best practice is to disable password authentication in SSH. This leaves you with only the (secure) option of authenticating with SSH keys.
Creating and deploying SSH keys is outside the scope of this article (but will be the subject of a future one), so I will assume this step has been completed. Here is what needs to be changed in the “sshd_config” file:
...
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
...
PasswordAuthentication no
...
The first three directives enable RSA authentication and enable the authorized_keys file to hold public keys. When SSH RSA authentication is implemented, remember that the SSH server ALWAYS keeps the public key and the user holds the private key. That is why it is the user's responsibility to keep it safe and to report its loss or worse, and the administrator's responsibility to react and remove the public key if the corresponding private key has been compromised.
Now, to confirm the above, I am going to try to SSH to localhost:
$ ssh localhost
ssh: connect to host localhost port 22: Connection refused
Port 22 is not open any more.
$ ssh localhost -p 10022
ssh: connect to host localhost port 10022: Connection refused
Port 10022 is not working either. Why? Because SSH listens on a specific IP address:
$ ssh 10.1.1.53 -p 10022
Permission denied (publickey).
OK. So I cannot log in to port 22 any more and I cannot log in using passwords.
A future article will describe how to use an SSH key pair for SSH authentication.
You can actually try these VPS hardening steps on our platform in a few minutes utilizing our PCS (Private Cloud Solution), which allows you to have VPSie(s) on a private network – NAT – port forwarding – traffic control for inbound and outbound – multiple gateway IPs which you can use for load balancing and failover.
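As an added example, not part of the original article, here is a POSIX shell script that applies the port change and the key-only authentication settings described above to a copy of sshd_config and checks the result. It works on a constructed sample config in a temporary file; the address 10.1.1.53 and port 10022 are the article's example values, and the helper names set_directive, get_directive, harden_sshd_config and check_sshd_config are mine, not OpenSSH's.

```shell
#!/bin/sh
# Added example (not from the original article): apply the sshd_config
# changes described above as idempotent edits and verify the result.
# The config content, IP and port used in the demo are constructed samples.

# set_directive FILE KEY VALUE
# Remove every top-level copy of KEY (active or commented out) and write one
# "KEY VALUE" line, placed before the first Match block so it stays global.
set_directive() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        $0 ~ "^(#[ \t]*)?" key "([ \t]|$)" { next }
        /^[ \t]*Match[ \t]/ && !emitted { print key " " value; emitted = 1 }
        { print }
        END { if (!emitted) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_directive FILE KEY -> prints the first active (uncommented) value, if any
get_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd_config FILE IP PORT -> the directives from the article, plus
# PermitRootLogin no from the FAQ section
harden_sshd_config() {
    file=$1; ip=$2; port=$3
    set_directive "$file" ListenAddress "$ip:$port"
    set_directive "$file" PubkeyAuthentication yes
    set_directive "$file" AuthorizedKeysFile %h/.ssh/authorized_keys
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" PermitRootLogin no
}

# check_sshd_config FILE
# Succeeds only when password logins are off and sshd is no longer on port 22.
check_sshd_config() {
    [ "$(get_directive "$1" PasswordAuthentication)" = no ] || return 1
    addr=$(get_directive "$1" ListenAddress)
    case "$addr" in
        \[*\]:*|*.*:*) port=${addr##*:} ;;                 # "[::1]:10022" or "10.1.1.53:10022"
        *)             port=$(get_directive "$1" Port) ;;  # no inline port: fall back to Port
    esac
    [ -n "$port" ] && [ "$port" != 22 ]
}

# Demo on a constructed copy of a stock config (never edit /etc/ssh directly
# before confirming console access, as the article warns).
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
    harden_sshd_config "$cfg" 10.1.1.53 10022
    check_sshd_config "$cfg" && echo "hardened: sshd will listen on $(get_directive "$cfg" ListenAddress)"
    cat "$cfg"
    rm -f "$cfg"
}
demo
```

On a real server, run harden_sshd_config against /etc/ssh/sshd_config only after confirming console access, validate the syntax with sshd -t, and then restart sshd; the lsof check shown earlier should then report the new socket. The script deliberately leaves directives inside Match blocks alone, because a Match block is the usual place for a per-user exception.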
Since quite a few VPSie apps use a MySQL database, and we do not want to force anyone into using a preset password, we have left that to your choice. To set a root password for the MySQL server you need a running MySQL server, so first run the following command:
#service mysqld restart
Once you are sure the server has restarted successfully, you can check that your MySQL server is actually running with netstat:
#netstat -ntlp
This shows all the applications listening on your server. The output should look something like this:
# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 960/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 904/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 876/sshd
tcp6 0 0 :::80 :::* LISTEN 904/nginx
tcp6 0 0 :::22 :::* LISTEN 876/sshd
MySQL servers listen on port 3306 by default, so if you see port 3306 listening you are good to go (in the output above it is bound to 127.0.0.1, so it is reachable only from the server itself).
The next step is to set the root password so that no one has passwordless access to your databases. You do that with the following command:
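As an added example (not from the original article), the following shell functions parse netstat -ntlp output like the listing above and flag every listener bound to all interfaces, so you can confirm that mysqld stays on 127.0.0.1 while seeing at a glance which services are reachable from outside. The sample listing embedded in it is constructed to match the output above; the function names exposed_listeners and mysql_is_local are mine.

```shell
#!/bin/sh
# Added example (not from the original article): read "netstat -ntlp" style
# output and report every TCP listener bound to all interfaces (0.0.0.0 or ::),
# so a service such as MySQL that should stay on 127.0.0.1 stands out.
# The sample listing below is constructed to mirror the article's output.

# exposed_listeners FILE -> "program local_address" per wildcard-bound socket
exposed_listeners() {
    awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        addr = $4
        host = addr; sub(/:[0-9]+$/, "", host)      # strip the port after the last ":"
        if (host == "0.0.0.0" || host == "::") {
            prog = $7; sub(/^[0-9]+\//, "", prog)   # "904/nginx" -> "nginx"
            print prog, addr
        }
    }' "$1" | sort -u
}

# mysql_is_local FILE -> succeeds only if port 3306 listens on loopback alone
mysql_is_local() {
    awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" && $4 ~ /:3306$/ {
        found = 1
        if ($4 != "127.0.0.1:3306" && $4 != "::1:3306") bad = 1
    }
    END { if (found && !bad) exit 0; exit 1 }' "$1"
}

demo() {
    listing=$(mktemp)
    cat > "$listing" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 960/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 904/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 876/sshd
tcp6 0 0 :::80 :::* LISTEN 904/nginx
tcp6 0 0 :::22 :::* LISTEN 876/sshd
EOF
    echo "listeners reachable from every interface:"
    exposed_listeners "$listing"
    if mysql_is_local "$listing"; then
        echo "mysqld: bound to loopback only"
    else
        echo "mysqld: WARNING, reachable from the network or not running"
    fi
    rm -f "$listing"
}
demo
```

On a live system, capture the real listing with netstat -ntlp > /tmp/listeners.txt (as root, so the PID/Program column is filled in) and pass that file to the functions; ss -ltnp prints different columns and would need its own field numbers.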
#mysqladmin -u root password 'some_very_hard_and_complicated_password'
To check that the password was configured, log in to your MySQL database:
#mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.5.37-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
When prompted for the password, use the password you configured in the previous step.
To leave the mysql prompt, type quit or \q.
In case you have lost or forgotten your MySQL root password you can reset it. First you need to stop the MySQL server and start it in safe mode, skipping the grant tables:
#service mysqld stop
#mysqld_safe --skip-grant-tables &
You should see the MySQL server start (it is backgrounded with “&” so the shell stays usable), and you can log in to it without a password. Now connect to the mysql database and run the following queries to reset the root password:
#mysql --user=root mysql
mysql> update user set Password=PASSWORD('new-password') where user='root';
mysql> flush privileges;
mysql> exit;
Kill the running MySQL service and start it normally:
#killall -9 mysqld_safe
#service mysqld start
Your MySQL root password has now been reset and you can log in to your database with the new password.
You can actually try these MySQL server steps on our platform in a few minutes utilizing our PCS (Private Cloud Solution), which allows you to have VPSie(s) on a private network – NAT – port forwarding – traffic control for inbound and outbound – multiple gateway IPs which you can use for load balancing and failover.
FAQ
SSH hardening refers to the process of securing your Linux VPS (Virtual Private Server) by tightening the security configuration of the SSH (Secure Shell) service. This is done by disabling or limiting certain features of SSH that can be exploited by attackers to gain unauthorized access to your VPS.
SSH is one of the most commonly used methods for remotely accessing and managing Linux servers. However, it is also a prime target for attackers looking to gain unauthorized access to your server. SSH hardening is important because it helps to reduce the risk of successful attacks against your VPS by limiting the attack surface available to attackers.
Some common SSH hardening techniques include disabling root login, using SSH key authentication, changing the default SSH port, limiting access to specific IP addresses, and enforcing strong password policies.
To disable root login via SSH, you can modify the SSH daemon configuration file (/etc/ssh/sshd_config) and set the “PermitRootLogin” directive to “no”. After making the change, you will need to restart the sshd service for the change to take effect.
To use SSH key authentication, you will need to create a public/private key pair on your local machine and then copy the public key to your VPS. You can then configure your SSH daemon to only allow key-based authentication and disable password authentication. This is generally considered to be more secure than using passwords alone.
Changing the default SSH port can be an effective way to reduce the risk of automated attacks that target the default SSH port (port 22). However, it is very important to note that this does not provide complete security and can easily be bypassed by determined attackers.
To limit access to specific IP addresses, you can configure your SSH daemon to only allow connections from a whitelist of trusted IP addresses. This can be done by modifying the “sshd_config” file and using the “AllowUsers” directive with user@host entries (the host part restricts where that user may connect from); the “AllowGroups” directive takes group names only, so a firewall rule is the usual way to restrict source addresses for everyone.
Other best practices for SSH hardening include keeping your SSH daemon and operating system up to date with the latest security patches, implementing intrusion detection and prevention systems, using two-factor authentication, and monitoring your SSH logs for suspicious activity.
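As an added example (not from the original article), here is a small shell script for the "monitor your SSH logs" advice above: it counts failed password and invalid-user attempts per source address in auth.log style lines and lists the sources that cross a threshold, which is the signal you would feed to a block list or an alert. The log lines are constructed samples using documentation addresses, and the function names and the threshold value are mine.

```shell
#!/bin/sh
# Added example (not from the original article): summarise failed SSH logins
# per source address from auth.log style sshd lines. The log lines in the
# demo are constructed samples; the threshold is an assumed tuning value.

# failed_logins_by_ip FILE -> "count ip" lines, most frequent first
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
        # the source address is the token after the word "from"
        for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# noisy_sources FILE THRESHOLD -> addresses with at least THRESHOLD failures
noisy_sources() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

demo() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
Jun  3 10:01:02 vps sshd[2210]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jun  3 10:01:05 vps sshd[2210]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jun  3 10:01:09 vps sshd[2214]: Invalid user admin from 198.51.100.7 port 40130
Jun  3 10:02:40 vps sshd[2220]: Failed password for invalid user test from 203.0.113.9 port 51002 ssh2
Jun  3 10:05:11 vps sshd[2230]: Accepted publickey for deploy from 192.0.2.25 port 52201 ssh2
EOF
    echo "failed logins per source:"
    failed_logins_by_ip "$log"
    echo "sources with 3 or more failures:"
    noisy_sources "$log" 3
    rm -f "$log"
}
demo
```

Run it against /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (CentOS); successful "Accepted publickey" lines are ignored, so after password authentication is disabled every counted line is an attempt that could not have succeeded anyway, which is what makes the count a clean signal.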