VPS Setup Record - SSH Security

The VPS info I have is listed in VPS Setup Record - Basics, and I have talked about how to install LAMP at VPS Setup Record - LAMP. This is a follow-up post that aims at making our VPS more secure. Remember, to edit a file with vim you press i to start inserting; when you finish, press Esc, then type :wq to save and exit.

Using a Strong Password

The first thing is to make the password stronger and harder to guess or brute-force. A good password is long (at least 12 characters; 8 is too short against today's cracking hardware, and length counts for more than any single character class), mixes capital letters, numbers and symbols, and must NOT be, or contain, any commonly used password like the ones listed here.

Use a password manager if you are afraid of forgetting passwords; choose a trustworthy one as listed here.

Strengthen Our SSH

SSH can be vulnerable if you don't set it up correctly: a stock configuration typically still accepts password logins, which is exactly what brute-force bots look for. Open the daemon configuration:

sudo vim /etc/ssh/sshd_config

Find the following lines and change or uncomment them (referred from here). Keep the explanatory comments on their own lines: many sshd versions reject a trailing # comment on an option line (sshd -t reports "garbage at end of line"), and the daemon would then refuse to start.

# disable remote login as root
PermitRootLogin no
# never allow an empty password to log in
PermitEmptyPasswords no
# disable password authentication (optional: do so only after you have confirmed, from a second session, that you can log in with your private key)
PasswordAuthentication no
# disable challenge-response (keyboard-interactive) authentication, otherwise PAM still offers a password prompt and the setting above is bypassed; on OpenSSH 8.7 and later this keyword is an alias of KbdInteractiveAuthentication
ChallengeResponseAuthentication no
# only on distributions that support it; on CentOS/RHEL leave UsePAM at yes, because the stock sshd_config warns that "UsePAM no" is unsupported there. With the two settings above off, PAM no longer provides a password login path anyway
UsePAM no
# disable GUI forwarding
X11Forwarding no
# show /etc/issue to the client before authentication
Banner /etc/issue

You can also restrict which users may log in over SSH; anyone not listed is refused even with a valid password or key (again, keep the comment on its own line).

# username(s), space-separated
AllowUsers xxx

If you have multiple users and want different settings for some of them, append a Match block to the end of sshd_config. It must go at the end: every line after a Match applies only to connections matching it, until the next Match, so a global setting placed below it is silently ignored. For example:

# username
Match User xxx
    X11Forwarding yes

After saving the file, check it for syntax errors with sudo sshd -t (no output means the file is accepted) and keep your current session open; a mistake here locks you out of the VPS. Then restart the SSH service, and confirm from a second terminal that a new login still works before closing the first.

sudo service sshd restart

On systemd-based systems (CentOS 7 and later) the equivalent is sudo systemctl restart sshd.
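Before restarting, it is worth verifying that the settings above are the ones sshd will actually use. sshd takes the first value it finds for each keyword, so hardening lines appended below an existing "PasswordAuthentication yes" change nothing, and everything after a Match line is conditional. The script below is an added example (not from the original post) that applies that rule to a config file; the sample config it audits is constructed for the demonstration, and the function names are my own.

```sh
#!/bin/sh
# Added example (not part of the original post): audit an sshd_config
# against the settings listed above. sshd uses the FIRST value it reads
# for a keyword, so a hardened line appended below a stock
# "PasswordAuthentication yes" does nothing; this check mimics that rule
# and stops at the first Match block, after which lines are conditional.

# effective_value FILE KEYWORD
# Prints the value sshd would use in the global section (keyword matched
# case-insensitively, "Key value" or "Key=value"), or nothing if unset.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }                    # comment line
        /^[[:space:]]*$/ { next }                    # blank line
        {
            line = $0; gsub(/=/, " ", line)          # accept Key=value too
            n = split(line, f)
            if (n == 0) next
            if (tolower(f[1]) == "match") exit       # rest is conditional
            if (tolower(f[1]) == key) { print f[2]; exit }
        }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per recommended setting and returns the number that are
# not at the recommended value (0 = all good). Unset counts as a failure
# because the compiled-in default then applies, which for
# PasswordAuthentication is "yes".
audit_sshd_config() {
    failures=0
    for want in PermitRootLogin=no PermitEmptyPasswords=no \
                PasswordAuthentication=no \
                ChallengeResponseAuthentication=no X11Forwarding=no; do
        key=${want%%=*}
        expect=${want#*=}
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$expect" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}' (first value wins), want $expect"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Constructed sample config (not a real host): the hardening lines were
# appended at the bottom, but the defaults above them still win for two
# keywords, and the Match block at the end is ignored for global checks.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# distribution defaults
PasswordAuthentication yes
X11Forwarding yes

# appended hardening
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no

Match User deploy
    X11Forwarding yes
EOF
audit_sshd_config "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On a live host the authoritative check is sudo sshd -T, which prints the effective configuration after all parsing; run audit_sshd_config /etc/ssh/sshd_config first to catch ordering mistakes, then compare with sshd -T output before restarting.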

Remove Insecure Packages

telnet, rsh and ftp send credentials in clear text. Remove the client tools:

sudo yum remove telnet rsh ftp rcp

(rcp is part of the rsh package on CentOS, so yum may report no match for that name.) The server side is the larger risk: check whether telnet-server or rsh-server is installed and remove those as well, then confirm nothing is listening on ports 21, 23, 512, 513 and 514.

Delete Unnecessary Users and Groups

This is optional. In my opinion, it's always safer to have fewer accounts that could log in to or take over my VPS host. Note that the system accounts listed below normally have /sbin/nologin as their shell and a locked password, so they cannot log in by themselves; the gain is a smaller attack surface if one of them is ever given a shell or password by mistake. Execute the following to check what users and groups you have.

sudo -i
cat /etc/passwd # check what are the users
cat /etc/group

Then make a copy of the current version:

cp /etc/passwd /etc/passwd_bak
cp /etc/group /etc/group_bak

Remove the users and groups that are unnecessary. Check first that no installed package depends on an account (for example CUPS runs as lp and NFS maps anonymous access to nfsnobody); deleting such an account orphans the files it owns and can break the service. Be aware that userdel -f also removes the account's home directory even if it is still in use.

for a in adm lp sync news uucp operator games gopher mailnull nscd; do /usr/sbin/userdel -f "$a"; done
for a in lp news uucp games gopher users floppy nscd nfsnobody; do /usr/sbin/groupdel -f "$a"; done
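Deleting accounts is a blunt tool; what matters is which accounts can actually authenticate. The script below is an added example (not from the original post) that reads passwd and shadow files and reports accounts with an interactive shell and an unlocked or empty password, plus any extra UID 0 account. The sample files it runs on are constructed for the demonstration (the hashes are placeholders), and the function name is my own.

```sh
#!/bin/sh
# Added example (not part of the original post): before deleting accounts,
# list which ones could actually log in. An account needs a real shell AND
# an unlocked (or empty) password to authenticate with a password; the
# system accounts above have /sbin/nologin and a locked hash, so they add
# no login surface, while deleting them orphans files owned by that user.
# Any second UID 0 account is reported regardless, since it is root.

# login_capable PASSWD_FILE SHADOW_FILE
# Prints "user uid shell reason" for each account worth attention and
# returns how many it found. SSH keys are a separate path: also review
# ~/.ssh/authorized_keys for every account with a real shell.
login_capable() {
    awk -F: '
        FILENAME == ARGV[1] { hash[$1] = $2; next }  # shadow: remember hashes
        {
            user = $1; uid = $3; shell = $7
            interactive = (shell != "" && shell !~ /(nologin|false)$/)
            # no shadow entry: fall back to the passwd field ("x" counts
            # as unlocked, which is the conservative reading)
            h = (user in hash) ? hash[user] : $2
            reason = ""
            if (uid == 0 && user != "root")       reason = "uid 0"
            else if (interactive && h == "")      reason = "empty password"
            else if (interactive && h !~ /^[!*]/) reason = "unlocked password"
            if (reason != "") { print user, uid, shell, reason; n++ }
        }
        END { exit n + 0 }
    ' "$2" "$1"
}

# Constructed sample files (not a real system); $6$... hashes are placeholders.
passwd=$(mktemp); shadow=$(mktemp)
cat > "$passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
oldintern:x:1001:1001::/home/oldintern:/bin/bash
toor:x:0:0::/tmp:/bin/bash
EOF
cat > "$shadow" <<'EOF'
root:$6$salt$placeholderhash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
adm:*:18000:0:99999:7:::
lp:*:18000:0:99999:7:::
nfsnobody:!!:18000:0:99999:7:::
deploy:$6$salt$placeholderhash:18000:0:99999:7:::
oldintern::18000:0:99999:7:::
toor:!!:18000:0:99999:7:::
EOF
login_capable "$passwd" "$shadow" || echo "$? account(s) to review"
rm -f "$passwd" "$shadow"
```

On a real host run login_capable /etc/passwd /etc/shadow as root. In the sample, adm, lp and nfsnobody are not reported at all (nologin shell, locked hash), while the empty-password account and the second UID 0 account are the real findings. For an account you want to neutralise without deleting it, usermod -L -s /sbin/nologin name locks the password and removes the shell while keeping file ownership intact; after any deletion, find / -xdev -nouser -o -nogroup lists files left without an owner.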
