This article covers some helpful changes you can make to your server to improve SSH (Secure Shell) security. Restricting and properly configuring SSH access is recommended for securing your server.
Be cautious about whom you grant SSH access. If a user does not require SSH access, do not grant it. Use the Manage Shell Access interface of WHM to revoke a user's SSH access.
WHM >> Home >> Account Functions >> Manage Shell Access
Some users might need SSH access, but only to files in their home directory. It is recommended that such users be assigned a jailed shell environment.
Before delving into it further, let us touch upon SSH.
What is SSH?
SSH stands for Secure Shell Protocol. It is a cryptographic network protocol used to operate network services securely over an unsecured network. Its typical applications are remote login and remote command-line execution, but SSH can be used to secure any network service. It was designed as a replacement for Telnet and for unsecured remote shell protocols: the Berkeley rsh and the related rlogin and rexec protocols. These protocols send information such as passwords in plaintext, which leaves them vulnerable to interception and disclosure through packet analysis. SSH's encryption is meant to provide data confidentiality and data integrity over an unsecured network.
SSH provides a secure channel over an unsecured network through a client-server architecture that connects an SSH client application with an SSH server. The protocol specification distinguishes between two versions, referred to as SSH-1 and SSH-2.
SSH is usually used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.
SSH uses public-key cryptography to authenticate the remote computer and, where needed, to let it authenticate the user. SSH can be used in several ways. One involves automatically generated public-private key pairs that encrypt the network connection, with password authentication then used to log on. Another uses a manually generated public-private key pair for authentication, which lets users or programs log in without specifying a password. In this scenario anyone can produce a matching pair of public and private keys. The public key is placed on every computer that must allow access to the owner of the matching private key, and the owner keeps the private key secret. Authentication is based on the private key, but the key itself is never transferred over the network during authentication: SSH merely verifies that the entity offering the public key also owns the matching private key. In all versions of SSH it is essential to verify unknown public keys before accepting them as valid; if an attacker's public key is accepted without validation, the attacker is authorized as a legitimate user.
SSH is typically used to log in to a remote machine and execute commands. It also supports tunnelling, forwarding TCP ports, and X11 connections, and it can transfer files with the associated secure copy (SCP) or SSH File Transfer (SFTP) protocols.
SSH is important in cloud computing for resolving connectivity issues without the security problems of exposing a cloud-based VM (Virtual Machine) directly on the Internet. In the context of cloud technology, let us digress and briefly mention that cloud hosting, which is a type of web hosting service, is growing in popularity day by day due to the numerous benefits that it has to offer. HTS Hosting offers various affordable plans for cloud hosting, along with the other types of hosting services. Due to the high quality of service delivered by HTS Hosting, it is regarded as the "Best Cloud Hosting Company" or as the "Top Cloud Hosting Company" globally and has witnessed a steady growth in its clientele.
Setting an SSH Legal Message
An SSH legal message, known as the message of the day (motd), is displayed by the system whenever anyone logs in to your server through SSH.
To set the message, open the /etc/motd file in your preferred text editor, enter the message, and save your changes.
Using SSH Keys
You can disable password authentication for SSH on your server, which forces users to log in through SSH with keys instead of passwords.
You need to carry out the following steps for this purpose:
1. Use the Manage root's SSH Keys interface of WHM to generate and download a key for the root user.
WHM >> Home >> Security Center >> Manage root’s SSH Keys
2. Use the SSH Password Authorization Tweak interface of WHM to disable SSH password authentication.
WHM >> Home >> Security Center >> SSH Password Authorization Tweak
Strengthening the Security of SSH
Your server's SSH configuration settings are contained in the /etc/ssh/sshd_config file.
It is recommended that you change the following settings.
Port – The port number on which the sshd daemon listens for connections. 49151 is the highest acceptable value.
Protocol – The SSH protocol version used by your server. It is recommended that this value be set to 2.
ListenAddress – The IP address on which the sshd daemon listens for connections. This IP address must be owned by your server, and it is strongly recommended that you do not use your main shared IP address for this value. You can create a custom DNS entry specifically for the new SSH IP address: create a zone file for it and then add an A record to that zone file. This creates the new nameserver entry.
PermitRootLogin – Specifies whether users may log in to SSH directly as the root user. It is recommended that this value be set to no.
Editing the sshd_config File
Carry out the following steps to configure the /etc/ssh/sshd_config file and increase your server's security:
1. Log in to your server via SSH as the root user. If your server does not allow direct root logins over SSH, log in as your wheel user and use the su command to become the root user.
2. Back up the sshd_config file with the following command.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak`date +%F`
3. Use a text editor to open the /etc/ssh/sshd_config file.
4. To change a parameter in the sshd_config file, uncomment the line that contains it by removing the number-sign character (#), then change the line's value. Note that if you change the default SSH port, you must also update your server's firewall configuration to allow traffic to the new port.
After you have configured SSH, run the /scripts/restart_sshd script or the command service sshd restart to restart the SSH daemon.
Once SSH has restarted, log out of your server, then log in again with the user, IP address, and port number specified in the sshd_config file.
Important: if you accidentally misconfigure your SSH configuration file, navigate to the following link in your web browser.
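The settings listed above and the editing steps just described, as an added shell example that is not part of the original article or of cPanel/WHM: it rewrites the four options in a copy of sshd_config and, in validate_and_restart, only restarts sshd after `sshd -t` accepts the file. The helper names, the sample config and the 203.0.113.5 address are assumptions.

```shell
# Added example (not from the article or cPanel/WHM): apply the sshd_config
# settings the article lists to a file, then validate before restarting.
# Helper names, the sample config and the 203.0.113.5 address are hypothetical.

# set_sshd_option FILE KEY VALUE: replace every "KEY ..." line, commented
# out or not, with "KEY VALUE"; append the line if the key is absent.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E -i.bak "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >>"$file"
    fi
}

# get_sshd_option FILE KEY: print the value sshd would use (first uncommented line).
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE PORT ADDR: the four changes recommended in the article.
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" ListenAddress "$3"
    set_sshd_option "$1" PermitRootLogin no
}

# validate_and_restart FILE: restart only if sshd accepts the file; restarting
# on a broken config is what locks you out and forces the autofixer step.
validate_and_restart() {
    if sshd -t -f "$1"; then
        /scripts/restart_sshd 2>/dev/null || service sshd restart
    else
        echo "sshd rejected $1; fix it before restarting" >&2
        return 1
    fi
}

# make_sample_config FILE: constructed stand-in for a stock sshd_config.
make_sample_config() {
    printf '%s\n' '#Port 22' '#ListenAddress 0.0.0.0' \
        'PermitRootLogin yes' 'X11Forwarding yes' >"$1"
}

# Demo on a throwaway copy, so nothing on the host is touched.
demo=$(mktemp); make_sample_config "$demo"
harden_sshd "$demo" 2222 203.0.113.5
cat "$demo"
```

On a real server, run harden_sshd against /etc/ssh/sshd_config only after the dated backup from step 2, and remember that a changed Port also needs a firewall rule before the restart.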
https://example.com:2087/scripts2/doautofixer?autofix=safesshrestart
Here, "example.com" represents the server's hostname or main IP address.
This temporarily configures an extra SSH configuration file for port 22, which lets you access, fix, and edit the original SSH configuration file. If port 22 is in use by another service or daemon, the script configures the additional SSH configuration file for port 23 instead.
This concludes the information on some of the important ways to keep SSH secure.