|- valign="top"
|{{Admon/note |Hardening your Linux Server | Any time you configure your computer to allow logins from the network, you are leaving yourself '''vulnerable to potential unauthorized access''' by so-called "hackers". Running the sshd service is a fairly common practice, but '''care must be taken to make things more difficult for those hackers who attempt to use "brute force" attacks to gain access to your system. Hackers use their knowledge of your system and many password guesses to gain access'''. They know which port is likely open to attack (TCP:22) and the administrative account name (root); all they need to do is "guess" the password.<br><br> Making your root password (and all other accounts!) both quite complex and easy to remember is not hard. '''Passwords should be a minimum of 8 characters long''', preferably longer, and contain upper and lower case letters, numbers, and special characters. A good example of a strong password might be "LotR3--RotK." This is not that hard to remember as it corresponds to a book title: "Lord of the Rings 3 Return of the King." The password "P@ssw0rd!" is not as good because it is quite obvious and common.}}
|}
# Think of a good quality password and change your root passwords on all 3 VMs to be more secure. (It would be a good idea to do this for non-root accounts also.)
# The next change you can make is to prevent the root account from logging in to sshd altogether.
# Edit the file <code>'''/etc/ssh/sshd_config'''</code> and look for the option <code>'''PermitRootLogin'''</code>. Uncomment the option (or add the option if it does not appear) and change the option value to <code>'''"no"'''</code>.
# Even better, it is possible to restrict access to just specific users that require it.
# Edit the file <code>'''/etc/ssh/sshd_config'''</code> and add a new option of <code>'''"AllowUsers account"'''</code> using your login account for account.
# In order for these changes to be effective, issue the following command to restart the sshd service:<br /><b><code><span style="color:#3366CC;font-size:1.2em;">service sshd restart</span></code></b>
# Now any hacking attempt also has to guess an account name as well as the password. If you need to ssh with root access, ssh as a regular user and use <code>'''su -'''</code> to become root.
# Next change the default port number that sshd uses (TCP:22).
# Edit the sshd configuration file again and change the port number it uses to 2200.
# Restart the service.
# Confirm the new port is being used with the <code>'''netstat'''</code> command.
# Before we can use this new port we must change our firewall to allow traffic through the new port number and block access to port 22 by issuing the commands:<br /><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -I INPUT -p tcp -s0/0 --dport 2200 -j ACCEPT</span></code></b><br /><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -I INPUT -p tcp -s0/0 --dport 22 -j DROP</span></code></b>
# To test the new port connect to '''centos1''' from '''centos2''' using the following command:<br /><b><code><span style="color:#3366CC;font-size:1.2em;">ssh -p 2200 user@centos1</span></code></b>
{{Admon/important|Cannot connect via SSH?|To fix issues with the ability to ssh, on both machines:<ul><li>Ensure ssh is running: <code>systemctl status sshd.service</code>.</li><li>Disable SELinux by going into /etc/selinux/config and changing "enforcing" to "disabled" and "targeted" to "minimum".</li><li>If you are still encountering problems, flush iptables.</li></ul>}}
{{Admon/tip | Tip! | For scp access the option to be used is: <code>scp -P 2200</code>}}
{{Admon/tip | Tip! | For more ideas on making sshd more secure consult the HOW-TO link above.}}
<ol><li value="14">Finally, as a system administrator you should periodically monitor your system logs for unauthorized login attempts.</li>
<li>On CentOS systems the log file that is used is <code>'''/var/log/secure'''</code>.</li>
<li>It also logs all uses of the <code>'''su'''</code> and <code>'''sudo'''</code> commands.</li>
<li>Attempt to connect to all of your VMs as root and other users using both public key and password authentication. Use some '''su''' and '''sudo''' commands also.</li>
<li>Inspect the log to see what kind of information is logged.</li>
</ol>
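One way to carry out the periodic log check described above, as an added example that is not part of the original lab: a shell function that counts sshd login results in <code>/var/log/secure</code> by result, method, user and source address. The function names, the sample log lines and the addresses in them are constructed for illustration, and the traditional syslog line layout is assumed.

```bash
#!/bin/bash
# Added example: summarise sshd login results from a CentOS-style /var/log/secure.

# Constructed sample lines (not from a real host) in the usual sshd log format.
sample_secure_log() {
cat <<'EOF'
Mar  3 10:01:11 centos1 sshd[2101]: Failed password for root from 192.168.122.12 port 40122 ssh2
Mar  3 10:01:14 centos1 sshd[2101]: Failed password for root from 192.168.122.12 port 40122 ssh2
Mar  3 10:02:30 centos1 sshd[2107]: Failed password for invalid user admin from 192.168.122.12 port 40130 ssh2
Mar  3 10:05:02 centos1 sshd[2115]: Accepted publickey for alice from 192.168.122.11 port 51514 ssh2: RSA SHA256:CONSTRUCTED
Mar  3 10:06:45 centos1 sshd[2120]: Accepted password for alice from 192.168.122.11 port 51520 ssh2
Mar  3 10:06:45 centos1 sshd[2120]: pam_unix(sshd:session): session opened for user alice by (uid=0)
EOF
}

# summarize_secure FILE
# Prints "<count> <result> <method> <user> <source-ip>", busiest first.
# Accounts that do not exist on the server are shown as "invalid:<name>".
summarize_secure() {
    awk '
    / sshd\[[0-9]+\]: (Failed|Accepted) / {
        res = how = user = ip = ""
        for (i = 1; i < NF; i++) {
            if (res == "" && ($i == "Failed" || $i == "Accepted")) {
                res = $i; how = $(i+1)
            }
            if (user == "" && $i == "for") {
                if ($(i+1) == "invalid" && $(i+2) == "user")
                    user = "invalid:" $(i+3)
                else
                    user = $(i+1)
            }
            # Keep the last "from <ip> port" so odd user names do not shift the IP.
            if ($i == "from" && $(i+2) == "port") ip = $(i+1)
        }
        count[res " " how " " user " " ip]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; on a real host run: summarize_secure /var/log/secure
tmp=$(mktemp) && sample_secure_log > "$tmp" && summarize_secure "$tmp"; rm -f "$tmp"
```

Repeated <code>Failed password</code> rows for root or for <code>invalid:</code> accounts from one address are the brute-force pattern described in the note at the top of this section.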