Posted on December 6th, 2012 in AWS, security, ssh
The popular port.
By default SSH runs on port 22 on your server. Though I'm not a proponent of security by obscurity, moving your sshd to a high-numbered port (like 3293) will cut the number of brute-force attempts against your SSH by nearly 100%. (Stats gathered by reviewing /var/log/secure on servers I have or have had access to for years.) This used to be pretty important, but it is even more so with cloud services like Amazon EC2, where hackers and script kiddies can sweep whole subnets of Amazon's published elastic IP ranges looking for port 22. (On a related note, Stack Overflow blocked all EC2 instances from accessing their site using the same approach.) Keep in mind that a non-standard port only hides you from untargeted scanners; anyone who port-scans your host specifically will still find sshd, so the configuration hardening further down still matters.
If for some reason you cannot move the SSH port, for example on a legacy system that dozens or hundreds of people already connect to, the next best thing is to install DenyHosts, a free tool written in Python that watches the auth log and bans IP addresses that make too many failed login attempts by adding them to /etc/hosts.deny.
DenyHosts isn't in the stock CentOS repositories, but it is packaged in EPEL. Add the EPEL repository and install it with (the epel-release package is noarch, so the same file works on x86_64):
sudo rpm -Uvh http://mirror.metrocast.net/fedora/epel/6/i386/epel-release-6-7.noarch.rpm
sudo yum install denyhosts
After that, add your own IP address to /etc/hosts.allow in the format sshd: 220.127.116.118 so that DenyHosts will never blacklist you (lock yourself out once and you will appreciate this line), tweak /etc/denyhosts.conf to your liking (the DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT settings control how many failures a source gets for non-existent users, real users and root respectively), and restart the service with sudo service denyhosts restart. It starts analyzing /var/log/secure and banning IPs almost instantly, as you can see from the screenshot. After a few weeks it can optionally purge old entries (the PURGE_DENY setting) so the ban list doesn't get huge.
The folks at Digital Ocean have a great entry that can walk you through the rest.
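To make concrete what DenyHosts is doing with /var/log/secure, here is an added example in Python (written for this page; it is not part of the original post and not DenyHosts' own code). It applies thresholds mirroring the defaults in denyhosts.conf (DENY_THRESHOLD_INVALID = 5, DENY_THRESHOLD_VALID = 10, DENY_THRESHOLD_ROOT = 1) to a few constructed sshd log lines and honours an sshd: entry in hosts.allow, producing the lines DenyHosts would append to /etc/hosts.deny. It is simplified on purpose: it only recognizes the "Failed password for ..." form of the log line and ignores DenyHosts' time windows and the other patterns it matches.

```python
import re
from collections import Counter, defaultdict

# Thresholds mirroring the defaults in /etc/denyhosts.conf.
DENY_THRESHOLD_INVALID = 5   # failures for user names that do not exist on the box
DENY_THRESHOLD_VALID = 10    # failures for real, non-root accounts
DENY_THRESHOLD_ROOT = 1      # failures for root: one strike and you're out

# The sshd line this simplified version keys on in /var/log/secure.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# 'sshd: a.b.c.d' entries in /etc/hosts.allow, as recommended for your own IP.
ALLOW_RE = re.compile(r"^\s*sshd\s*:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed sample of /var/log/secure (not a real capture): RFC 5737 test
# addresses plus the post's example IP, which is whitelisted below.
SAMPLE_SECURE_LOG = """\
Dec  6 02:11:01 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec  6 02:11:05 web1 sshd[4025]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Dec  6 02:11:06 web1 sshd[4025]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Dec  6 02:11:07 web1 sshd[4025]: Failed password for invalid user oracle from 198.51.100.23 port 40113 ssh2
Dec  6 02:11:08 web1 sshd[4025]: Failed password for invalid user test from 198.51.100.23 port 40114 ssh2
Dec  6 02:11:09 web1 sshd[4025]: Failed password for invalid user guest from 198.51.100.23 port 40115 ssh2
Dec  6 02:12:40 web1 sshd[4031]: Failed password for deploy from 192.0.2.9 port 52210 ssh2
Dec  6 02:12:41 web1 sshd[4031]: Failed password for deploy from 192.0.2.9 port 52210 ssh2
Dec  6 02:12:44 web1 sshd[4031]: Accepted publickey for deploy from 192.0.2.9 port 52210 ssh2
Dec  6 02:13:00 web1 sshd[4040]: Failed password for root from 220.127.116.118 port 33010 ssh2
"""
SAMPLE_HOSTS_ALLOW = "sshd: 220.127.116.118\n"


def parse_hosts_allow(text):
    """Return the set of IPs whitelisted for sshd in hosts.allow."""
    allowed = set()
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            allowed.add(m.group("ip"))
    return allowed


def classify_failures(log_text):
    """Count failed-password attempts per source IP in DenyHosts' three buckets."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # e.g. 'Accepted publickey' lines are not failures
        if m.group("user") == "root":
            bucket = "root"
        elif m.group("invalid"):
            bucket = "invalid"
        else:
            bucket = "valid"
        counts[m.group("ip")][bucket] += 1
    return counts


def hosts_to_deny(log_text, hosts_allow_text=""):
    """Return the 'sshd: IP' lines DenyHosts would append to /etc/hosts.deny."""
    allowed = parse_hosts_allow(hosts_allow_text)
    deny = []
    for ip, c in sorted(classify_failures(log_text).items()):
        if ip in allowed:
            continue  # never ban yourself, no matter how many typos
        if (c["root"] >= DENY_THRESHOLD_ROOT
                or c["invalid"] >= DENY_THRESHOLD_INVALID
                or c["valid"] >= DENY_THRESHOLD_VALID):
            deny.append("sshd: " + ip)
    return deny


if __name__ == "__main__":
    for entry in hosts_to_deny(SAMPLE_SECURE_LOG, SAMPLE_HOSTS_ALLOW):
        print(entry)
```

Run against the sample, the single root failure from 203.0.113.7 and the five invalid-user failures from 198.51.100.23 are enough to ban both, the two failures from the real deploy account are under the threshold, and the root failure from the whitelisted 220.127.116.118 is ignored. Remove the hosts.allow argument and that last address gets banned too, which is exactly the lockout the whitelist step protects you from.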
Note: The one downside of switching SSH ports is that you can no longer use git in its common user@host:path syntax, since git uses SSH as its secure transport and that form has no place for a port number. See my article on using git on non-standard ports to solve that easily.
Hardening your /etc/ssh/sshd_config
There are a few adjustments you should make to your sshd config so that it's harder for the wrong person to gain access. This includes disabling password-based logins (everyone should be using SSH keys), disabling root login, and adding a banner warning that the session is being logged. Two caveats: on CentOS sshd runs with UsePAM yes, so PasswordAuthentication no alone is not enough, because PAM can still prompt for a password through keyboard-interactive authentication unless ChallengeResponseAuthentication is also set to no; and sshd uses the first occurrence of a keyword in the file, so edit the stock lines rather than appending new ones at the bottom. Run sudo sshd -t to check the syntax, and keep your current session open while you restart sshd and confirm you can still log in with your key:
# Disable password based login. Only SSH keys are allowed.
PasswordAuthentication no
# On CentOS/RHEL (UsePAM yes) this must be off too, or PAM can still ask for a password.
ChallengeResponseAuthentication no
# Add a message banner notifying that this server is logged.
Banner /etc/ssh.go.txt
# Do not allow root to login
PermitRootLogin no
# Deny root user login (redundant with PermitRootLogin no, but harmless)
DenyUsers root
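Because these settings are easy to defeat by accident (a PasswordAuthentication yes higher up in the stock file silently wins over the no you appended), here is an added example, written for this page and not taken from the post or from OpenSSH, that resolves an sshd_config the way sshd does and flags anything still weak. The ChallengeResponseAuthentication check and the default values are my assumptions about CentOS 6-era OpenSSH (newer releases default PermitRootLogin to prohibit-password), and the two sample configs are constructed. It is a file-level check, not a replacement for sshd -T on the box, which prints the configuration sshd actually ends up with.

```python
import re

# Hardened values the post asks for. ChallengeResponseAuthentication is an
# assumption added here: on RHEL/CentOS sshd runs with UsePAM yes, and PAM can
# still prompt for a password unless this is off as well.
WANTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitrootlogin": "no",
}
# What sshd assumes when the keyword is absent (assumed OpenSSH defaults of the
# CentOS 6 era; newer OpenSSH defaults PermitRootLogin to prohibit-password).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
    "port": "22",
}

# Constructed samples, not real files. WEAK_CONFIG is a stock-style CentOS 6 file
# where an admin appended the hardening lines at the bottom without touching the
# earlier ones; sshd keeps the first PasswordAuthentication it sees.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
#PermitRootLogin yes
Banner /etc/ssh.go.txt
# added later, at the end of the file:
PasswordAuthentication no
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 3293
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
DenyUsers root
Banner /etc/ssh.go.txt
"""


def effective_settings(config_text):
    """Resolve sshd_config the way sshd does: keywords are case-insensitive,
    whitespace or '=' separates keyword and value, lines starting with '#'
    are comments, and the FIRST occurrence of a keyword wins. Match blocks
    are conditional and out of scope here, so parsing stops at the first one."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, later ones ignored
    return settings


def audit(config_text):
    """Return findings for every hardened keyword whose effective value
    (explicit or defaulted) is not what we want. An empty list means all good."""
    eff = effective_settings(config_text)
    findings = []
    for key, wanted in WANTED.items():
        actual = eff.get(key, DEFAULTS[key]).lower()
        if actual != wanted:
            findings.append("%s is '%s' (want '%s')" % (key, actual, wanted))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit(cfg) or "ok")
```

On the weak sample the audit reports two problems: passwords are still accepted because the stock PasswordAuthentication yes comes first, and ChallengeResponseAuthentication was never set so it falls back to yes. The hardened sample, which also moves sshd to port 3293 as discussed above, comes back clean.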
Following the above steps should make your SSH more secure. Happy SSHing!