
How to secure Debian Server 9.X – Disable root login & change SSH port
Now that we have already set up our SSH keys, we can harden the server even more. If you have not set up SSH keys, please check my other post here.
Changing the Port that the SSH Daemon Runs On
I suggest that you change the default port that SSH runs on. This can help decrease the number of authentication attempts your server is subjected to from automated bots.
To change the port that the SSH daemon listens on, you will have to log into your remote server. Open the sshd_config file on the remote system with root privileges, either by logging in with that user or by using sudo:

    sudo nano /etc/ssh/sshd_config
Once you are inside, you can change the port that SSH runs on by finding the Port 22 specification and modifying it to reflect the port you wish to use. For instance, to change the port to 4444, put this in your file:

    #Port 22
    Port 4444
Save and close the file when you are finished. To implement the changes, you must restart the SSH daemon.
    sudo systemctl restart ssh
After the daemon restarts, you will need to authenticate by specifying the port number. We will take a look at how to do this later on.
Limiting the Users Who can Connect Through SSH
To explicitly limit the user accounts that are able to log in through SSH, you can take a few different approaches, each of which involves editing the SSH daemon config file.
On your remote server, open this file now with root or sudo privileges:
    sudo nano /etc/ssh/sshd_config
The first method of specifying the accounts that are allowed to log in is using the AllowUsers directive. Search for the AllowUsers directive in the file. If one does not exist, create it anywhere. After the directive, list the user accounts that should be allowed to log in through SSH:

    AllowUsers user1 user2
Save and close the file. Restart the daemon to implement your changes.
    sudo systemctl restart ssh
If you are more comfortable with group management, you can use the AllowGroups directive instead. If this is the case, just add a single group that should be allowed SSH access (we will create this group and add members momentarily):

    AllowGroups sshusers
Save and close the file.
Now, you can create a system group (without a home directory) matching the group you specified by typing:
    sudo groupadd -r sshusers
Make sure that you add whatever user accounts you need to this group. This can be done by typing:
    sudo usermod -a -G sshusers sammy
    sudo usermod -a -G sshusers brian

Replace the usernames (sammy and brian) with the users you would like to add. Now, restart the SSH daemon to implement your changes.
    sudo systemctl restart ssh
Disabling Root Login
It is often advisable to completely disable root login through SSH after you have set up an SSH user account that has sudo privileges. As explained before, if that user account is compromised, the attacker will not have full privileges on the server.
First of all, create a user with sudo privileges. Replace user1 with the username you would like to create.

    useradd -m user1 -G sudo
Then set the user's password to a password of your choice.

    passwd user1
The output will look like this. While you type the password, nothing is echoed, for security reasons.

    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
Disabling root login
To do this, open the SSH daemon configuration file with root or sudo on your remote server.
    sudo nano /etc/ssh/sshd_config
Inside, search for a directive called PermitRootLogin. If it is commented, uncomment it. Change the value to “no”:

    PermitRootLogin no
Save and close the file. To implement your changes, restart the SSH daemon.
    sudo systemctl restart ssh
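The three sections above (changing the port, restricting logins to the sshusers group, and disabling root login) all edit the same file, /etc/ssh/sshd_config, and each restart of the daemon trusts that the edit was correct. The script below is an added example and not part of the original post: it applies those three settings to a config file idempotently, keeps only one active line per keyword (sshd honours the first occurrence of a keyword and silently ignores later ones), and verifies the result. The port number, group name and setting values come from this guide; the sample config, the temporary file and the function names (set_directive, get_directive, harden, verify, check_syntax) are my own assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the three sshd_config
# edits from this guide (Port, AllowGroups, PermitRootLogin) to a config file
# in an idempotent way and verify the result before the daemon is restarted.
# The demo at the bottom works on a constructed sample file, never on /etc/ssh.
set -eu

# set_directive FILE KEY VALUE
# Rewrite the first "KEY ..." or "#KEY ..." line as "KEY VALUE". sshd honours
# only the first occurrence of a keyword, so later duplicates are commented
# out instead of being left in place where they would be silently ignored.
# If the keyword is absent it is appended. Running this twice gives the same file.
set_directive() {
    file=$1; key=$2; value=$3
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" k "([ \t]|$)" }
        $0 ~ re { if (!done) { print k " " v; done = 1 } else { print "#" $0 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_directive FILE KEY: print the effective value, i.e. the first active
# (uncommented) line for KEY; keyword comparison is case-insensitive like sshd.
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden FILE: the three settings chosen in this guide.
harden() {
    set_directive "$1" Port 4444
    set_directive "$1" AllowGroups sshusers
    set_directive "$1" PermitRootLogin no
}

# verify FILE: succeed only if all three settings are actually in effect.
verify() {
    [ "$(get_directive "$1" Port)" = 4444 ] &&
    [ "$(get_directive "$1" AllowGroups)" = sshusers ] &&
    [ "$(get_directive "$1" PermitRootLogin)" = no ]
}

# check_syntax FILE: ask sshd itself to validate the file before a restart.
# Must run as root because sshd reads the host keys; skipped with a message
# when sshd is not installed on the machine running this script.
check_syntax() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found, skipping syntax check" >&2
    fi
}

# make_sample FILE: a constructed sample resembling the stock Debian file.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not the real Debian default)
#Port 22
#AddressFamily any
#PermitRootLogin prohibit-password
PasswordAuthentication no
UsePAM yes
EOF
}

# demo: run the whole flow on a temporary copy and show the result.
demo() {
    f=$(mktemp)
    make_sample "$f"
    harden "$f"
    cat "$f"
    if verify "$f"; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

demo
```

To use it on a real server, call harden and check_syntax with sudo against /etc/ssh/sshd_config (that is, run sudo sshd -t -f /etc/ssh/sshd_config) before sudo systemctl restart ssh. Keep your current session open and confirm from a second terminal that ssh -p 4444 user1@yourserver still works before closing it; with a typo in the file or a user who is not yet in sshusers, the restarted daemon will refuse every new connection and you can lock yourself out.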
Conclusion
You should now have secured your SSH access well enough so that you won't be hacked.
If you would like to know more about hardening your Linux server, check the next parts.