Steps to Secure SSH Server

SSH attacks usually happen when you run SSH on the common port 22. If you have a simple or weak root password, there is a good chance that your server will be compromised.

We can secure the SSH server with two methods:

Method 1:

The best option to secure your SSH is to run SSH on a different port instead of the default port 22.

Disable Root Logins
Disable password authentication
Disable Port 22 and use any other port to run SSH (like Port 59122). Also block port 22 using the firewall.

Before you harden SSH, first make sure you create a user name and password. If you are running cPanel, add the username to the cPanel wheel group.

Use the following commands:

#adduser <username> -G wheel

#passwd <username>

Once the user has been created and added to the wheel group, edit the SSH configuration file /etc/ssh/sshd_config.

Change the default port 22 to any other port number, say 2199 (the example below uses 59122), and set the protocol to Protocol 2 only, which is the more secure protocol.

#vi /etc/ssh/sshd_config

Port 59122
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

#LoginGraceTime 2m
IgnoreRhosts yes
X11Forwarding no

Disable root login

Locate the line # PermitRootLogin yes in the configuration file and change it to no

PermitRootLogin no

Save the configuration and restart SSH. You will no longer be able to log in as root, and you will be able to log in only on port 59122.

Method 2: SSH Public/Private Key Authentication

SSH with public key authentication is the best proven method to safeguard your SSH server. You have to put the private key in Putty (the SSH client) and put the public key on your server.

PrivateKey -> It should be Stored in Client and used by Putty

PublicKey -> It should be Stored in Remote Server ( in /home/<username>/.ssh/authorized_keys file)

The required tools are:

Putty (SSH Login client)
PuttyGen (Putty Key Generator Tool to save Private key)

1. To enable public key authentication, you have to enable it in the SSH config file /etc/ssh/sshd_config. Look for the following lines and uncomment them:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

2. Generate both the public and private keys on the server.

[tux@localhost ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/<username>/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/<username>/.ssh/id_dsa.
Your public key has been saved in /home/<username>/.ssh/id_dsa.pub.
The key fingerprint is:
a9:22:30:c5:ed:df:2c:e7:7b:34:53:b4:82:bb:33:17 tux@localhost

id_dsa -> private key stored at /home/<username>/.ssh/

id_dsa.pub -> public key stored at /home/<username>/.ssh/

3. Copy Private Key to Putty (SSH client)

Here we need to copy the private key from the server to Putty in the form of a .ppk file (Putty private key file). The private key must be stored on the client side and the public key on the server side, inside the /home/<username>/.ssh/authorized_keys file.

Open the file id_dsa and copy the contents of the file. On the client side, paste it into a Notepad file (say privkey.txt). Make sure that there is no new line at the top or else you will get “invalid private key” from puttygen.

Start puttygen.exe > Load Existing Private Key > privkey.txt > Save Private Key

Save the private key as privkey.ppk

4. Copy Public Key to Server

Create a new file called authorized_keys inside the .ssh folder within the user's home directory, as /home/<username>/.ssh/authorized_keys, and store the public key there.
Or rename the existing id_dsa.pub to authorized_keys, as we won't be needing the id_dsa.pub file.

mv /home/<username>/.ssh/id_dsa.pub /home/<username>/.ssh/authorized_keys

To connect over SSH, use Putty:

Start Putty > enter the server's IP address > enter the new port, then load the private key: SSH > Auth > Browse Private Key for Authentication

Now connect and enter the user name; Putty will authenticate you with public key authentication.

In this way you can secure your SSH.
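
To check the result of Method 1 and of step 1 of Method 2, the following audit script (an added example, not part of the original guide) reads the global section of an sshd_config file and reports every recommended setting that is missing or different. The function names and the sample file are constructed for illustration, and treating a directive that is not set explicitly as a finding is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original guide); function names are hypothetical.

# Print the first uncommented value of KEYWORD (sshd uses the first value it
# reads; keywords are case-insensitive), or "unset" if it never appears.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }  # comments and blank lines
        tolower($1) == "match"      { exit }  # conditional blocks start here
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Succeed if sshd would listen on 22: an explicit "Port 22" (several Port
# lines may coexist) or no Port line at all, which leaves the default.
listens_on_22() {  # usage: listens_on_22 FILE
    awk '/^[ \t]*(#|$)/         { next }
         tolower($1) == "match" { exit }
         tolower($1) == "port"  { seen = 1; if ($2 == 22) hit = 1 }
         END { exit !(hit || !seen) }' "$1"
}

# Print one line per deviation; the exit status is the number of findings.
# Assumption of this example: a directive that is not set explicitly counts.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    n=0
    if listens_on_22 "$1"; then
        echo "FINDING: sshd still listens on port 22"; n=$((n + 1))
    fi
    for want in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes IgnoreRhosts=yes X11Forwarding=no; do
        got=$(sshd_value "$1" "${want%%=*}")
        [ "$got" = "${want#*=}" ] && continue
        echo "FINDING: ${want%%=*} is '$got', want '${want#*=}'"; n=$((n + 1))
    done
    return "$n"
}

# Constructed sample: only the directives this guide shows.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 59122
Protocol 2
IgnoreRhosts yes
X11Forwarding no
PermitRootLogin no
PubkeyAuthentication yes
EOF
audit_sshd_config "$sample" || echo "findings: $?"; rm -f "$sample"
```

On the sample it reports that PasswordAuthentication is unset, because the configuration shown in this guide never sets it even though Method 1 lists disabling password authentication. Before restarting the daemon, validate the edited file with sshd -t and keep the current session open until a new login on the new port succeeds.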