Securing SSH on Ubuntu 14.04
After you create a new server, there are some configuration tweaks that you should make to harden the security of your server.
Create a new user
As the root user, you have privileges to do anything that you want with the server - no restrictions. Because of this, it is better to avoid using the root user account for every task on your server. Let's start by making a new user. Replace
username with the desired user name:
Choose a new secure password and respond to the questions accordingly (or just hit ENTER to use the default value).
Giving user root privileges
New user accounts don't have privileges outside of their home folder and cannot run commands that will alter the server (like
upgrade). To avoid the use of the root account, we will give the user root privileges. There are two ways of doing this:
Adding user to sudo group
The easy way is to add the user to the
sudo group. Replace
username with the desired user name:
adduser username sudo
This will add the user to the group
sudo. This group has the privilege of running the commands with sudo access.
Modifying sudoers file
The other way is to put your user in the
sudoers file. If your server has multiple users with root privileges, then this approach is somewhat better because if someone messes with the
sudo group, you will be still able to run commands with root privileges to work on the server.
First, run this command:
This will open the
sudoers file. This file contains the definitions of groups and users who can run commands with root privileges.
root ALL=(ALL:ALL) ALL
After this line, write your user name and grant it full root privileges. Replace
username ALL=(ALL:ALL) ALL
Save and close the file (Ctrl + O and Ctrl + X in nano).
Testing your new user
To login to your new user account without
login, simply call:
Test sudo permissions using this command:
sudo apt-get update
The shell will ask for your password. If sudo was configured properly, then your repositories should be updated. Otherwise, review the previous steps.
Now, logout from the new user:
Sudo setup is complete.
The next part of this guide involves securing the ssh login to the server. First, change the root password:
Choose something hard to guess, but that you can remember.
SSH keys are a safer way to login. If you are not interested in SSH keys, skip to the next part of the tutorial.
Use the following Vultr Doc to make an SSH key: How Do I Generate SSH Keys?
After you get your public key, login with your new user again.
Now make the
.ssh directory and the
authorized_keys file in the home directory of that user account.
cd ~ mkdir .ssh chmod 700 .ssh touch .ssh/authorized_keys
Add the public key that you generated from the other tutorial to the
Save the file, then change the permissions of that file.
chmod 600 .ssh/authorized_keys
Return to the root user.
Now we will make the SSH daemon more secure. Let's start with the config file:
Change SSH inbound port
This step will change the port used to access the server, it is entirely optional but recommended.
Find the line with the
Port config, should look like this:
Now change this port to any port that you want. It must be greater than 1024.
Disable root ssh login
This step will disable root login through SSH, it is entirely optional but highly recommended.
Find this line:
... and change it to:
This will make the server more secure against bots that try brute force and/or common passwords with user
root and port 22.
Disable X11 forward
This step will disable X11 forwarding, don't do this if you use some remote desktop program to access to your server.
Find the X11 line:
... and it change to:
Restart SSH daemon
Now that we made the changes to secure the SSH Login, restart the SSH service:
service ssh restart
This will restart and reload the server settings.
Without disconnecting your current ssh session, open a new terminal or PuTTY window and test another SSH login.
ssh -p 4422 username@SERVER_IP_OR_DOMAIN
If everything checks out, we have successfully hardened the security of your server. Enjoy!