Securing SSH – The Right Way
SSH is the most vital way of connecting to and managing your server remotely. SSH runs as a service (sshd) on a Linux machine. When you purchase a dedicated server or VPS in any hosting environment, the sshd service is installed by default and runs on port 22. It's highly advised to apply certain changes to this service to make sure nobody can make a malicious attempt at logging in to or probing your server.
Today I am going to share with you some of the best tips to get yourself started, so let's begin!
1: First thing first, Disable ROOT!
Disabling `root` is a must. When you open up a new server, you must disable the `root` user before someone else gets access. But before we do that, we must add a new user to make sure we do not get locked out. In this case I assume you have already created a standard user (in my example, it's `ehsan`).
Let's add `ehsan` to the `sudoers` group now!
For RHEL-based systems run: `# sudo usermod -aG wheel ehsan`
For Debian-like systems run: `# sudo adduser ehsan sudo`
The above command will add the user `ehsan` to the `sudoers` group. Now, to make sure that we are in the `sudoers` group, run `id ehsan` (replace `ehsan` with your username, obviously).
Now to disable root access:
In a terminal, type `nano /etc/ssh/sshd_config` and add the following at the bottom of the file:
Congrats, you have successfully disabled the root login.
2: Disable no-word Password logins
This setting makes sure that every password entered is a valid regex match of [A-Z,0-9] and other character sets. Open up `sshd_config` by running `nano /etc/ssh/sshd_config` and add the following line:
3: Spoofing SSH port for better protection against bots.
When a server is deployed, the default port for SSH is port 22. Many bots and attackers are always looking for vulnerabilities and are actively exploiting port 22 on any newly registered IPs. To prevent this, we will change our default port to make sure we are protected.
Open up `sshd_config` and change the following line:
`Port 22` to `Port 24245`
Make sure to make appropriate changes to your firewall that you are using.
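A check for steps 1 and 3, added here as an example and not part of the original post: sshd keeps the first value it reads for most keywords, so a `PermitRootLogin` line added at the bottom of the file has no effect if an earlier one is still present. The function names and the two sample files are constructed for illustration; the defaults used when a keyword is unset (`prohibit-password`, port 22) are upstream OpenSSH's.

```sh
#!/bin/sh
# Added example. sshd uses the FIRST value it reads for most keywords, so a
# directive appended at the bottom loses to an earlier one. Only the global
# section (before any Match line) is read; Include files are not followed.

sshd_effective() {   # usage: sshd_effective KEYWORD FILE DEFAULT
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }            # comments, blank lines
        tolower($1) == "match" { exit }           # global section ends
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

sshd_ports() {       # Port is cumulative: every Port line adds a listener
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { print $2; n++ }
        END { if (!n) print 22 }                  # upstream default
    ' "$1"
}

audit_sshd() {       # prints findings; exit status = number of findings
    findings=0
    root=$(sshd_effective PermitRootLogin "$1" prohibit-password)
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is effectively '$root'"
        findings=$((findings + 1))
    fi
    if sshd_ports "$1" | grep -qx 22; then
        echo "FINDING: sshd still listens on port 22"
        findings=$((findings + 1))
    fi
    return "$findings"
}

write_samples() {    # constructed sample configs, not from a real host
    dir=$(mktemp -d)
    printf '%s\n' '# vendor file with the new line appended' 'Port 22' \
        'PermitRootLogin yes' 'PermitRootLogin no' > "$dir/appended"
    printf '%s\n' 'Port 24245' 'PermitRootLogin no' > "$dir/edited"
    echo "$dir"
}

samples=$(write_samples)
for f in appended edited; do
    echo "== $f"; audit_sshd "$samples/$f" || true
done
```

On a real host, `sshd -t` validates the file and `sshd -T` prints the configuration sshd will actually use, including any Include files this sketch skips.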