How to secure root access by SSH with su on CentOS, RHEL, Fedora etc

Written by james on December 6, 2011 Categories: CentOS, Linux, Security, Web Servers

If your server (or computer) is directly exposed to the internet you’ll want to do a couple of things to secure SSH access on a fresh CentOS / Red Hat based install. This goes some way towards guarding against brute force password attacks which are, at best, a nuisance, and at worst a way in if any account has a weak password.

There are three fairly simple things that need to be done here:

1. Add a new user with permission to elevate to root with su.

2. Change the port SSH listens on to something other than port 22. Port 22 is the default for every SSH install and what automated attackers always go for – changing the port is security by obscurity: it cuts the background noise of scanners, but a port scan will still find the new port, so treat it as a nuisance reducer rather than a real barrier.

3. Disable root SSH login, and from now on use an unprivileged user to log in over SSH, and then elevate to root with su if need be.

Before you start – a word of warning: don’t lock your keys in the car.
If you go ahead and disallow root SSH access on a server you can’t physically get to (like VPS hosting), and then log out without setting up your unprivileged user properly – you will lock yourself out.
If you change the SSH port from 22 to one that is either blocked by an iptables firewall on your server, or by a NAT or firewall at some point between you and the server, and then log out – you will lock yourself out.

How not to lock yourself out: We’ll follow a very safe method to make this eventuality near impossible. We’ll make all changes from an SSH terminal session logged in as root which you keep open. When you make configuration changes, open a second SSH terminal session and test them there without logging out of your original root session. That way if something goes wrong, you can change things back in your original session. This means having two PuTTY windows open, or two terminals open if you’re working from a Linux or Mac machine – one to stay logged in as root, and another to test the new setup as you go along. Restarting sshd does not drop existing sessions, so the root session survives every restart below.

Step 1 – Add a new user (substitute the example username of newguy and password of abc123 with those of your choosing – on a real server the password should be long and random, since this account is now the front door)

1. SSH to your server and log in as root

2. At the command prompt enter useradd newguy

3. Enter passwd newguy then type the password for the account twice when prompted: abc123 in this example (you’ll get a BAD PASSWORD warning if you use that, because it is a weak password – don’t use it outside of this walkthrough)

Step 1a – Add your new user “newguy” to the wheel user group so the account can elevate to root with su

Why is the group called wheel?

The guy who wrote the group functionality was both a Buddhist and a Journey fan. He was listening to “Wheel in the Sky” while trying to figure out a way to give more people administrative rights without giving too much access. In a fit of enlightenment, he came up with a special group for administrators. Since they were the ones who kept things turning, it only seemed appropriate that “wheel” be immortalized in the /etc/group file. – Jason C. Wells

Not really: “wheel” is derived from the slang term “big wheel”, popular in the middle of the last century, for somebody with power. The “wheel” user group has been around pretty much as long as Unix.

1. So to put newguy in the wheel group, open the /etc/group file for editing by entering vim /etc/group
You can also use another text editor like nano /etc/group or pico if that floats your boat. The safer alternative to hand-editing is usermod -a -G wheel newguy, which appends the supplementary group for you (the -a matters: without it usermod replaces the user’s existing supplementary groups); the edit below shows what that command does to the file.

2. Find the line that starts with wheel, on a CentOS install that line will look like: wheel:x:10:root
Change that line to wheel:x:10:root,newguy
so you’ve just appended the username you’ve created before to the line for group wheel – putting that user in the wheel group. One caveat: on a stock CentOS install su does not actually check wheel membership. The line that enforces it in /etc/pam.d/su, auth required pam_wheel.so use_uid, ships commented out, so anyone who knows the root password can su, wheel member or not. If you want su restricted to wheel members, uncomment that line (using your open root session, and test in the second one as usual).

3. Save (write out) that file and quit back to the prompt. Keep your root terminal open and open a new one to see if newguy exists and can use su to become root. Which will look like:

login: newguy
password: abc123
su
password: yourrootpassword

The prompt should now look something like [root@localhost newguy]# which means you are root on the machine called localhost; the last word is the current directory, newguy’s home directory, because plain su keeps you where you were. Use su - instead if you want root’s own environment and home directory.

4. To go back to being newguy again: Enter exit

Step 2 – Change the SSH Port away from 22, so automated bad guys will find nothing if they try to connect to your server on the default SSH port

1. Go back to your original, root logged in terminal.

2. Open sshd_config for editing: vim /etc/ssh/sshd_config

3. Find the line at the top of the file #Port 22 and uncomment it by removing the # in front of it

4. Add another line underneath it Port 1222 (or some other unused port you want to use). We’re telling SSH to listen on both port 22 and the new port 1222 at the same time, so that if 1222 turns out to be blocked you still have 22 to fall back on. Note that once any Port line is uncommented, only the listed ports are used: a lone Port 1222 with #Port 22 still commented would drop 22 immediately, which is why step 3 does that.

5. Save (write out) the file and quit the editor

6. Check the edited file parses before restarting, with sshd -t (it prints nothing if the config is valid), then restart the SSH daemon so the config changes will take effect:
Enter /etc/init.d/sshd restart (or service sshd restart)

7. Leave your current terminal session open and start another one in a new window, this time try and connect on port 1222 (or your new port number)
If this works ok and port 1222 is open you will see a log in prompt.

If you see nothing, or it otherwise won’t connect, first confirm sshd is actually listening on the new port from your root session with netstat -tlnp | grep sshd. If the new port is missing there, look in /var/log/secure: on a system with SELinux enforcing, sshd may only bind to ports labelled ssh_port_t, so label the new port first with semanage port -a -t ssh_port_t -p tcp 1222 (semanage is in the policycoreutils-python package) and restart sshd again. If sshd is listening but you still can’t connect, go to step 2a – iptables may not be allowing the connection.

Otherwise:
Log in as newguy, elevate him to root with su again, then exit and close the session. Port 1222 is working and you can log in with your new user and elevate them to root with su, which is exactly what we want to be doing. Go straight to step 3 if you don’t have iptables installed and don’t want to do any further hardening.

Step 2a – Open your new SSH port in iptables

1. See if you have iptables installed:
Enter: rpm -qa | grep iptables

If iptables is installed, this will output something like:
iptables-1.3.5-5.3.el5_4.1
iptables-ipv6-1.3.5-5.3.el5_4.1

If iptables isn’t installed, there is no local firewall to blame, so the port you’ve chosen is being blocked by an external firewall in front of your server (or a NAT on your own side). You’ll have to look into this on your own and contact the 3rd party if they are housing your server. You can also just leave it on Port 22 but expect some login attempts occasionally – go to step 3.

Step 2b – iptables is installed and the new SSH port needs to be opened:

1. Open your iptables config file: vim /etc/sysconfig/iptables

2. Find the existing rule that opens port 22 and add a matching line for the new port directly after it:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1222 -j ACCEPT
Rules are evaluated in order, and the stock CentOS file ends the chain with -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited just before COMMIT. The new ACCEPT must come before that REJECT; appended right above COMMIT it would never be reached and port 1222 would stay blocked. (On a newer install the chain may simply be called INPUT; use whatever chain the existing port 22 rule is in.)

3. Save (write out) the file and quit

4. Restart iptables with /etc/init.d/iptables restart and confirm the rule is live with iptables -L -n | grep 1222

Go back and try step 2.7 again with your second ssh connection to port 1222 as newguy

Step 3 - Disable root SSH login and stop SSH listening on Port 22

First, ensure you’ve established that the new user, e.g. newguy, has been created, is a member of the group wheel, can use su to become root, and that you can connect to SSH on the new port you’ve chosen (port 1222 in the example).

1. Go back and edit sshd_config with: vim /etc/ssh/sshd_config

2. Find the line at the top of the file with Port 22 and comment it out again by changing it to #Port 22

3. Find the line #PermitRootLogin yes and uncomment it by removing the #, and change it to PermitRootLogin no

4. Save (write out) the file and quit vim

5. Restart SSH with: /etc/init.d/sshd restart

To test it out, check netstat -tlnp | grep sshd in your root session (only the new port should be listed), then try to connect via SSH to port 22, which shouldn’t work, and then try to log in as root on your new SSH port, which shouldn’t work either; /var/log/secure will show the refused root attempt.

You now have a hardened SSH setup. From now on if anything needs to be done as root: connect to SSH on the new port you set, with the new username, then use su and the root password to elevate to root.
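The file edits from Steps 1a, 2, 2b and 3 above, as an added example that is not from the original post: a set of shell functions that take the file to operate on as an argument, so you can rehearse the whole procedure on copies (cp /etc/ssh/sshd_config /tmp/sshd_config) and check the result with sshd -t -f /tmp/sshd_config before pointing them at the live files from your open root session. It assumes GNU awk and coreutils as shipped on CentOS, the RH-Firewall-1-INPUT chain name from the post (overridable), and does not handle Match blocks in sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post). Functions for the Step 1a/2/2b/3
# edits, each taking the FILE to operate on so they can be run against copies.
# Assumes GNU awk/coreutils as on CentOS; chain name defaults to the CentOS 5
# one used in the post. Match blocks in sshd_config are not handled.

# Rewrite FILE in place via awk. Writing back with "cat >" instead of mv keeps
# the original owner, mode and SELinux label, which matters for sshd_config.
_rewrite() {   # _rewrite FILE [-v name=value ...] AWK_PROGRAM
    local file=$1 tmp; shift
    tmp=$(mktemp) || return 1
    if awk "$@" "$file" > "$tmp"; then cat "$tmp" > "$file"; else rm -f "$tmp"; return 1; fi
    rm -f "$tmp"
}

# Ports sshd will listen on: every uncommented "Port N" line, or 22 if there is
# none. (ListenAddress lines carrying their own :port are not considered.)
sshd_ports() {   # sshd_ports FILE
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# First uncommented value of a single-valued keyword; prints nothing if unset
# (PermitRootLogin then defaults to yes on these releases). sshd honours the
# FIRST occurrence, so a stray "PermitRootLogin yes" above your edit wins.
sshd_first() {   # sshd_first FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Step 2.4: add a second listening port without dropping the current one. With
# no uncommented Port line sshd is on 22 only by default, and a lone "Port 1222"
# would replace that default, so 22 is then written out explicitly as well.
sshd_add_port() {   # sshd_add_port FILE PORT
    sshd_ports "$1" | grep -qx -- "$2" && return 0
    _rewrite "$1" -v p="$2" '
        { print }
        tolower($1) == "port" && !done { print "Port " p; done = 1 }
        END { if (!done) { print "Port 22"; print "Port " p } }'
}

# Step 3.2: stop listening on PORT by commenting its line out. Refuses when it
# is the only port listed, since sshd would silently fall back to 22.
sshd_drop_port() {   # sshd_drop_port FILE PORT
    [ "$(sshd_ports "$1" | grep -cvx -- "$2")" -gt 0 ] || return 1
    _rewrite "$1" -v p="$2" '
        tolower($1) == "port" && $2 == p { print "#" $0; next }
        { print }'
}

# Step 3.3: set a single-valued keyword. The new value replaces the first line
# for it (commented or not); any later active line is commented out so that
# nothing earlier or later in the file can override the new value.
sshd_set() {   # sshd_set FILE KEYWORD VALUE
    _rewrite "$1" -v kw="$2" -v v="$3" '
        { line = $0; sub(/^[ \t#]+/, "", line); split(line, f, /[ \t]+/) }
        tolower(f[1]) == tolower(kw) {
            if (!done) { print kw " " v; done = 1 }
            else if ($1 !~ /^#/) print "#" $0
            next
        }
        { print }
        END { if (!done) print kw " " v }'
}

# Step 2b: open PORT in an /etc/sysconfig/iptables file. The ACCEPT goes ahead
# of the chain's terminating REJECT/DROP (or before COMMIT if there is none);
# placed after the REJECT it would never be evaluated.
iptables_open_port() {   # iptables_open_port FILE PORT [CHAIN]
    local chain=${3:-RH-Firewall-1-INPUT}
    grep -q -- "--dport $2 " "$1" && return 0
    _rewrite "$1" -v p="$2" -v c="$chain" '
        !done && (($1 == "-A" && $2 == c && / -j (REJECT|DROP)/) || /^COMMIT/) {
            print "-A " c " -m state --state NEW -m tcp -p tcp --dport " p " -j ACCEPT"
            done = 1
        }
        { print }'
}

# Step 1a check: USER listed as a member of GROUP in a group(5) file. Splits the
# member field so "newguy" does not match "newguy2".
in_group() {   # in_group GROUPFILE USER GROUP
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# Whether su is really restricted to wheel. CentOS ships /etc/pam.d/su with the
# pam_wheel "required" line commented out; until it is uncommented, anyone with
# the root password can su regardless of wheel membership.
pam_wheel_enforced() {   # pam_wheel_enforced PAMFILE
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so' "$1"
}
```

Source the file in your root session and work on copies first, e.g. sshd_add_port /tmp/sshd_config 1222 followed by sshd -t -f /tmp/sshd_config and sshd_ports /tmp/sshd_config; in_group /etc/group newguy wheel and pam_wheel_enforced /etc/pam.d/su answer the two Step 1a questions without opening an editor. Only once the copies look right do you run the same functions against the live paths and restart the services as in the steps above.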

This means for someone to gain root access to this machine they will need to know which port SSH is listening on (a port scan will reveal it, so this mainly filters out the automated noise), which username is allowed in, which could be anything, the password for that user AND the password for the root account. Much more difficult than guessing one root password on port 22.

This isn’t an exhaustive method, keep in mind there are a whole bunch of other ways you can make a CentOS machine more secure (key-based SSH authentication with PasswordAuthentication no is the obvious next step, since it takes password guessing off the table entirely) – and that extends to securing each application/service that’s run on it.
