Securing SSH on Ubuntu 14.04

After you create a new server, there are some configuration tweaks that you should make to harden the security of your server.

Create a new user

As the root user, you have privileges to do anything that you want with the server – no restrictions. Because of this, it is better to avoid using the root user account for every task on your server. Let’s start by making a new user. Replace username with the desired user name:

adduser username

Choose a new secure password and respond to the questions accordingly (or just hit ENTER to use the default value).

Giving user root privileges

New user accounts don’t have privileges outside of their home folder and cannot run commands that will alter the server (like install, update, or upgrade). To avoid the use of the root account, we will give the user root privileges. There are two ways of doing this:

Adding user to sudo group

The easy way is to add the user to the sudo group. Replace username with the desired user name:

adduser username sudo

This will add the user to the group sudo. This group has the privilege of running the commands with sudo access.

Modifying sudoers file

The other way is to put your user in the sudoers file. If your server has multiple users with root privileges, then this approach is somewhat better because if someone messes with the sudo group, you will be still able to run commands with root privileges to work on the server.

First, run this command:

visudo

This will open the sudoers file. This file contains the definitions of groups and users who can run commands with root privileges.

root    ALL=(ALL:ALL) ALL

After this line, write your user name and grant it full root privileges. Replace username accordingly:

username    ALL=(ALL:ALL) ALL

Save and close the file (Ctrl + O and Ctrl + X in nano).

Testing your new user

To login to your new user account without logout and login, simply call:

su username

Test sudo permissions using this command:

sudo apt-get update

The shell will ask for your password. If sudo was configured properly, then your repositories should be updated. Otherwise, review the previous steps.

Now, logout from the new user:

exit

Sudo setup is complete.

Securing SSH

The next part of this guide involves securing the ssh login to the server. First, change the root password:

passwd root

Choose something hard to guess, but that you can remember.

SSH key

SSH keys are a safer way to login. If you are not interested in SSH keys, skip to the next part of the tutorial.

Use the following Vultr Doc to make an SSH key: How Do I Generate SSH Keys?

After you get your public key, login with your new user again.

su username

Now make the .ssh directory and the authorized_keys file in the home directory of that user account.

cd ~
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys

Add the public key that you generated from the other tutorial to the authorized_keys file.

 nano .ssh/authorized_keys

Save the file, then change the permissions of that file.

chmod 600 .ssh/authorized_keys

Return to the root user.

exit

SSH configuration

Now we will make the SSH daemon more secure. Let’s start with the config file:

nano /etc/ssh/sshd_config

Change SSH inbound port

This step will change the port used to access the server, it is entirely optional but recommended.

Find the line with the Port config, should look like this:

Port 22

Now change this port to any port that you want. It must be greater than 1024.

Port 4422

Disable root ssh login

This step will disable root login through SSH, it is entirely optional but highly recommended.

Find this line:

PermitRootLogin yes

… and change it to:

PermitRootLogin no

This will make the server more secure against bots that try brute force and/or common passwords with user root and port 22.

Disable X11 forward

This step will disable X11 forwarding, don’t do this if you use some remote desktop program to access to your server.

Find the X11 line:

X11Forwarding yes

… and it change to:

X11Forwarding no

Restart SSH daemon

Now that we made the changes to secure the SSH Login, restart the SSH service:

service ssh restart

This will restart and reload the server settings.

Testing changes

Without disconnecting your current ssh session, open a new terminal or PuTTY window and test another SSH login.

ssh -p 4422 [email protected]_IP_OR_DOMAIN

If everything checks out, we have successfully hardened the security of your server. Enjoy!