SSH Security Options



Security Concepts for Secure Shell

When accessing your server using Secure Shell (SSH) there are several ways to control which connections and accounts the SSH service accepts. By default, sshd listens on port 22 and accepts logins for the root user or for a jailed (cPanel) user, as permitted by the host. This default has downsides: automated brute-force attacks against Linux systems routinely target SSH on port 22 and the root account, because both are predictable.

A few ways to address these issues are listed below:

  • Modify the SSH Port
  • Restrict SSH by IP address

Note: Depending on the level of security that you need, you can also implement a combination of these methods.

Modify The SSH Port

In our default server configurations, we place the server behind a perimeter firewall to restrict ports and connections on a higher level. If you have elected to be placed in our “Relaxed Firewall” group then you will be able to select any port that you desire (and is not already in use for another service) for SSH access. If you have elected to be in our standard firewall groups then you will only have access to alt port 4739 for SSH. As we proceed, this is the port that will be utilized for the setup.

To configure your system to use alternative port 4739 for SSH, please follow the steps below:

Firewall (CSF)

  1. Login to your server through WHM.

  2. Search for “Firewall” and select the ConfigServer Security&Firewall.

  3. Next, select the Firewall Configuration option.

  4. Edit the TCP_IN line, adding the alternate SSH port 4739. The value is a comma-separated list of ports with no spaces and no trailing comma, so separate the new port from its neighbours with a single comma.

Please Note: Pay close attention to the formatting of the current entries in this line. Syntax errors will result in your VPS firewall failing to restart.

  5. Click the ‘Change’ button at the bottom to save the port, then use the restart option CSF offers so the new rule is actually loaded.

SSH Configuration

  1. Access your VPS through SSH, which will still be on port 22.

  2. Edit the /etc/ssh/sshd_config file.

  3. Change the line ‘Port 22’ to ‘Port 4739’. In the stock file this line is commented out as ‘#Port 22’; remove the ‘#’ as well, otherwise sshd keeps listening on 22.

  4. Save your changes.

  5. Next, you will need to restart your SSH service. Please run the following command:

    `service sshd restart`
    

    Please Note: Do not exit your SSH session until you have verified that you are able to connect using the alt port 4739. If you do close the existing session and there is an error with the sshd_config file or the firewall, you will not be able to connect to your VPS through SSH.

  6. If the connection attempt on the alternate port fails, re-check the /etc/ssh/sshd_config file (not the client-side /etc/ssh/ssh_config) for configuration errors, and confirm that your firewall has port 4739 listed in the TCP_IN line.
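The two edits above (TCP_IN in csf.conf and Port in sshd_config) as shell functions that take the file path as a parameter, so the change can be rehearsed on copies of the files and checked with sshd's own parser before anything is restarted. This is an added example, not part of the original article or of CSF; the function names, the `apply` argument and the default paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: rehearse the port change on
# copies of csf.conf and sshd_config, then validate with sshd -t before the
# real restart. Function names and default paths are illustrative.
set -eu

# Return the TCP_IN list from a csf.conf-style file as a bare string.
csf_tcp_in() {
    sed -n 's/^TCP_IN *= *"\(.*\)".*/\1/p' "$1"
}

# Add PORT to TCP_IN. The list is comma-separated with no spaces and no
# trailing comma; a malformed list stops csf from restarting. Idempotent.
csf_add_tcp_in() {
    conf=$1; port=$2
    grep -q '^TCP_IN *=' "$conf" || { echo "no TCP_IN line in $conf" >&2; return 1; }
    current=$(csf_tcp_in "$conf")
    case ",$current," in
        *",$port,"*) return 0 ;;   # already present, nothing to do
    esac
    if [ -z "$current" ]; then new=$port; else new="$current,$port"; fi
    sed "s/^TCP_IN *= *\".*\"/TCP_IN = \"$new\"/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Set the Port directive in an sshd_config-style file. The stock file ships
# with "#Port 22" commented out, so the first Port line, commented or not,
# is replaced; if there is none, one is appended.
sshd_set_port() {
    conf=$1; port=$2
    awk -v port="$port" '
        !done && /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ { print "Port " port; done = 1; next }
        { print }
        END { if (!done) print "Port " port }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Effective port: first active (uncommented) Port line, else sshd's default 22.
sshd_get_port() {
    p=$(awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2; exit }' "$1")
    echo "${p:-22}"
}

# Ask sshd itself to parse the file. Do this before "service sshd restart":
# a config error discovered only at restart leaves no way back in once the
# current session is closed.
sshd_check() {
    sshd -t -f "$1"
}

# Usage (as root): sh this_script.sh apply [csf.conf] [sshd_config] [port]
if [ "${1:-}" = "apply" ]; then
    csf_add_tcp_in "${2:-/etc/csf/csf.conf}" "${4:-4739}"
    sshd_set_port "${3:-/etc/ssh/sshd_config}" "${4:-4739}"
    sshd_check "${3:-/etc/ssh/sshd_config}"
    echo "sshd_config parses; now run: csf -r && service sshd restart"
    echo "then, from a second terminal, test: ssh -p ${4:-4739} user@server"
fi
```

Keep the original session open while testing the new port from a second terminal; on the server, `ss -tlnp | grep sshd` confirms which port sshd is actually listening on.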

Restrict SSH by IP Address

Another method that is very effective at limiting SSH access is to restrict access by IP address. There are a few ways to accomplish this in our cPanel/Linux server environments.

  • WHM >> Security Center >> Host Access Control
  • AllowUsers /etc/ssh/sshd_config file modification
  • Manual /etc/hosts.allow file modification

Host Access Control

The Host Access Control feature allows WHM users to modify the /etc/hosts.allow and /etc/hosts.deny files with relative ease. A number of services can be controlled in this manner.

  • cpaneld
  • whostmgrd
  • webmaild
  • cpdavd
  • ftpd
  • sshd - the one we are addressing
  • smtp
  • pop3
  • imap

To modify your Host Access Control list, please follow the steps below:

  1. Login to your server through WHM.

  2. Navigate to the ‘Host Access Control’ feature by searching for it or selecting ‘Security Center >> Host Access Control’ from the WHM home.

  3. Next, enter the desired Daemon (sshd) in the ‘Daemon’ column.

  4. Then, enter your public-facing IP address or range in the ‘Access List’ column.

  5. Then in the ‘Action’ column, enter either allow or deny for that IP address or range.

    Please Note: While the ‘Comment’ column is optional, we strongly recommend making use of this field to keep your list organized.

  6. Finally, select the blue Save Host Access List to implement the restrictions.

Please Note: To keep all other SSH access denied you will need to create a deny rule with the Access List value of “ALL.” Make sure that this deny rule is at the bottom of your list: rules are processed from the top and the first match wins, so a deny-ALL rule placed above your allow rule would block your own address as well.

Example Host Access Control List

Daemon   Access List   Action   Comment
sshd     1.2.3.4       Allow    Allow My Public IP
sshd     ALL           Deny     Deny all other IPs

AllowUsers sshd_config File

Another method is to modify the configuration of the SSH daemon itself with the AllowUsers directive in sshd_config. This directive restricts logins to the listed users and, in the form user@host, additionally restricts each listed user to connections from a given source IP address or hostname. Be aware that once AllowUsers is present, any user not listed is refused, so list every account that needs SSH access.

To modify the AllowUsers parameter in the sshd_config file, please follow the steps below:

  1. Login to your server through SSH.

  2. Navigate and edit the /etc/ssh/sshd_config file.

  3. At the bottom of the file, add the following directive, where username is the account you log in with and 1.2.3.4 is replaced by your public-facing IP address:

    `AllowUsers username@1.2.3.4`

  4. Save the file and then restart the SSH service (on cPanel servers the service is named sshd, as above):

    `service sshd restart`

Please Note: Do not exit your SSH session until you have verified that you are able to connect as the listed user from the listed IP address. If you close the existing session and there is an error in the sshd_config file, or the AllowUsers entry does not match the account and address you actually connect with, you will not be able to connect to your VPS.