Every time I set up a server, the very next thing I do is secure the Secure SHell Daemon (sshd).
My checklist for doing that looks something like this:
- Permit no root logins.
- SSH Protocol 2 only.
- Implement an AllowUsers list.
- Very (VERY) strong passwords for users.
- Uncommon user names that are not easy to guess.
- Use public key-based authentication instead of passwords.
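To turn the checklist above into something you can run against a server, here is an added example (mine, not part of the original post) that audits an sshd_config file for each item and reports PASS or FAIL. It assumes the OpenSSH keyword names (PermitRootLogin, Protocol, PasswordAuthentication, PubkeyAuthentication, AllowUsers); the sample config it reads is constructed for the demonstration and deliberately leaves two items at weak values.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config file
# against the checklist above and report PASS/FAIL per item.
# Assumes OpenSSH keyword names. Only the "Keyword value" form is parsed
# (not "Keyword=value"), and parsing stops at the first Match block,
# since values inside a Match block apply conditionally, not globally.

# effective_value FILE KEYWORD
# Prints the value of the first uncommented occurrence of KEYWORD
# (sshd honours the first occurrence), or nothing if it is not set.
effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == "match"     { exit }
    tolower($1) == key         { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# check_setting FILE KEYWORD EXPECTED
# Prints one PASS/FAIL line; returns 1 on FAIL.
check_setting() {
  got="$(effective_value "$1" "$2")"
  if [ "$got" = "$3" ]; then
    printf 'PASS %s %s\n' "$2" "$got"
    return 0
  fi
  printf 'FAIL %s (expected "%s", got "%s")\n' "$2" "$3" "${got:-unset}"
  return 1
}

# audit_sshd_config FILE
# One line per checklist item plus a SUMMARY line with the failure count.
audit_sshd_config() {
  file=$1
  fails=0
  for pair in 'PermitRootLogin no' 'Protocol 2' \
              'PasswordAuthentication no' 'PubkeyAuthentication yes'; do
    set -- $pair
    check_setting "$file" "$1" "$2" || fails=$((fails + 1))
  done
  users="$(effective_value "$file" AllowUsers)"
  if [ -n "$users" ]; then
    printf 'PASS AllowUsers %s\n' "$users"
  else
    printf 'FAIL AllowUsers (unset: any local account may log in)\n'
    fails=$((fails + 1))
  fi
  printf 'SUMMARY %d failure(s)\n' "$fails"
}

# failure_count FILE -> prints just the number of failed checklist items
failure_count() {
  audit_sshd_config "$1" | awk '/^SUMMARY/ { print $2 }'
}

# Constructed sample config (hypothetical, for demonstration only).
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sample: two checklist items are still at weak values
Port 22
Protocol 2
PermitRootLogin yes
# PasswordAuthentication no   (commented out, so it is not in effect)
PubkeyAuthentication yes
AllowUsers deploy ops
Match User deploy
    PasswordAuthentication no
EOF

audit_sshd_config "$SAMPLE_CONFIG"
```

Two details in the sample are worth noticing: the commented-out PasswordAuthentication line does nothing, and the copy inside the Match block only applies to the user deploy, so the global value is still unset and the audit reports it as a failure. Run the script as root against /etc/ssh/sshd_config by replacing SAMPLE_CONFIG with that path; after changing anything, validate with `sshd -t` before restarting the daemon.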
Some of you may notice that I do not use a different port for SSH even though it is usually suggested and recommended. Yes, I still use port 22 for SSH on all my servers. I figure if the best computer processors can perform billions of calculations per second these days, they would not break a sweat finding the open SSH port number on a public server. So, from a security point of view, I don’t think changing the SSH port will have the desired effect. It may reduce the level of annoyance of seeing so many break-in attempts in your log file but it is no more secure than having SSH run over the default port 22… at least that’s my opinion.
If you are frequently the target of sshd brute-force attacks just because you have port 22 open, please read this document: Managing sshd Brute-force Attacks with iptables.
Strong Passwords for Users
All my passwords are over 9 characters long. All my passwords include at least:
- one or more upper case letter, i.e., A – Z
- one or more lower case letter, i.e., a – z
- one or more number, i.e., 0 – 9
- one or more symbol, i.e., any character that is neither a letter nor a number, like %, ^, -.
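As an added example (my own, not from the original post), here is a small shell function that checks a candidate password against exactly those rules. It reads the password from standard input rather than taking it as an argument so that it does not appear in the process list; the two sample passwords at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: check a candidate password
# against the rules above (over 9 characters, upper case, lower case,
# number, symbol). Reads one line from stdin so the password never
# appears as a command-line argument.

# meets_password_policy  (reads the password from stdin)
# Returns 0 if every rule holds; otherwise names each failed rule on
# stderr and returns 1.
meets_password_policy() {
  IFS= read -r pw || [ -n "$pw" ] || return 1
  failed=0
  [ "${#pw}" -gt 9 ]                          || { echo 'rule: over 9 characters' >&2; failed=1; }
  printf '%s' "$pw" | grep -q '[[:upper:]]'   || { echo 'rule: an upper case letter' >&2; failed=1; }
  printf '%s' "$pw" | grep -q '[[:lower:]]'   || { echo 'rule: a lower case letter' >&2; failed=1; }
  printf '%s' "$pw" | grep -q '[[:digit:]]'   || { echo 'rule: a number' >&2; failed=1; }
  printf '%s' "$pw" | grep -q '[^[:alnum:]]'  || { echo 'rule: a symbol' >&2; failed=1; }
  return $failed
}

# Constructed sample inputs: the first satisfies every rule, the second
# is long enough and mixes cases and digits but has no symbol.
printf '%s\n' 'Tr0ub4dor-9x' | meets_password_policy && echo 'accepted: Tr0ub4dor-9x'
printf '%s\n' 'Troubadour99' | meets_password_policy || echo 'rejected: Troubadour99'
```

The character classes ([[:upper:]], [[:digit:]] and so on) are used instead of ranges like A-Z so the check behaves the same regardless of the locale the shell runs in.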
Uncommon user names that are not easy to guess
None of my servers have obvious Linux user names like ‘admin’ or ‘administrator’, for example. Creating such easy-to-guess user names simply makes it easier for the attacker to do his job. Avoid using common or popular first names too. If my name were John Smith, a common and popular name, I would probably avoid using ‘john’, ‘jsmith’, or even ‘johns’ as my Linux user name.