SSH (Secure Shell) is a network protocol that provides secure encrypted communication between two untrusted hosts over an insecure network. It is often used for remote access to a computer, for example, for remote administration, file transfers, and more. SSH is more secure than its predecessor Telnet, which transmitted data in plain text.
Securing SSH on a managed VPS is important for several reasons:
- Confidentiality: SSH is used to transfer sensitive data, such as passwords, login credentials, and confidential files. By securing this protocol, you can ensure that the data being transferred is protected from prying eyes and eavesdropping.
- Authentication: Securing SSH involves using strong authentication methods to prevent unauthorized access. This helps prevent unauthorized users from gaining access to the VPS and its resources.
- Integrity: SSH can be vulnerable to tampering and data corruption, which can lead to data loss or corruption. Securing this protocol helps prevent this by ensuring that the data being transferred is not altered or corrupted during transmission.
- Compliance: Many industries and organizations have strict security regulations that require secure file transfer protocols. By securing SSH, you can ensure that your VPS is in compliance with these regulations.
The Risks of Unsecured SSH
Unsecured SSH can pose several risks, including:
- Confidentiality breach: Unsecured SSH can allow attackers to intercept sensitive data being transmitted, including login credentials, confidential files, and other sensitive information. This can result in a breach of confidentiality, potentially leading to identity theft, financial loss, and other forms of harm.
- Unauthorized access: Unsecured SSH can allow unauthorized users to access a server, potentially leading to unauthorized data access, theft, or alteration of data.
- Data corruption: Unsecured SSH is vulnerable to tampering and data corruption, potentially leading to data loss or corruption. This can result in the loss of important files or data, or compromise the integrity of the data being transferred.
- Brute-force attacks: Unsecured SSH servers can be vulnerable to brute-force attacks, in which attackers use automated tools to repeatedly attempt to log in to the server using a list of commonly used username and password combinations.
There have been several real-world examples of security breaches caused by unsecured SSH and FTP:
- Capital One data breach: In 2019, Capital One suffered a data breach that exposed the personal information of over 100 million customers. The breach was caused by a misconfigured firewall that allowed an attacker to access the company's AWS cloud infrastructure using a stolen SSH key.
This real-world example highlights the importance of securing SSH, as unsecured protocols can leave companies and their customers vulnerable to serious security breaches. By securing these protocols and implementing strong security measures, organizations can minimize the risk of security breaches and protect their sensitive data.
Securing SSH on a managed VPS
Changing the default SSH port
The default SSH port is 22, but it's recommended to change it to a different, unused port to reduce the risk of brute-force attacks. Here's how to change the default SSH port on a Linux-based server:
Step 1: Open the SSH configuration file: Open the file "/etc/ssh/sshd_config" using a text editor, such as nano or vi.
Step 2: Locate the line that says "#Port 22": This line shows the default SSH port. The leading "#" marks it as a comment.
Step 3: Change the default SSH port: Remove the leading "#" and change the port number to a different, unused port number. For example, you can change it to port 2222.
Step 4: Save the changes: Save the changes to the "/etc/ssh/sshd_config" file and exit the text editor.
Step 5: Restart the SSH service: Restart the SSH service to apply the changes. On most systems, this can be done by running the following command:
sudo service ssh restart
Step 6: Verify the changes: Verify that the SSH port has been changed by trying to connect to the server using the new port number. For example:
ssh user@server_ip_address -p 2222
It's important to note that changing the default SSH port may cause problems for some users or applications that expect the SSH service to be listening on port 22. Before changing the default SSH port, make sure to inform all users who may need to access the server via SSH, and ensure that any firewalls or other security devices are configured to allow access to the new port.
Disabling root login over SSH
Disabling root login over SSH is a security best practice that helps to prevent unauthorized access to a server. Here's how to disable root login over SSH on a Linux-based server:
Step 1: Open the SSH configuration file: Open the file "/etc/ssh/sshd_config" using a text editor, such as nano or vi.
Step 2: Locate the line that says "PermitRootLogin yes": This line specifies whether root login is allowed over SSH.
Step 3: Change the setting: Change "PermitRootLogin yes" to "PermitRootLogin no" to disable root login over SSH.
Step 4: Save the changes: Save the changes to the "/etc/ssh/sshd_config" file and exit the text editor.
Step 5: Restart the SSH service: Restart the SSH service to apply the changes. On most systems, this can be done by running the following command:
sudo service ssh restart
After disabling root login over SSH, you can still perform root-level tasks by first logging in as a different user with sufficient privileges, and then using the "sudo" command to gain root access. This provides an additional layer of security by requiring that all root-level actions be performed with the explicit consent of an authorized user.
Enabling key-based authentication
Key-based authentication is a more secure method of authentication than using passwords, as it eliminates the risk of password-based attacks such as brute-force attacks. Here's how to enable key-based authentication for SSH on a Linux-based server:
Step 1: Generate a public-private key pair: On the client machine, generate a public-private key pair using the "ssh-keygen" command. For example:
ssh-keygen -t rsa
Step 2: Copy the public key to the server: Copy the generated public key to the server using the "ssh-copy-id" command. For example:
ssh-copy-id user@server_ip_address
Step 3: Open the SSH configuration file: Open the file "/etc/ssh/sshd_config" using a text editor, such as nano or vi.
Step 4: Locate the line that says "PasswordAuthentication yes": This line specifies whether password authentication is allowed.
Step 5: Change the setting: Change "PasswordAuthentication yes" to "PasswordAuthentication no" to disable password authentication and allow only key-based authentication.
Step 6: Save the changes: Save the changes to the "/etc/ssh/sshd_config" file and exit the text editor.
Step 7: Restart the SSH service: Restart the SSH service to apply the changes. On most systems, this can be done by running the following command:
sudo service ssh restart
Now, when you log in to the server using SSH, the client authenticates with the private key stored on the client machine (asking for the key's passphrase if one is set) rather than asking for a password. If the private key matches the public key on the server, you will be granted access to the server.
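The three sshd_config edits described above (port, root login, password authentication) can be checked with a short script. This is an added example, not part of the original article; the function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Hypothetical helper names; this is not an OpenSSH tool.

# effective_value FILE KEYWORD DEFAULT
# Prints the global value sshd would use for KEYWORD. Keywords are
# case-insensitive, "#" lines are comments, the first occurrence wins, and
# everything after a "Match" line is conditional, so scanning stops there.
# Simplification: Port may appear several times; only the first is read.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        /^[ \t]*#/ || NF == 0   { next }
        tolower($1) == "match"  { exit }
        tolower($1) == want     { val = tolower($2); found = 1; exit }
        END                     { print (found ? val : def) }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one WARN line per setting that differs from the steps above, or a
# single OK line. The defaults passed below are the OpenSSH defaults.
audit_sshd_config() {
    n=0
    port=$(effective_value "$1" Port 22)
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    if [ "$port" = 22 ]; then
        echo "WARN Port is the default 22"; n=$((n + 1))
    fi
    if [ "$root" != no ]; then
        echo "WARN PermitRootLogin is $root, not no"; n=$((n + 1))
    fi
    if [ "$pass" != no ]; then
        echo "WARN PasswordAuthentication is $pass, not no"; n=$((n + 1))
    fi
    if [ "$n" -eq 0 ]; then echo "OK port=$port root=$root password=$pass"; fi
}

# Constructed sample file: the Port edit left the "#" in place, so sshd
# still listens on 22. The per-user Match block is not evaluated here.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 2222
permitrootlogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a live server, `sudo sshd -t` checks the file for syntax errors before you restart the service, and `sudo sshd -T` prints the effective configuration, including any Include files this script does not follow.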
Installing a firewall to restrict SSH access
Installing a firewall can be an effective way to restrict SSH access and enhance the security of a server. Here's how to install and configure a firewall to restrict SSH access on a Linux-based server:
Step 1: Install the firewall software: On most Linux systems, the iptables firewall is already installed. If it is not installed, you can install it using the package manager of your distribution. For example, on Ubuntu-based systems, you can use the following command:
sudo apt-get install iptables
Step 2: Configure the firewall rules: Use the "iptables" command to configure the firewall rules. To allow incoming SSH connections only from a specific IP address or range, you can use the following commands. They match port 22; if you changed the SSH port as described earlier, use that port number for --dport instead:
sudo iptables -A INPUT -p tcp --dport 22 -s <allowed_ip_address_or_range> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
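Step 3: Save the firewall rules: Save the firewall rules so that they persist across reboots. The iptables-save command only prints the current rules to standard output, so redirect its output to a file that is loaded at boot. On Debian- and Ubuntu-based systems with the iptables-persistent package installed, that file is /etc/iptables/rules.v4:
sudo sh -c '/sbin/iptables-save > /etc/iptables/rules.v4'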
Note that firewall rules are applied in the order they are specified, so it's important to ensure that the correct order of rules is maintained. The firewall rules specified above will first allow incoming SSH connections only from the specified IP address or range, and then drop all other incoming SSH connections.
It's important to regularly review and update the firewall rules to ensure that they are effective in protecting the server and allow only authorized access.
Best practices for securing SSH on a managed VPS
Here are some best practices for securing SSH on a managed VPS:
- Use strong passwords or passphrases for key-based authentication: Use strong passwords or passphrases when generating the private key, to ensure that the private key cannot be easily cracked.
- Enable two-factor authentication (2FA): Two-factor authentication adds an extra layer of security by requiring the user to provide two forms of authentication, such as a password and a security token.
- Regularly update and patch the operating system and SSH software: Regularly update and patch the operating system and SSH software to ensure that the latest security fixes are applied.
- Monitor SSH logs: Regularly monitor SSH logs to detect and respond to any suspicious activity, such as login attempts from unauthorized IP addresses or repeated failed login attempts.
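The log monitoring described in the last item can start as a small filter over the authentication log. This is an added example, not part of the original article: the function names are made up, and the log lines are constructed using documentation-range IP addresses.

```shell
#!/bin/sh
# Hypothetical helper names; the log lines below are constructed samples
# in the usual sshd auth-log wording.

# suspicious_sources THRESHOLD   (log on stdin)
# Prints "IP failures flag" for each source with at least THRESHOLD failed
# password attempts. flag is LOGIN_AFTER_FAILURES when a login from that IP
# was accepted after at least one failure, otherwise failed_only.
suspicious_sources() {
    awk -v limit="$1" '
        # The username is chosen by the remote side, so take the LAST "from".
        function src(   i) {
            for (i = NF - 1; i >= 1; i--) if ($i == "from") return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = src(); if (ip != "") fails[ip]++
        }
        /sshd\[[0-9]+\]: Accepted / {
            ip = src(); if (ip in fails) after[ip] = 1
        }
        END {
            for (ip in fails) if (fails[ip] >= limit + 0)
                print ip, fails[ip], ((ip in after) ? "LOGIN_AFTER_FAILURES" : "failed_only")
        }
    ' | LC_ALL=C sort
}

# Constructed sample log.
sample_log() {
    cat <<'EOF'
Jan 10 03:12:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:12:03 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 03:12:05 vps sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51246 ssh2
Jan 10 03:14:40 vps sshd[1290]: Failed password for deploy from 198.51.100.20 port 40010 ssh2
Jan 10 03:15:00 vps sshd[1300]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Jan 10 04:01:10 vps sshd[1410]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jan 10 04:01:12 vps sshd[1412]: Failed password for root from 192.0.2.44 port 33007 ssh2
Jan 10 04:01:14 vps sshd[1414]: Failed password for root from 192.0.2.44 port 33013 ssh2
Jan 10 04:01:20 vps sshd[1420]: Accepted password for root from 192.0.2.44 port 33020 ssh2
EOF
}

sample_log | suspicious_sources 3
```

A source flagged LOGIN_AFTER_FAILURES deserves attention first, since it may mean a guessed password; the single mistyped attempt from 198.51.100.20 stays below the threshold of 3.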
By following these best practices, you can significantly enhance the security of your managed VPS and reduce the risk of a security breach. However, it's important to regularly review and update security measures to ensure that they remain effective.