In this article we show several ways to secure your Linux machines against attackers, starting with the service they hit first: SSH.
After a fresh install, whether Ubuntu or CentOS, most people log in over SSH with a normal user or root and a password.
That login method is easy to attack: a script can run a brute-force attack against it indefinitely, and automated password guessing against port 22 usually starts within minutes of a machine going online.
How do we secure our own Linux machines?
Step 1: Create a regular user
Instead of logging in as root from the outside world, create an unprivileged user for SSH logins.
Log in as root and run:
useradd security
passwd security
and set a password for the user security.
From now on, log in as security and switch to root locally (with su - or sudo) instead of logging in as root directly.
Root is the one account name every attacker already knows. Taking it off the remote login path means a brute-force script first has to guess a valid username, and every root session is tied to a named user in the logs. (SSH already encrypts the password in transit, so the gain here is against guessing, not sniffing.)
Step 2: Generate a private/public key pair
Think of the private key as the key to your room and the public key as the lock on its door.
We are going to install the lock on your Linux machine and keep the key on your workstation, so that you log in with the key and no longer with a password.
Log in as security and run the command below to create the pair. The article uses RSA (2048 bits by default); on current OpenSSH versions ssh-keygen -t ed25519 is the better choice, and if you stay with RSA add -b 4096.
ssh-keygen -t rsa
After the command you will see output like the following (the text in brackets is what you type at each prompt):
Generating public/private rsa key pair.
Enter file in which to save the key (/home/security/.ssh/id_rsa): [Enter]
Created directory '/home/security/.ssh'.
Enter passphrase (empty for no passphrase): [type a new passphrase for the private key]
Enter same passphrase again: [type the same passphrase again]
Your identification has been saved in /home/security/.ssh/id_rsa.
Your public key has been saved in /home/security/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ANg/h9YKq9pAwEizIN/A7KMFZUJcyx+j9jwkz9ptDVU security@linuxscriptshub
The key's randomart image is:
+---[RSA 2048]----+
|*B=+. |
|B=Boo. E |
|o=.o.+.o . |
|. + + B.o. |
| + = * +S |
|o . O .. |
|. . * o |
| o. o o. . |
|…. … |
+----[SHA256]-----+
Go into the .ssh folder and you will see both the private key and the public key:
cd .ssh
ls
id_rsa id_rsa.pub
id_rsa is the key to your room (the private key; never share it or leave copies lying around)
id_rsa.pub is the lock (the public key; it is safe to hand out)
Download id_rsa to your local machine (for example with scp) and keep it private: on your workstation it must be mode 600, otherwise ssh refuses to use it. Once it is downloaded, delete id_rsa from the server; a private key that lives on the server it unlocks protects nothing if that server is compromised. Better practice is to generate the pair on your workstation in the first place and copy only the public key to the server (ssh-copy-id security@linuxscriptshub does exactly that), so the private key never touches the server at all.
Now add id_rsa.pub, the lock, to authorized_keys, the file sshd checks on login (run this inside ~/.ssh):
cat id_rsa.pub >> authorized_keys
chmod 600 authorized_keys
chown security:security authorized_keys
These permissions matter: with the default StrictModes yes, sshd silently ignores authorized_keys if the file or the ~/.ssh directory is writable by anyone else, and you end up back at a password prompt wondering why the key does not work. The directory must be mode 700 and the file mode 600, both owned by the user.
Now, from your local machine, try to log in with the key:
ssh -i id_rsa security@linuxscriptshub
If you followed the steps above you will be logged in as security without a password prompt (only the key's passphrase, if you set one).
Your machine now accepts key-based login. Keep your existing password session open until you have confirmed this works.
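The authorized_keys setup above is the step most often done wrong (wrong mode on ~/.ssh, the same key appended twice, a file that is not a public key at all). The script below is an added example, not code from the original article: it installs a public key with the permissions sshd's StrictModes requires, rejects input that is not an OpenSSH public key line, and is safe to re-run. The key material in the demo is a constructed placeholder, not a real key, and the home directory is a temporary one so it can be run without root.

```bash
#!/bin/bash
# Added example (not from the original article): install a public key into a
# user's authorized_keys the way sshd expects it, idempotently.
#
# usage: install_authorized_key <home-dir> <path-to-id_rsa.pub>
install_authorized_key() {
    local home="$1" pubkey_file="$2"
    local sshdir="$home/.ssh" authkeys="$home/.ssh/authorized_keys"

    # Refuse anything that does not look like an OpenSSH public key line.
    local pubkey
    pubkey=$(head -n 1 "$pubkey_file")
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # ~/.ssh must be 700 and authorized_keys 600; with the default
    # StrictModes yes, sshd silently ignores the key otherwise.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"

    # Compare on the key material (type + base64 blob), ignoring the comment,
    # so running this twice does not duplicate the entry.
    local keyblob
    keyblob=$(printf '%s\n' "$pubkey" | awk '{print $1" "$2}')
    if grep -qF -- "$keyblob" "$authkeys"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$authkeys"
}

# How many times a given public key appears in <home>/.ssh/authorized_keys.
# usage: count_key <home-dir> <path-to-pubkey>
count_key() {
    grep -cF -- "$(head -n 1 "$2" | awk '{print $1" "$2}')" "$1/.ssh/authorized_keys"
}

# Demo with a constructed placeholder key in a throw-away home directory.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeyMaterialNotARealKey security@linuxscriptshub' \
    > "$demo_home/id_rsa.pub"
install_authorized_key "$demo_home" "$demo_home/id_rsa.pub"
install_authorized_key "$demo_home" "$demo_home/id_rsa.pub"   # second run is a no-op
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
```

On a real server run it as the target user (or as root followed by chown -R user:user ~user/.ssh) against that user's home directory; the permission checks it enforces are exactly what sshd logs as "Authentication refused: bad ownership or modes" in /var/log/auth.log or /var/log/secure when they are wrong.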
Step 3: Change the SSH port
On a fresh machine sshd listens on TCP port 22, which every scanner and bot tries first.
Moving it does not stop a targeted attacker, but it takes you out of the constant background noise of automated port-22 brute-force attempts and keeps your auth logs readable.
vi /etc/ssh/sshd_config
Changes This
#Port 22
To
Port 22144
The # must be removed; a commented line is ignored and sshd stays on the default port.
Pick any unused number: five digits is fine as long as it stays below 65535, and avoid ports another service on the machine already listens on. This article uses 22144.
Restart your sshd service
In Centos
systemctl restart sshd
In Ubuntu
systemctl restart ssh
On newer Ubuntu releases (22.10 and later) sshd is started through ssh.socket rather than directly; if the new port does not come up after the restart, check systemctl status ssh.socket, which is where the listening port is then defined.
After the restart, do not close the current terminal. Open a second terminal and connect on the new port to confirm you can still log in:
ssh -i id_rsa security@linuxscriptshub -p 22144
If the firewall is not blocking the new port you will get in.
If it is, add the rules below to reach the machine.
In Centos
firewall-cmd --permanent --zone=public --add-port=22144/tcp
firewall-cmd --reload
If SELinux is enabled, sshd is not allowed to bind the new port until it is labelled ssh_port_t, so run (semanage is in the policycoreutils-python-utils package on CentOS):
semanage port -a -t ssh_port_t -p tcp 22144
You can check the SELinux status with:
getenforce
Enforcing means it is on, Permissive means it logs denials but does not block, Disabled means it is off.
Do not disable SELinux just to change the SSH port; the semanage command above is the supported way and keeps the extra protection. If you genuinely need it off, set SELINUX=disabled in /etc/selinux/config and reboot.
In Ubuntu
If you use UFW, allow the new port (restricting it to TCP, which is all sshd uses):
ufw allow 22144/tcp
The rule takes effect immediately when UFW is active; no restart is needed. Once the new port works, remember to remove the rule that still opens port 22 (the OpenSSH application profile in UFW, the ssh service in firewalld).
Step 4: Restrict your custom SSH port to one or a few IPs
In Step 3 we moved sshd to a custom port, but do not mistake that for real security.
An attacker can still run a port scanner (nmap over all 65535 ports) against every address facing the outside world, finds the port, reads the SSH banner on it,
and can brute-force the new port just as easily as port 22.
The fix is to allow the port only from addresses you control: your VPN's public egress IP, or your home's static public IP.
Everything else is dropped, so the port no longer shows up as open to anyone but you.
In Ubuntu (UFW)
ufw allow from 123.123.123.123/32 proto tcp to any port 22144
Then delete the broad rule from Step 3 (ufw delete allow 22144/tcp), otherwise it still lets the whole internet in. Only 123.123.123.123 can now reach the SSH port; to everyone else the port is filtered, so a scan no longer shows it as open.
In CentOS (firewalld)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="123.123.123.123/32" port protocol="tcp" port="22144" accept'
firewall-cmd --reload
As with UFW, remove the unrestricted port rule from Step 3 afterwards (firewall-cmd --permanent --zone=public --remove-port=22144/tcp, then reload), or the rich rule adds nothing.
If you use plain iptables instead (works on both Ubuntu and CentOS), the equivalent is:
/sbin/iptables -A INPUT -s 123.123.123.123 -p tcp -m tcp --dport 22144 -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -m state --state INVALID,NEW -j DROP
-A appends, so these land at the end of the INPUT chain in this order. Be aware that the last rule drops every other new connection, including to a web server or anything else the machine serves; rules for those services must come before it. Also, iptables rules are not persistent: save them (netfilter-persistent on Ubuntu, the iptables-services package on CentOS) or they are gone after a reboot.
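The three iptables rules above are the right idea, but appending them one at a time to an existing chain is how people lock out their own web server (the final DROP lands after the SSH rule but before nothing else). The script below is an added example, not from the original article: it writes a complete ruleset in iptables-restore format, so the loopback and stateful accepts, the allow-listed SSH rule, any public services and the default drop policy are always in the right order. The address 123.123.123.123 and port 22144 are the article's placeholders; the extra ports are whatever the machine serves publicly.

```bash
#!/bin/bash
# Added example (not from the original article): build an INPUT ruleset in
# iptables-restore format with the ordering the article's rules depend on.
#
# usage: build_ruleset <ssh-port> <admin-ip> [public-tcp-port ...]
build_ruleset() {
    local port="$1" admin="$2"
    shift 2
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default policy: anything no rule accepts is dropped
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the host opened, and the SSH session you are
    # applying this from, stay alive through this rule.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # SSH only from the admin address; everyone else sees the port as filtered.
    echo "-A INPUT -p tcp -s $admin --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    # Services that must stay reachable from anywhere (80, 443, ...) come
    # before the implicit drop, which is what the appended-rule approach misses.
    local p
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Number of rules that open the SSH port; must be exactly one (the allow-listed one).
# usage: ssh_rule_count <ssh-port> <admin-ip> [public-tcp-port ...]
ssh_rule_count() {
    build_ruleset "$@" | grep -c -- "--dport $1 "
}

# Demo: SSH from the admin IP only, web ports open to everyone.
build_ruleset 22144 123.123.123.123 80 443
```

Apply it from a session that is already connected (the ESTABLISHED rule keeps that session up even though the policy is DROP) with build_ruleset 22144 123.123.123.123 80 443 | iptables-restore, and persist with netfilter-persistent save on Ubuntu or iptables-save > /etc/sysconfig/iptables on CentOS with iptables-services. If you run both UFW or firewalld and raw iptables on the same host, pick one; the two will fight over the same chains.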
Step 5: Lock down password authentication and root login
We can tighten things further in the sshd_config file.
vi /etc/ssh/sshd_config
Find the PermitRootLogin line. On a stock install it is commented out (for example #PermitRootLogin no or #PermitRootLogin prohibit-password) or, on some images, set to yes. Change it to
PermitRootLogin no
with the # removed.
Now there is no way to log in as root over SSH from outside; you come in as security and escalate locally.
PasswordAuthentication yes
Change to
PasswordAuthentication no
Remove any # in front of the setting, and make sure no earlier line or included drop-in file still sets it to yes: sshd takes the first value it reads, and on Ubuntu cloud images /etc/ssh/sshd_config.d/50-cloud-init.conf contains exactly that line. Before restarting, run sshd -t to check the syntax and keep your current session open; a typo here locks you out.
Restart the sshd service on Centos
systemctl restart sshd
Restart the ssh service on Ubuntu
systemctl restart ssh
Password logins and remote root logins are now refused; only a user holding a private key whose public half is in authorized_keys can get in.
Step 6: Restrict logins to specific users (AllowUsers)
vi /etc/ssh/sshd_config
Add the following line at the end of the config file:
AllowUsers security user2 user3
With this directive only the listed users can authenticate over SSH; every other account, including service accounts that happen to have a shell, is refused before its key or password is even checked. You can also pin a user to a source address, for example AllowUsers security@123.123.123.123.
Save and quit the file.
Restart the sshd service on Centos
systemctl restart sshd
Restart the ssh service on Ubuntu
systemctl restart ssh
Test it with a user that is not listed; the login should be refused with "Permission denied", and the attempt shows up in the auth log as "User ... not allowed because not listed in AllowUsers".
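Steps 3, 5 and 6 all come down to editing sshd_config by hand, and the three ways that goes wrong are the same each time: the directive is still commented out, it is set twice and sshd silently uses the first one, or an Include'd drop-in overrides it. The script below is an added example, not from the original article: one function sets a directive correctly in all three cases, another reports the value sshd would actually use, and a third lists drop-in files that also set it. The demo works on a constructed config in a temporary directory (the 50-cloud-init.conf drop-in mimics what Ubuntu cloud images ship); the port 22144 and user names are the article's placeholders.

```bash
#!/bin/bash
# Added example (not from the original article): set sshd_config directives
# from Steps 3, 5 and 6 without leaving a conflicting copy behind.
#
# usage: set_sshd_option <config-file> <Directive> <value>
set_sshd_option() {
    local cfg="$1" key="$2" val="$3"
    # Matches "Key ...", "#Key ..." and "# Key ..." at line start.
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$cfg"; then
        # Rewrite every active or commented occurrence so exactly one value
        # remains; sshd honours the FIRST occurrence, so a leftover
        # "PasswordAuthentication yes" above a later "no" would win.
        # (Values containing / or & would need escaping for sed; ours do not.)
        sed -E -i "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $val/" "$cfg"
    else
        printf '%s %s\n' "$key" "$val" >> "$cfg"
    fi
}

# The value sshd would use: first uncommented occurrence in this file.
# usage: effective_sshd_option <config-file> <Directive>
effective_sshd_option() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# Drop-in files pulled in by Include lines that also set the directive.
# They are parsed where the Include sits (normally the first line), so they
# take precedence over anything set later in the main file.
# usage: conflicting_dropins <config-file> <Directive>
conflicting_dropins() {
    local cfg="$1" key="$2" pattern
    for pattern in $(grep -E '^[[:space:]]*Include[[:space:]]' "$cfg" | awk '{print $2}'); do
        grep -lE "^[[:space:]]*$key[[:space:]]" $pattern 2>/dev/null || true
    done
}

# Apply the article's hardening in one go.
# usage: harden_sshd_config <config-file> <port> "<user1 user2 ...>"
harden_sshd_config() {
    local cfg="$1" port="$2" users="$3"
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    # PAM can still prompt for a password via keyboard-interactive unless
    # this is off too (older OpenSSH calls it ChallengeResponseAuthentication).
    set_sshd_option "$cfg" KbdInteractiveAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" AllowUsers "$users"
}

# Demo on a constructed config (not a real server's file).
demo=$(mktemp -d)
mkdir "$demo/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo/sshd_config.d/50-cloud-init.conf"
cat > "$demo/sshd_config" <<EOF
Include $demo/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
harden_sshd_config "$demo/sshd_config" 22144 "security user2"
cat "$demo/sshd_config"
echo "drop-ins that still set PasswordAuthentication:"
conflicting_dropins "$demo/sshd_config" PasswordAuthentication
```

On a real machine run it as root against /etc/ssh/sshd_config, fix or remove any drop-in it reports (or move your own settings into a drop-in that sorts first, since the Include glob is processed in name order), then run sshd -t before restarting sshd and, as in Step 3, test from a second terminal while the first stays open.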
Step 7: Configure SSH login with two-factor authentication using Google Authenticator
After all the steps above, you can add one more layer by requiring a Google Authenticator (TOTP) code on SSH login in addition to the key.
You can view the tutorial here
Enjoy the Security of SSH.
Thanks for reading. If you found anything we missed,
leave a comment below so we can all make our machines more secure.
Share this article with your friends if you found it useful.