In this article we will show several ways to secure your Linux machines and keep hackers out.

Normally, when we install a Linux machine, whether Ubuntu or CentOS, we log in with a normal user or the root user and a password.

This kind of login is easy for a hacker to script: they can run a brute-force attack against the login on your machine.

How do we secure our own Linux machines?

Step1: Create a common user

Instead of using the root user to log in from the outside world, create a normal user.

Log in as root and run:

useradd security
passwd security

and set a password for the user security.

So instead of logging in as root, you log in as the security user and switch to root once you are on the machine.

That way the root password is never sent over a remote login, so a hacker cannot sniff it or brute-force it at the SSH login.

Step2: Generate a private key and public key pair

Imagine the private key is the key to your room, and the public key is the lock on your room.

So we are going to install a lock on your Linux machine and generate a key for you to log in with. No more using a password to log in to your machine.

Log in as the security user and run the command below to create your key pair.

ssh-keygen -t rsa

After the command you will see a message like the one below (what you type at each prompt is noted in parentheses):

Generating public/private rsa key pair.
Enter file in which to save the key (/home/security/.ssh/id_rsa):   (press Enter to accept the default)
Created directory '/home/security/.ssh'.
Enter passphrase (empty for no passphrase):   (type a fresh new passphrase for the private key)
Enter same passphrase again:   (type the same passphrase again)
Your identification has been saved in /home/security/.ssh/id_rsa.
Your public key has been saved in /home/security/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ANg/h9YKq9pAwEizIN/A7KMFZUJcyx+j9jwkz9ptDVU security@linuxscriptshub
The key's randomart image is:
+---[RSA 2048]----+
|*B=+.            |
|B=Boo. E         |
|o=.o.+.o .       |
|. + + B.o.       |
| + = * +S        |
|o . O ..         |
|. . * o          |
| o. o o. .       |
|.... ...         |
+----[SHA256]-----+

Now go into the .ssh folder; you will see the private key and the public key.

cd .ssh
ls

id_rsa id_rsa.pub

id_rsa is the key to your room.

id_rsa.pub is the lock on your room.

Download id_rsa to your local machine and keep it private; anyone who holds it can open your room.

We will now install the lock: append id_rsa.pub to authorized_keys, the file sshd checks when someone offers a key.

# run these inside /home/security/.ssh
cat id_rsa.pub >> authorized_keys
chmod 700 .                      # sshd ignores the keys if .ssh is writable by other users
chmod 600 authorized_keys
chown security:security authorized_keys

With these commands we have set the ownership and permissions of the key file and its folder; sshd refuses an authorized_keys file that other users can write to.

Now, from your local machine, you can try to access the server with the command below:

ssh -i id_rsa security@linuxscriptshub

Congratulations, you will be logged in as the security user if you did not miss a step above.

Your machine can now be logged into with your key.

Step3: Changing the SSH login port

On a fresh machine SSH listens on TCP port 22, which every hacker knows.

Now we are going to change the port to make it harder for a hacker to find and reach it.

vi /etc/ssh/sshd_config

Change this

#Port 22

To

Port 22144

Note that the # must be removed; otherwise the line is still a comment and sshd falls back to the default port 22.

You can pick the port number yourself, even a 5-digit number, as long as it does not go over 65535. In my case I changed it to 22144.

Restart your sshd service

In Centos

systemctl restart sshd

In Ubuntu

systemctl restart ssh

After the restart, do not close the current terminal. Open another terminal and try to connect on the new port to confirm you can still log in.

ssh -i id_rsa security@linuxscriptshub -p22144

If your firewall is not blocking the port, you will be able to log in.

If not, add the rules below to allow access to the machine.

In Centos

firewall-cmd --permanent --zone=public --add-port=22144/tcp
firewall-cmd --reload

If your machine has SELinux enabled, you also have to run the command below to allow sshd to use the new port.

semanage port -a -t ssh_port_t -p tcp 22144

You can check your SELinux status with the command below:

getenforce

Enforcing means it is on, Disabled means it is off.

If you do not need SELinux at all, you can disable it in /etc/selinux/config: change the line SELINUX=enforcing to SELINUX=disabled and reboot the machine.

Keeping it enforcing and registering the port with semanage, as above, is the safer choice.

In Ubuntu

If you use UFW, run the commands below to allow access to the new SSH port.

ufw allow 22144/tcp      # SSH is TCP only, so there is no need to open UDP as well
systemctl restart ufw

Step4: Tie your custom SSH port to only one or a few IPs

In Step3 we changed the default SSH port to our custom port, but do not think that is secure enough.

A hacker can still use a port scanner to find every open port that faces the outside world,

so they can still discover your custom port and try to brute-force your machine.

The solution is to specify a few IP addresses that are always yours, such as your personal VPN IP or your home's static public IP address.

We limit access to the custom SSH port to those IPs only.

In Ubuntu (UFW)

ufw allow from 123.123.123.123/32 proto tcp to any port 22144

systemctl restart ufw

This allows only 123.123.123.123 to reach your machine's SSH port. A port scanner from any other address no longer sees the port, because it accepts connections only from that IP address.

In CentOS (Firewalld)

firewall-cmd --permanent --zone=public --add-rich-rule='
 rule family="ipv4"
 source address="123.123.123.123/32"
 port protocol="tcp" port="22144" accept'

firewall-cmd --reload

If you are using iptables you can do something like the following (works on both Ubuntu and CentOS):

# allow new SSH connections only from your IP
/sbin/iptables -A INPUT -s 123.123.123.123 -p tcp -m tcp --dport 22144 -j ACCEPT
# keep already-established sessions (including the one you are typing in) working
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop everyone else, but only on the SSH port so your other services stay reachable
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22144 -m state --state INVALID,NEW -j DROP

Append these rules at the end of your existing iptables rules, in this order, so the ESTABLISHED rule is in place before the DROP and your current session is not cut off.
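As an added example (not code from the original article), here is a POSIX shell function that builds the rule set above for any number of allowed addresses and validates its inputs before printing anything. It goes a little beyond the single-IP case in the text: the output is an iptables-restore fragment, so it can be reviewed before it is applied. The function name ssh_allowlist_rules and the second sample address 203.0.113.7 (a documentation address) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: ssh_allowlist_rules PORT ALLOWED_IP...
# Prints an iptables-restore fragment that admits the custom SSH port only
# from the listed IPv4 sources and drops everyone else on that port, without
# touching traffic to any other service. The helper name is this example's own.
ssh_allowlist_rules() {
  port=$1; shift

  # The port must be a number in 1..65535 (the article picks 22144).
  case "$port" in
    ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi

  # Refuse to emit a rule set that would lock everyone out, and refuse
  # anything that is not an IPv4 address or CIDR (no shell metacharacters).
  [ $# -ge 1 ] || { echo "at least one allowed address is required" >&2; return 1; }
  for ip in "$@"; do
    case "$ip" in
      ''|*[!0-9./]*) echo "invalid IPv4 address: '$ip'" >&2; return 1 ;;
    esac
  done

  printf '%s\n' '*filter'
  # Replies to connections we opened, and the SSH session we are typing in,
  # must keep flowing, so this rule comes before any DROP.
  printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
  for ip in "$@"; do
    printf '%s\n' "-A INPUT -s $ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Scope the DROP to the SSH port only. A bare "NEW -> DROP" would also
  # cut off web, mail or any other service the machine offers.
  printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP"
  printf '%s\n' 'COMMIT'
}

# Example: review the rules first, then apply them without flushing what is
# already loaded (iptables-restore -n keeps existing rules and appends).
#   ssh_allowlist_rules 22144 123.123.123.123/32
#   ssh_allowlist_rules 22144 123.123.123.123/32 | iptables-restore -n
```

Two things to check before relying on this on a real machine. First, iptables evaluates rules in order, so an earlier rule that already accepts the port from anywhere (for example one left over from opening the port in Step3) wins and these rules never fire; the same applies to UFW and firewalld, where an unrestricted allow rule for the port must be removed before the source-limited rule has any effect. Second, appended rules are lost on reboot unless you persist them with your distribution's tool (iptables-save into the file your init scripts restore from).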

Step5: Lock down password authentication and root login

We can make the sshd_config file more secure still.

vi /etc/ssh/sshd_config

#PermitRootLogin no

Change to

PermitRootLogin no

Remove the #

so that there is no way for anyone from the outside world to log in as your root user.

#PasswordAuthentication yes

Change to

PasswordAuthentication no

Remove the # in front of the setting.

Restart the sshd service on Centos

systemctl restart sshd

Restart the ssh service on Ubuntu

systemctl restart ssh

Now it is much harder to get into your Linux machine, since neither a password nor the root user works over SSH any more.

Step6: Setting allowed users in sshd config

vi /etc/ssh/sshd_config

Add the following line at the end of the config file:

AllowUsers security user2 user3

With this option, only the users listed are allowed to log in to the machine over SSH.

Save and quit the file.

Restart the sshd service on Centos

systemctl restart sshd

Restart the ssh service on Ubuntu

systemctl restart ssh

You can test it with a user that is not listed in the option; that login should be refused.
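The Port, PermitRootLogin, PasswordAuthentication and AllowUsers changes above are all the same operation: turn a commented default into a live directive, or add the directive if it is missing. As an added example (not part of the original article), here is a POSIX shell helper that does that edit idempotently and also reads back the value sshd will actually use. The function names set_sshd_option and sshd_option, and the scratch path /tmp/sshd_config.new in the usage comment, are this example's own assumptions.

```shell
#!/bin/sh
# Added example: edit sshd_config directives idempotently instead of hunting
# for "#Port 22" by hand in vi. Function names are this example's own.

# set_sshd_option FILE KEYWORD VALUE
# Makes "KEYWORD VALUE" the live setting: the first mention of the keyword
# (commented out or not) is rewritten, later active duplicates are commented
# out, and a keyword that is not present yet is added before any Match block,
# because directives placed after "Match" apply only inside that block.
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp="$file.tmp.$$"
  awk -v key="$key" -v value="$value" '
    BEGIN { ckey = "#" key; done = 0; inmatch = 0 }
    $1 == "Match" { if (!done) { print key " " value; done = 1 } inmatch = 1 }
    inmatch { print; next }
    $1 == key || $1 == ckey {
      if (!done) { print key " " value; done = 1 }
      else if ($1 == key) { print "#" $0 }   # sshd uses the first value; mark the loser
      else { print }
      next
    }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_option FILE KEYWORD
# Prints the value sshd would use for a global keyword (first active mention
# above any Match block), or nothing if it is unset.
sshd_option() {
  awk -v key="$2" '
    $1 == "Match" { exit }
    $1 == key { $1 = ""; sub(/^ +/, ""); print; exit }
  ' "$1"
}

# Example against a copy of the real file. Replace /etc/ssh/sshd_config only
# after "sshd -t -f" reports no errors, and keep your current session open
# until a second terminal has logged in with the key on the new port.
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new
#   set_sshd_option /tmp/sshd_config.new Port 22144
#   set_sshd_option /tmp/sshd_config.new PermitRootLogin no
#   set_sshd_option /tmp/sshd_config.new PasswordAuthentication no
#   set_sshd_option /tmp/sshd_config.new AllowUsers "security user2 user3"
#   sshd -t -f /tmp/sshd_config.new && cp /tmp/sshd_config.new /etc/ssh/sshd_config
```

The order matters in practice: set PasswordAuthentication to no only after the key login from the earlier step has been confirmed to work, because once sshd is restarted with that setting a forgotten key is the only way in.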

Step7: Configure SSH login with two-factor authentication using Google Authenticator

After all the steps above, we can make it more secure still by adding Google Authenticator to your SSH login.

You can view the tutorial here.

Enjoy the Security of SSH.

Thanks for staying with us. If you find anything we missed, comment below so our machines can become even more secure.

Share this article with your friends if you found it useful.
