# Locking Down SSHd on Your Cloud / Remote Server (Ubuntu or Debian)

SSH in, or log in on the console. If you are new to Linux guides: you type the part after the `$`. This guide, however, is written for more experienced Linux admins.

**Beware:** this tutorial is for NEW server setups with nothing on them yet! It is possible to lock yourself out of the server if a step is done wrong!

If you are not root yet, become root:

```
Remote-SERVER$ sudo -i
```

For a website setup we will create some new user accounts: a web developer (who may or may not also be an admin) and an admin user. Change the names to something hard to guess, such as a last name. Limit the number of users and grant only the permissions each job title needs. Be sure to substitute `DevGuy` with a good account name throughout this tutorial! (Note that `adduser` on Debian and Ubuntu rejects capital letters in user names by default, because of the `NAME_REGEX` check in `/etc/adduser.conf`; either pick an all-lowercase name or relax that check with `--force-badname`, called `--allow-bad-names` on newer releases.)

```
Remote-SERVER$ adduser DevGuy
```

Now make them a member of the group `www-data`:

```
Remote-SERVER$ usermod -aG www-data DevGuy
```

Give them sudo power ONLY if they need it. Are they in DevOps and need to install things as root?

```
Remote-SERVER$ usermod -aG sudo DevGuy
```

---

Now make your admin user; again, make up a secure user name. Be sure to substitute `AdminGuy` with a good account name throughout this tutorial! (Linux user names are case-sensitive, so use exactly the same spelling in every command.)

```
Remote-SERVER$ adduser AdminGuy
```

Give them sudo group membership:

```
Remote-SERVER$ usermod -aG sudo AdminGuy
```

---

You may add a few more as needed.
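The `adduser`/`usermod` steps above are easy to get wrong, and the quickest way to find out who actually ended up with sudo rights is to read the group database rather than trust memory. The script below is an added example, not part of the original tutorial: it parses an `/etc/group`-format file (pointed here at a constructed sample, so it runs without root; point it at the real `/etc/group` on the server) and reports every account that is a direct member of `sudo`.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit supplementary group
# membership from an /etc/group-format file. The sample file is constructed.
set -eu

# Print the members of one group, one per line.
# Group file line format: name:password:gid:member1,member2,...
group_members() {
    local groupfile=$1 group=$2
    awk -F: -v g="$group" '$1 == g && $4 != "" { gsub(",", "\n", $4); print $4 }' "$groupfile"
}

# Print every group a user is listed in as a supplementary member.
# (The primary group lives in /etc/passwd, which this does not read.)
user_groups() {
    local groupfile=$1 user=$2
    awk -F: -v u="$user" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$groupfile"
}

# Return 0 if the user is a direct member of sudo, 1 otherwise.
has_sudo() {
    user_groups "$1" "$2" | grep -qx sudo
}

# Constructed sample: DevGuy was meant to get www-data only, but was also
# added to sudo by mistake. Replace with /etc/group on a real server.
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
adm:x:4:syslog,AdminGuy
sudo:x:27:AdminGuy,DevGuy
www-data:x:33:DevGuy
EOF

audit_sudo() {
    local groupfile=$1 u
    echo "Members of sudo:"
    group_members "$groupfile" sudo
    for u in DevGuy AdminGuy; do
        if has_sudo "$groupfile" "$u"; then
            echo "$u can become root (revoke with: deluser $u sudo)"
        fi
    done
}

audit_sudo "$SAMPLE_GROUP"
```

Run it as root against `/etc/group` after every round of `usermod -aG`; any name you did not expect under `sudo` is one `deluser <name> sudo` away from being fixed.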
Be careful with the above commands; don't give away too much power. If you did, remove the unneeded groups. To see which groups a user belongs to, run `groups theUserNameHere`:

```
Remote-SERVER$ groups DevGuy
```

If you meant to give `www-data` group membership ONLY, you may revoke `sudo` group membership at any time, as root, for example:

```
Remote-SERVER$ deluser DevGuy sudo
```

or

```
Remote-SERVER$ gpasswd -d DevGuy sudo
```

---

## Onwards then

Let's make a nice login security banner:

```
Remote-SERVER$ nano /etc/banner.txt
```

```
***************************************************************************
                              NOTICE TO USERS

This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign. By using this system, the user
consents to such interception, monitoring, recording, copying, auditing,
inspection, and disclosure at the discretion of such personnel or
officials. Unauthorized or improper use of this system may result in
civil and criminal penalties and administrative or disciplinary action,
as appropriate. By continuing to use this system you indicate your
awareness of and consent to these terms and conditions of use.

LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this
warning.
****************************************************************************
```

Press Ctrl+X to save and exit, Y to save, Enter to accept the default filename.

## On your local developer's computer

If you have no SSH keys yet, do the following to make one. Note: adding a passphrase to your key file is an extra layer of security, though annoying;
it would be worth it in case someone gains access to your machine and copies your keys!

```
Dev-Local-PC$ mkdir ~/.ssh
Dev-Local-PC$ chmod 700 ~/.ssh
Dev-Local-PC$ ssh-keygen -f ~/.ssh/DevGuy -t rsa -b 4096
Dev-Local-PC$ mv ~/.ssh/DevGuy ~/.ssh/DevGuy.private
```

Copy your public key to the server. This logs in with the account's password once, so it must happen before password logins are disabled in the sshd configuration below:

```
Dev-Local-PC$ ssh-copy-id -i ~/.ssh/DevGuy.pub DevGuy@ServerHostIPHere
```

---

Only if `ssh-copy-id` failed, do the copy by hand:

```
Dev-Local-PC$ scp ~/.ssh/DevGuy.pub root@ServerHostIPHere:/root/DevGuy.pub
Dev-Local-PC$ ssh root@ServerHostIPHere
```

Now on the server, as root, put the key where sshd expects it and give it the ownership and modes sshd insists on:

```
Remote-SERVER$ mkdir /home/DevGuy/.ssh
Remote-SERVER$ chown DevGuy:DevGuy /home/DevGuy/.ssh
Remote-SERVER$ chmod 700 /home/DevGuy/.ssh
Remote-SERVER$ mv /root/DevGuy.pub /home/DevGuy/.ssh/authorized_keys
Remote-SERVER$ chown DevGuy:DevGuy /home/DevGuy/.ssh/authorized_keys
Remote-SERVER$ chmod 600 /home/DevGuy/.ssh/authorized_keys
Remote-SERVER$ exit
```

---

Make it easier to connect to this server:

```
Dev-Local-PC$ nano ~/.ssh/config
```

Add to the file:

```
Host mySERVERNameHere
    HostName ServerHostIPHere
    Port 2992
    User DevGuy
    IdentityFile ~/.ssh/DevGuy.private
```

You may add more existing servers by repeating the block above and changing the Host/HostName/Port values. This entry points at port 2992, which sshd on the server does not listen on yet: it will only work once sshd has been reconfigured (we do that in a few moments) and any SSH session that is still open has been exited or logged off.

```
Dev-Local-PC$ exit
```

That's it for the dev.

NOTE: It is critical that no one else gets hold of your private keys!!! Guard them: if they live on a USB stick, encrypt it with LUKS (Linux Unified Key Setup) or similar and keep it in a safe. Anyone who gets hold of a private key is root or www-data on your server(s)!!!
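The `chmod 700`/`chmod 600` steps above are not cosmetic: the OpenSSH client refuses to use a private key that other users can read, and sshd (with `StrictModes yes`) ignores an `authorized_keys` file whose directory or ownership is too loose, so a sloppy copy leaves you locked out with no obvious error. The script below is an added example, not part of the original tutorial; it assumes GNU `stat` as shipped on Ubuntu/Debian and runs against two constructed temporary directories rather than a real `~/.ssh`, reporting every file or directory that breaks the rules.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): verify ownership and modes
# of an SSH client directory. Sample directories below are constructed.
set -u

# Report problems under one .ssh-style directory, one line per finding.
# Returns 0 if everything is as required, 1 otherwise.
# Rules: directory 700; private keys and authorized_keys 600; *.pub may be
# world-readable; everything owned by the user running the check.
check_ssh_dir() {
    local dir=$1 me problems=0 f mode owner
    me=$(id -un)
    mode=$(stat -c %a "$dir"); owner=$(stat -c %U "$dir")
    [ "$mode" = 700 ] || { echo "$dir: mode $mode, want 700"; problems=1; }
    [ "$owner" = "$me" ] || { echo "$dir: owned by $owner, want $me"; problems=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f"); owner=$(stat -c %U "$f")
        [ "$owner" = "$me" ] || { echo "$f: owned by $owner, want $me"; problems=1; }
        case "${f##*/}" in
            *.pub|config|known_hosts*) ;;   # not secret; any sane mode is fine
            *) [ "$mode" = 600 ] || { echo "$f: mode $mode, want 600"; problems=1; } ;;
        esac
    done
    return "$problems"
}

# Constructed sample 1: set up exactly as the tutorial says.
GOOD_DIR=$(mktemp -d); chmod 700 "$GOOD_DIR"
printf 'FAKE PRIVATE KEY (constructed)\n' > "$GOOD_DIR/DevGuy.private"
chmod 600 "$GOOD_DIR/DevGuy.private"
printf 'ssh-rsa FAKE DevGuy (constructed)\n' > "$GOOD_DIR/DevGuy.pub"
chmod 644 "$GOOD_DIR/DevGuy.pub"

# Constructed sample 2: directory and private key both too permissive.
BAD_DIR=$(mktemp -d); chmod 755 "$BAD_DIR"
printf 'FAKE PRIVATE KEY (constructed)\n' > "$BAD_DIR/DevGuy.private"
chmod 644 "$BAD_DIR/DevGuy.private"

for d in "$GOOD_DIR" "$BAD_DIR"; do
    if check_ssh_dir "$d"; then echo "$d: OK"; fi
done
```

On a real machine run `check_ssh_dir ~/.ssh` on the developer's PC, and as the target user (`su - DevGuy`) on the server, before you disable password logins.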
Make sure that your `.ssh` folder and files belong to the owner, i.e.:

```
$ chown DevGuy:DevGuy ~/.ssh
```

In other words, not to the root account or some other account name. If they do not have the proper ownership and permissions you will be unable to connect to the server until that is fixed. Your `.ssh` folder must be read/write/execute for the owner only:

```
$ chmod 700 ~/.ssh
```

Your private key should be read/write for the owner only:

```
$ chmod 600 ~/.ssh/DevGuy.private
```

Your public keys are fine to place on any server or PC.

## On your local admin's computer

If you have no SSH keys yet, do the following to make one:

```
Admin-PC$ mkdir ~/.ssh
Admin-PC$ chmod 700 ~/.ssh
Admin-PC$ ssh-keygen -f ~/.ssh/AdminGuy -t rsa -b 4096
Admin-PC$ mv ~/.ssh/AdminGuy ~/.ssh/AdminGuy.private
```

Copy your public key to the server:

```
Admin-PC$ ssh-copy-id -i ~/.ssh/AdminGuy.pub AdminGuy@ServerHostIPHere
```

Make it easier to connect to this server:

```
Admin-PC$ nano ~/.ssh/config
```

```
Host mySERVERNameHere
    HostName ServerHostIPHere
    Port 2992
    User AdminGuy
    IdentityFile ~/.ssh/AdminGuy.private
```

```
Admin-PC$ exit
```

## Back on the remote server, still as root: lock down SSHd

If you are on Ubuntu and no longer need the original sshd config, rename it:

```
Remote-SERVER$ mv /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
Remote-SERVER$ nano /etc/ssh/sshd_config
```

Insert the following for Ubuntu, or just modify the relevant values in your existing file: the port, the account names, the banner path and the authentication settings. On newer Ubuntu releases the stock file begins with `Include /etc/ssh/sshd_config.d/*.conf`, and the first value sshd reads for a keyword wins, so a drop-in in that directory (cloud images ship one that sets `PasswordAuthentication yes`) overrides anything you write further down in the main file; check that directory too. Don't listen on the default port 22: it will get blasted by attackers.
```
# What ports, IPs and protocols we listen for. Don't use the default of 22! It will get blasted by attackers.
Port 2992
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2

# HostKeys for protocol version 2
# (the DSA key is absent on newer releases; sshd logs that it could not load it and carries on)
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
# Note: Protocol, UsePrivilegeSeparation, KeyRegenerationInterval, ServerKeyBits,
# RSAAuthentication and RhostsRSAAuthentication are ignored (with a startup
# warning) by OpenSSH 7.4/7.5 and later; they may be deleted on current releases.
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

# ---- To block all but the following two user accounts ----
# -- Be sure to replace these with the real account names you want to use! --
# -- Make sure these accounts EXIST as typed and that their keys already work
#    before you uncomment the line: they are the only way in --
# -- Names are separated by spaces, not commas: "AdminGuy," is a user that matches nobody --
#AllowUsers AdminGuy DevGuy

ClientAliveInterval 300
# Note: OpenSSH 8.2 and later treat 0 as "never terminate"; use a small positive
# value such as 1 if you want sessions whose client stops answering dropped.
ClientAliveCountMax 0

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/banner.txt

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Allow SFTP access
Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
```

Press Ctrl+X to save and exit, Y to save, Enter to accept the default filename.

Keep the root session you are in open while you restart sshd, and only close it after a fresh login on port 2992 with one of the new accounts has succeeded; if the new configuration is broken, that open session is your way back in. If the server sits behind a cloud provider firewall or security group, port 2992 must be opened there as well.

```
Remote-SERVER$ sudo service ssh restart
```

## Install Fail2Ban....

## Set up a firewall

Allow rate-limited SSH access on the new port:

```
Remote-SERVER$ sudo ufw limit 2992/tcp
```

Allow the web site, if desired:

```
Remote-SERVER$ sudo ufw allow 80/tcp
Remote-SERVER$ sudo ufw allow 443/tcp
```

Review which firewall ports are open (while the firewall is still disabled, `ufw status` only reports that it is inactive; `ufw show added` lists the rules you have queued):

```
Remote-SERVER$ sudo ufw status numbered
```

If all ports needed for your services are set:

```
Remote-SERVER$ sudo ufw enable
```

Install the web site (apache2, nginx or other) if desired.

On your local developer or admin computer it is now easy to connect safely to your remote server:

```
on-ANY-Local-PC-Setup-with-config-file-for-ssh-client$ ssh mySERVERNameHere
```
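Two things in the sshd section above silently lock people out: a typo in the file itself (such as a comma-separated `AllowUsers`) and a drop-in or default that overrides a setting you thought you had changed. The script below is an added example, not part of the original tutorial. It assumes an OpenSSH sshd that supports `sshd -t` (syntax check) and `sshd -T` (print the effective configuration, one lowercase `keyword value` per line, with all `Include`d files folded in), and it runs here against constructed sample input so it can be tried offline; on the server you would run `sshd -t` and `sshd -T | lint_effective` before `service ssh restart`.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): lint a hardened sshd setup.
# lint_raw_config  - mistakes visible in the file as written
# lint_effective   - weak settings in `sshd -T` output read from stdin
# All sample input below is constructed.
set -u

# Print findings about the raw sshd_config file; return the number found.
lint_raw_config() {
    local file=$1 n=0 dep
    # sshd splits AllowUsers on whitespace, so "AdminGuy," is a literal user
    # name that matches nobody, and the admin is locked out.
    if grep -Eiq '^[[:space:]]*AllowUsers[[:space:]].*,' "$file"; then
        echo "AllowUsers: separate names with spaces, not commas"; n=$((n+1))
    fi
    # Directives removed with SSH protocol 1 / privilege separation changes;
    # OpenSSH 7.4+ ignores them and warns at every start.
    for dep in Protocol KeyRegenerationInterval ServerKeyBits RSAAuthentication \
               RhostsRSAAuthentication UsePrivilegeSeparation; do
        if grep -Eiq "^[[:space:]]*$dep[[:space:]]" "$file"; then
            echo "$dep: ignored by OpenSSH 7.4 and later, can be removed"; n=$((n+1))
        fi
    done
    return "$n"
}

# Read `sshd -T` output on stdin; print findings; return the number found.
lint_effective() {
    local key val msg n=0
    while read -r key val; do
        msg=""
        case "$key" in
            port)                   [ "$val" != 22 ] || msg="port: still on the default 22" ;;
            permitrootlogin)        [ "$val" = no ]  || msg="permitrootlogin: $val, want no" ;;
            passwordauthentication) [ "$val" = no ]  || msg="passwordauthentication: $val, want no (check sshd_config.d drop-ins)" ;;
            permitemptypasswords)   [ "$val" = no ]  || msg="permitemptypasswords: $val, want no" ;;
            pubkeyauthentication)   [ "$val" = yes ] || msg="pubkeyauthentication: $val, want yes" ;;
            x11forwarding)          [ "$val" = no ]  || msg="x11forwarding: $val, want no" ;;
            allowtcpforwarding)     [ "$val" = no ]  || msg="allowtcpforwarding: $val, want no" ;;
        esac
        [ -z "$msg" ] || { echo "$msg"; n=$((n+1)); }
    done
    return "$n"
}

# Constructed sample 1: the AllowUsers typo plus two obsolete directives.
RAW_BAD=$(mktemp)
cat > "$RAW_BAD" <<'EOF'
Port 2992
Protocol 2
ServerKeyBits 1024
PermitRootLogin no
AllowUsers AdminGuy, DevGuy
PasswordAuthentication no
EOF

# Constructed sample 2: the same intent, written correctly.
RAW_GOOD=$(mktemp)
cat > "$RAW_GOOD" <<'EOF'
Port 2992
PermitRootLogin no
AllowUsers AdminGuy DevGuy
PasswordAuthentication no
EOF

# Constructed sample 3: effective settings on a cloud image where a drop-in
# in /etc/ssh/sshd_config.d/ re-enabled password logins behind our back.
EFF_SAMPLE=$(mktemp)
cat > "$EFF_SAMPLE" <<'EOF'
port 2992
permitrootlogin no
passwordauthentication yes
permitemptypasswords no
pubkeyauthentication yes
x11forwarding no
allowtcpforwarding no
EOF

echo "== raw file (bad) ==";  lint_raw_config "$RAW_BAD"  || true
echo "== raw file (good) =="; lint_raw_config "$RAW_GOOD" || true
echo "== effective ==";       lint_effective < "$EFF_SAMPLE" || true
```

Only the effective view catches the third case: the main file says `PasswordAuthentication no`, yet `sshd -T` shows `yes` because the included drop-in was read first. Fix the drop-in (or remove the `Include` when you replace the whole file), re-run `sshd -t`, then restart.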