Basic SSH Security

[Shogun 4454]

Good morning,

 

Today I will show you how to make your ssh safer easily while avoiding having to type your login and password every time you want to work on your server.

 

Part 1. Logging in with a SSH Key

 

For starters, we will create a new user for our metin2 server.

pw useradd metin2 -m -g wheel

Next, we will move our server files to /home/metin2 and give our new user ownership of the files

cd /home
chown -R metin2:wheel metin2/

Now we are going to create a ssh key. In short, this is a file you save to your PC and replaces your password for login.

su metin2
ssh-keygen

Press enter (leave defaults) and move to the .ssh folder that has been created

cd metin2/.ssh
mv id_rsa.pub authorized_keys
cat id_rsa

Copy the output of this last command (including the comments) with ctrl+C and save it into a text file. This is your private key; to convert it to a format that putty and Filezilla can understand, you can use puttygen.

 

Download and open the tool and click on Load. Select "All files" on the File dialog and open the text file you saved previously, then click on "Save Private Key" to create the ppk file.

 

Finally, we are going to try to login with our new key. Open putty and load your server's settings, then go to the Connection > Data tab and in autologin username enter metin2 (or whatever you called your server's user). Next open Connection > SSH > Auth and load your ppk file.

 

Finally, return to Session and save your new settings, then Open to verify that you are able to login automatically with your new user and key, and use the su command to gain root privileges.

 

Part 2: Securing SSH

 

Once this is done, we can proceed to disable root login and password authentication in /etc/ssh/sshd_config, and restart the ssh server with service sshd restart. While you are editing the ssh config, it's also a good idea to change the ssh port to a different one, preferably an unused, high number port but don't forget to open this port in your firewall or you will lock yourself out!

 

 

Part 3. Security good practices

 

Once you do all of this, the only way to access your server is through the private ppk file. Therefore, make sure to backup it in a safe place such as USB stick or external drive!

 

Always run your server startup script as the metin2 user.

 

If you need root privileges, login with the metin2 user and then use su. In the event that someone gained shell access through some kind of backdoor or exploit, he won't have full access to the machine.

[IceShiva 144]

Very useful tutorial! But it's not enough to protect server against third party unprivileged persons. Good solution is hide all "external" service such as ssh/mysql/nfs server and client behind vpn , use good website scripts (many server been the pnwed by vulnerabilities in sites) strive to limitation host in mysql users and not privilege users even root to 'FILE' privilege'

By 'FILE' privilege , vulnerability homepage script and badly chmoded directories as 'cache' 'images'  you can use this as LFI/RFI vuln via load_file() and into outfile statement

[M.Sorin 275]

A little add :

cd /home/metin2
chmod 750 .ssh

then

chmod 600 .ssh/authorized_keys
chmod 600 .ssh/id_rsa

If you don`t do this step the server will refuse your key and give you this error:

SSH Authentication Refused: Bad Ownership or Modes for Directory

Cheers

[Shogun 4454]

A little add :

cd /home/metin2
chmod 750 .ssh

then

chmod 600 .ssh/authorized_keys
chmod 600 .ssh/id_rsa

If you don`t do this step the server will refuse your key and give you this error:

SSH Authentication Refused: Bad Ownership or Modes for Directory

Cheers

 

As far as I know, those permissions are already set by default, at least on FreeBSD 9 and 10

[M.Sorin 275]

I have FreeBSD 9.1-p12 and i have to set those permission for the key to work.

[Shogun 4454]

Maybe you were making keys for another user with root?