Shogun

Basic SSH Security

Good morning,

 

Today I will show you how to make your SSH safer easily while avoiding having to type your login and password every time you want to work on your server.

 

Part 1. Logging in with an SSH Key

 

For starters, we will create a new user for our metin2 server.

pw useradd metin2 -m -g wheel

Next, we will move our server files to /home/metin2 and give our new user ownership of the files.

cd /home
chown -R metin2:wheel metin2/

Now we are going to create an SSH key. In short, this is a file you save to your PC that replaces your password for login.

su metin2
ssh-keygen

Press Enter (leave the defaults) and move to the .ssh folder that has been created.

cd metin2/.ssh
mv id_rsa.pub authorized_keys
cat id_rsa

Copy the output of this last command (including the comments) with Ctrl+C and save it into a text file. This is your private key; to convert it to a format that PuTTY and FileZilla can understand, you can use PuTTYgen.

 

Download and open the tool and click on Load. Select "All files" on the File dialog and open the text file you saved previously, then click on "Save Private Key" to create the ppk file.

 

Finally, we are going to try to log in with our new key. Open PuTTY and load your server's settings, then go to the Connection > Data tab and in "Auto-login username" enter metin2 (or whatever you called your server's user). Next, open Connection > SSH > Auth and load your ppk file.

 

Finally, return to Session and save your new settings, then click Open to verify that you are able to log in automatically with your new user and key, and use the su command to gain root privileges.

 

Part 2. Securing SSH

 

Once this is done, we can proceed to disable root login and password authentication in /etc/ssh/sshd_config, and restart the SSH server with service sshd restart. While you are editing the SSH config, it's also a good idea to change the SSH port to a different one, preferably an unused, high-numbered port, but don't forget to open this port in your firewall or you will lock yourself out!

 

 

Part 3. Security good practices

 

Once you do all of this, the only way to access your server is through the private ppk file. Therefore, make sure to back it up in a safe place such as a USB stick or an external drive!

 

Always run your server startup script as the metin2 user.

 

If you need root privileges, log in with the metin2 user and then use su. In the event that someone gains shell access through some kind of backdoor or exploit, he won't have full access to the machine.

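Added here as an example, not code from the thread or its author: a small POSIX sh script that checks an sshd_config for the three Part 2 changes (PermitRootLogin, PasswordAuthentication, Port) the way sshd itself reads the file (first uncommented occurrence wins), and runs sshd's own syntax check (sshd -t) before restarting. The function names, the sample configs and the port 48222 are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the three
# Part 2 changes before restarting sshd, so a half-applied edit cannot lock you out.
# Function and variable names are mine; the two sample configs are constructed below.

sshd_directive() {
    # Usage: sshd_directive CONFIG KEYWORD -> prints the effective value.
    # sshd uses the FIRST uncommented occurrence of a keyword, so appending
    # "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing.
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd_config() {
    # Usage: audit_sshd_config CONFIG
    # Returns 0 only when root login and password auth are explicitly off and
    # Port is not 22; prints each failing directive. Unset directives fall back
    # to sshd's built-in defaults, which leave password authentication enabled.
    cfg=$1; rc=0
    root=$(sshd_directive "$cfg" PermitRootLogin)
    pass=$(sshd_directive "$cfg" PasswordAuthentication)
    port=$(sshd_directive "$cfg" Port)
    [ "$root" = no ] || { echo "PermitRootLogin=${root:-unset}"; rc=1; }
    [ "$pass" = no ] || { echo "PasswordAuthentication=${pass:-unset}"; rc=1; }
    { [ -n "$port" ] && [ "$port" != 22 ]; } || { echo "Port=${port:-22 (default)}"; rc=1; }
    return $rc
}

apply_sshd_config() {
    # Usage: apply_sshd_config CONFIG (run as root on the server, not in this demo).
    # Restart only once the audit passes and sshd's own syntax check is clean,
    # otherwise a typo in the file would take sshd down with the restart.
    audit_sshd_config "$1" && sshd -t -f "$1" && service sshd restart
}

# Constructed samples: a stock-looking config (weak) and the Part 2 version (hardened).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf '%s\n' '#Port 22' 'PermitRootLogin yes' '#PasswordAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'Port 48222' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$HARD_CFG"

audit_sshd_config "$WEAK_CFG" || echo "weak config rejected"     # prints 3 findings
audit_sshd_config "$HARD_CFG" && echo "hardened config passes"
```

Keep your existing PuTTY session open while you restart sshd, and only close it after a second session on the new port and key has logged in successfully.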

Very useful tutorial! But it's not enough to protect the server against unprivileged third parties. A good solution is to hide all "external" services such as the ssh/mysql/nfs server and client behind a VPN, use good website scripts (many servers have been pwned through vulnerabilities in sites), restrict the allowed hosts of your MySQL users, and do not grant users, even root, the 'FILE' privilege.

With the 'FILE' privilege, a vulnerable homepage script and badly chmoded directories such as 'cache' or 'images', this can be used as an LFI/RFI vulnerability via load_file() and the INTO OUTFILE statement.


A little addition:

cd /home/metin2
chmod 750 .ssh

then

chmod 600 .ssh/authorized_keys
chmod 600 .ssh/id_rsa

If you don't do this step, the server will refuse your key and give you this error:

SSH Authentication Refused: Bad Ownership or Modes for Directory

Cheers :P


As far as I know, those permissions are already set by default, at least on FreeBSD 9 and 10.


I have FreeBSD 9.1-p12 and I have to set those permissions for the key to work.


Maybe you were making keys for another user with root?

