A Beginner's Guide to Securing Your Server Part 2 of 3 (with SSH access)
There's sort of an un-written rule of thumb regarding the SSH console. If a hacker gains access to an SSH prompt, it's already too late. While that of course is not entirely true, you should take every step necessary to restrict access to the SSH console. I know some of you probably have clients that use SSH, and may have even signed up with you because you offer it. However if you offer shared hosting SSH access should in my opinion never be granted to any of your users. It's just not worth the risk.
These are measures that can be taken to secure your server, with SSH access.
-
Udate OS, Apache and CPanel to the latest stable versions.
This can be done from WHM/CPanel.
-
Restrict SSH Access
To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.
SSH into server and login as root.
Note: You can download Putty by Clicking Here. It's a clean running application that will not require installation on Windows-boxes.
At command prompt type: pico /etc/ssh/sshd_config
Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
Uncomment and change
#Port 22
to look like
Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number)
Uncomment and change
#Protocol 2, 1
to look like
Protocol 2
Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)
Note 1: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no
Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.
Note 2: You can also create a custome nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.
Now restart SSH
At command prompt type: /etc/rc.d/init.d/sshd restart[B]
Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.
Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.
-
Disable Telnet
To disable telnet, SSH into server and login as root.
At command prompt type: pico -w /etc/xinetd.d/telnet
change disable = no to disable = yes
Save and Exit
At command prompt type: /etc/init.d/xinetd restart
-
Server e-mail everytime someone logs in as root
To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.
At command prompt type: pico .bash_profile
Scroll down to the end of the file and add the following line:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
Save and exit.
-
Set an SSH Legal Message
To an SSH legal message, SSH into server and login as root.
At command prompt type: pico /etc/motd
Enter your message, save and exit.
Note: I use the following message...
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.
Now everytime someone logs in as root, they will see this message... go ahead a try it.
-
Disable Shell Accounts
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhostsNote: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.
-
Disable identification output for Apache
To disable the version output for proftp, SSH into server and login as root.
At command prompt type: pico /etc/httpd/conf/httpd.conf
Scroll (way) down and change the following line to
ServerSignature Off
Restart Apache
At command prompt type: /etc/rc.d/init.d/httpd restart