It's very common for all servers (virtual/cloud and physical) connected to the internet to be scanned and logins attempted. There are a few steps you can take to secure your SSH installation. It's important to note that it's impossible to be 100% guaranteed secure, but there are lots of steps you can take to make it almost there...
The following are in order of difficulty for you when then trying to access them. All are described in terms of an Ubuntu 16.04 instance, but should work on most other distributions too.
We have also written an update to this guide from an Ubuntu 18.04 perspective, so if you are running that version you can get updated information there.
1. Install fail2ban
This piece of software is great - it simply monitors the SSH authentication log files for failed attempts and bans connecting IP addresses that have 3 failed attempts for 10 minutes (by default). As these requests often are just sent in huge batches, it stops them after three attempts for a while, making them more likely to give up rather than wait infinite years for their attempts to succeed. There's lots of information online about fail2ban
but a simple installation is just:
sudo apt update
sudo apt install fail2ban
And that's it! If you want to tweak settings you can have a look at the files in /etc/fail2ban
.
2. Non-standard port
The simplest thing you can do is to simply configure sshd
to not listen on port 22. You do this by editing /etc/ssh/sshd_config
and changing the line:
Port 22
to be a new choice of port (some people use 2222, but because this is so common it's now often attempted along with the default one anyway):
Port 2234
After doing this you need to restart your SSH daemon with service ssh restart
.
Now when you SSH from the command line you can either specify the port with:
ssh -p 2234 root@your.ip.address.here
Or you can edit a file on your local machine called ~/.ssh/config
and put a section like:
Host your.ip.address.here
Port 2234
3. Disable Root Logins
When hackers try to brute force entry to your SSH daemon, they often try the OS's default users (ubuntu
, debian
, etc) or root
. So if you have a non-root
user with sudo permissions that you use to connect with, you can disable the root
login via SSH completely. To do this edit the /etc/ssh/sshd_config
file on the instance again and change the line:
PermitRootLogin yes
to be:
PermitRootLogin no
And again restart your ssh with service ssh restart
. NOTE: If you only have a root user on the server, you'll lose access to your instance by doing this - forcing a rebuild and 100% data loss on the instance.
4. Firewall SSH
You can use either a custom Civo firewall from your dashboard or your distributions built-in firewalling to only allow TCP connections to your SSH daemon to a specific IP address (your office's fixed IP address). This is really secure, but it doesn't help if you're on vacation and an instance has a problem. Read more about firewalling instances.
5. Port knocking
This is going to be the most hasslesome method, but is really clever. What you do is completely firewall SSH off from being accessed and setup a daemon that listens on a number of ports and when it receives a connection of them in the right order, it then opens up the firewall to SSH for the IP address that made the sequence of port connections. Let's install it and work through an example:
The first step is to setup some default rules using iptables
:
# Accept all local traffic (from the same machine)
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow any already established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# If you have any other rules add them now, e.g. HTTPS:
# sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Finally drop anything that we haven't specified
sudo iptables -A INPUT -j DROP
That's locked your box down, but because of the ESTABLISHED,RELATED
item your current SSH connection won't drop (DON'T exit the connection yet now though).
Now we should make these rules exist between reboots with:
sudo apt update
sudo apt install iptables-persistent
sudo service iptables-persistent start
Now we're ready to install Knockd, which is a really nice piece of software to listen on configured ports and run commands when it receives connections in the right order:
sudo apt install knockd
Now we can configure the daemon by editing /etc/knockd.conf
[options]
UseSyslog
[openSSH]
sequence = 6001,6003,6007
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 6007,6003,6001
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
This is configured now so that if you knock on ports 6001, then 6003 and then 6007 in that order it will open iptables
to allow your current IP's connection. If you knock in reverse order it will close it again. We'd recommend that you not use the ports above though, pick three (or whatever) ports of your own choosing, above 1024 and less than or equal to65535. Now you've got to enable the daemon and start it. Edit the file /etc/default/knockd
and change the line:
START_KNOCKD=0
to be:
START_KNOCKD=1
And start the service with:
sudo service knockd start
Now you're ready to try it (hopefully you're doing this for the first time on a test instance):
Open a new terminal (tab) and install the knock
client (or you can use netcat
or something similar) using apt install knock
or brew install knock
(for Linux and Mac OS X respectively, a Windows client is also available).
knock your.ip.address.here 6001 6003 6007
ssh your.ip.address.here
And then you should be connected to your server. When you've finished with it, you can exit your SSH connection and knock in revers order to close it again:
knock your.ip.address.here 6007 6003 6001