When it comes to managing a server, SSH is usually the first tool we reach for. It is also the first thing an attacker checks, because in most cases SSH is the only way into the server from the outside.
In this post I'm going to show you how I locked down SSH on my AlmaLinux 9 server.
By default SSH is already quite secure, but not secure enough for a server exposed to the whole internet: anyone can hammer it with password guesses until one works. To prevent that we're going to tune the SSH config and move the daemon off port 22, put endlessh on port 22 to trap the bots, and, in case someone finds the real port anyway, install fail2ban to shut down brute-force attempts.
Before continuing: always back up your configuration and anything else important, because what works for me may not work for you. Read every command before you run it and make sure you understand what it does.
Tuning config
Tuning the default SSH config means changing the port sshd listens on, disabling X11, TCP, agent and tunnel forwarding, refusing root and empty-password logins, capping authentication attempts per connection, and dropping dead sessions.
Before making any changes, back up your sshd_config file, just in case.
sudo cp --archive /etc/ssh/sshd_config /etc/ssh/sshd_config-COPY-$(date +"%Y%m%d%H%M%S")
Then strip the comment and blank lines so only the active directives remain (the backup keeps the commented defaults for reference).
sudo sed -i -r -e '/^#|^$/ d' /etc/ssh/sshd_config
Now add these lines to your sshd_config file.
# /etc/ssh/sshd_config
Port 2022 # Move sshd from port 22 to 2022 (the port the rest of this post uses).
Protocol 2 # SSH protocol 1 was removed from OpenSSH in 7.4, so on AlmaLinux 9 this line only documents intent.
AllowTcpForwarding no # Disable TCP port forwarding.
AllowStreamLocalForwarding no # Disable Unix-domain socket forwarding.
GatewayPorts no # Never bind remote forwards to non-loopback addresses.
PermitTunnel no # Disallow tun(4) device forwarding (VPN-style tunnels).
PermitEmptyPasswords no # Reject login attempts with an empty password.
TCPKeepAlive no # Rely on the ClientAlive* probes below (inside the encrypted channel) instead of spoofable TCP keepalives.
AllowAgentForwarding no # Disable ssh-agent forwarding.
PermitRootLogin no # Root must log in as a normal user and escalate.
ClientAliveInterval 300 # Probe an idle client every 300 s; without this (default 0) ClientAliveCountMax has no effect.
ClientAliveCountMax 3 # Disconnect after 3 unanswered probes, i.e. 15 minutes of silence.
MaxAuthTries 2 # Allow at most 2 authentication attempts per connection.
X11Forwarding no # Disable X11 forwarding.
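The directives above, applied as a script rather than by hand, as an added example (not code from the original post): set_sshd_option rewrites or inserts one directive idempotently, harden_sshd applies the whole list, and get_sshd_option reads the effective value back. The sample config it runs on is constructed to look like the AlmaLinux 9 default; the path /etc/ssh/sshd_config, port 2022 and the open_new_port steps are for the live host and are not exercised offline.

```shell
#!/bin/sh
# Added example, not the original post's code: apply the hardening directives
# to an sshd_config idempotently and read them back. It edits whatever file
# you pass, so try it on a copy first; the live file on AlmaLinux 9 is
# /etc/ssh/sshd_config. Needs only POSIX sh, awk and grep.

# set_sshd_option FILE KEY VALUE
# Rewrites the first global "KEY ..." or "#KEY ..." line to "KEY VALUE" and
# drops later global duplicates, because sshd keeps the FIRST value it reads
# and a forgotten duplicate further down would otherwise win. If the key is
# absent it is inserted before the first "Match" block (so it stays global;
# lines inside Match blocks are left untouched) or appended at the end.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key) }                 # sshd keywords are case-insensitive
        tolower($1) == "match" {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && (tolower($1) == lkey || tolower($1) == ("#" lkey)) {
            if (!done) { print key " " value; done = 1 }
            next                                      # drop the old or duplicate line
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_sshd_option FILE KEY: print the effective global value ("" if unset).
get_sshd_option() {
    awk -v lkey="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == lkey { print $2; exit }
    ' "$1"
}

# harden_sshd FILE: the post's directive list with port 2022. ClientAliveInterval
# is included because with its default of 0 sshd never sends keepalives and
# ClientAliveCountMax alone changes nothing.
harden_sshd() {
    f=$1
    set_sshd_option "$f" Port 2022
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" MaxAuthTries 2
    set_sshd_option "$f" AllowTcpForwarding no
    set_sshd_option "$f" AllowStreamLocalForwarding no
    set_sshd_option "$f" GatewayPorts no
    set_sshd_option "$f" PermitTunnel no
    set_sshd_option "$f" AllowAgentForwarding no
    set_sshd_option "$f" X11Forwarding no
    set_sshd_option "$f" TCPKeepAlive no
    set_sshd_option "$f" ClientAliveInterval 300
    set_sshd_option "$f" ClientAliveCountMax 3
}

# sample_sshd_config: writes a constructed file shaped like the AlmaLinux 9
# default (Include first, commented defaults, a duplicate, a Match block)
# and prints its path. Constructed for the demo, not a real dump.
sample_sshd_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
X11Forwarding yes
MaxAuthTries 6
MaxAuthTries 6
Match User deploy
    X11Forwarding yes
EOF
    printf '%s\n' "$tmp"
}

# open_new_port: host-side steps AlmaLinux 9 needs before sshd is restarted,
# otherwise SELinux stops sshd binding 2022 or firewalld drops the port and
# you lock yourself out. Not run by the offline demo below.
open_new_port() {
    sudo sshd -t || return 1                           # syntax-check the live config first
    sudo semanage port -a -t ssh_port_t -p tcp 2022    # SELinux; use -m if 2022 is already mapped
    sudo firewall-cmd --permanent --add-port=2022/tcp
    sudo firewall-cmd --reload
    sudo systemctl restart sshd
}

# Offline demo on the constructed sample
cfg=$(sample_sshd_config)
harden_sshd "$cfg"
cat "$cfg"
rm -f "$cfg"
```

Running it twice on the same file produces the same result, so it is safe to re-run after package updates. The Match handling matters on AlmaLinux 9 for one directive in particular: the Include line at the top pulls in /etc/ssh/sshd_config.d/*.conf before the rest of the file, sshd keeps the first value it sees, and the shipped 50-redhat.conf sets X11Forwarding yes, so to turn X11 off pass a drop-in that sorts earlier (for example /etc/ssh/sshd_config.d/10-hardening.conf) to harden_sshd instead of the main file, then confirm with sudo sshd -T.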
That's it for the sshd config. Before restarting sshd, run sudo sshd -t to check the syntax, and on AlmaLinux 9 allow the new port in SELinux (sudo semanage port -a -t ssh_port_t -p tcp 2022) and in firewalld (sudo firewall-cmd --permanent --add-port=2022/tcp && sudo firewall-cmd --reload); then sudo systemctl restart sshd, keep your current session open and confirm from a second terminal that ssh -p 2022 still works. One AlmaLinux-specific catch: the Include line at the top of sshd_config pulls in /etc/ssh/sshd_config.d/*.conf before the rest of the file, sshd keeps the first value it sees for each keyword, and the shipped 50-redhat.conf sets X11Forwarding yes, so that directive only takes effect from a drop-in that sorts earlier (for example /etc/ssh/sshd_config.d/10-hardening.conf); sudo sshd -T prints the effective values. Even though this setup is good enough for a local network, it's not enough for a server facing the whole internet, which is why we're going to install endlessh.
Installing endlessh
Endlessh is an SSH tarpit: it looks like an SSH server, but instead of ever finishing the protocol banner it sends an endless stream of banner lines very slowly, so a client that connects just sits there waiting. Since our real sshd now listens on 2022, we want something on port 22: bots that only try the default port get stuck in the tarpit, and a port scanner like nmap still reports an SSH service on 22. Note that a full-range scan will still find 2022; the tarpit wastes the attacker's time, it does not make the real port invisible.
Endlessh doesn't ship compiled binaries, so we build it from source; it is a single C file and takes a few seconds.
First install the build dependencies.
sudo dnf install gcc make git
Then clone the GitHub repository and build and install it with the commands below.
git clone https://github.com/skeeto/endlessh.git
cd endlessh
make
sudo make install
Next, create the directory and config file that endlessh reads:
sudo mkdir -p /etc/endlessh
sudo vim /etc/endlessh/config
and add these two lines. Delay is in milliseconds: 10000 means one banner line every 10 seconds, which is what keeps the client waiting.
Port 22
Delay 10000
Now we need a systemd service for endlessh. The author of endlessh ships a unit file, and we'll use it with a couple of small changes.
Copy the provided .service file to the systemd directory.
sudo cp util/endlessh.service /etc/systemd/system
To let endlessh bind port 22 without running as root, grant the binary the CAP_NET_BIND_SERVICE capability and then adjust the unit file.
sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
After that, edit the service:
sudo vim /etc/systemd/system/endlessh.service
In this file comment out the two lines that start with PrivateUsers and InaccessiblePaths, and uncomment the line that starts with AmbientCapabilities.
After that, enable and start the service:
sudo systemctl enable --now endlessh.service
and we should be done. Try sshing to your server without -p 2022 and watch the client just hang: that means the tarpit is working.
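The unit-file edits above as a script, added here as an example (not the endlessh project's file or the original post's code), so they can be re-applied after a fresh make install overwrites the unit. The sample unit is a constructed excerpt in the upstream layout, keeping only the lines that matter; the paths in the comments are the ones the post uses.

```shell
#!/bin/sh
# Added example, not the endlessh project's file or the original post's code:
# the unit edits as an idempotent sed script. The sample unit below is
# constructed and keeps only the relevant lines.

# patch_endlessh_unit FILE: comment out PrivateUsers= and InaccessiblePaths=,
# uncomment AmbientCapabilities=CAP_NET_BIND_SERVICE (the capability that
# lets an unprivileged process bind a port below 1024, here port 22).
# Written via a temp file so it works with any sed, not only GNU sed -i.
patch_endlessh_unit() {
    sed -E \
        -e 's/^(PrivateUsers=)/#\1/' \
        -e 's/^(InaccessiblePaths=)/#\1/' \
        -e 's/^#+[[:space:]]*(AmbientCapabilities=CAP_NET_BIND_SERVICE)/\1/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_endlessh_unit FILE: succeed only if all three edits are in place.
check_endlessh_unit() {
    ! grep -qE '^(PrivateUsers|InaccessiblePaths)=' "$1" &&
    grep -q '^AmbientCapabilities=CAP_NET_BIND_SERVICE' "$1"
}

# sample_endlessh_unit: constructed excerpt in the layout of the upstream
# util/endlessh.service; prints the temp file path.
sample_endlessh_unit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[Service]
Type=simple
ExecStart=/usr/local/bin/endlessh
DynamicUser=yes
PrivateUsers=yes
InaccessiblePaths=/dev /home
NoNewPrivileges=yes
#AmbientCapabilities=CAP_NET_BIND_SERVICE
EOF
    printf '%s\n' "$tmp"
}

# Demo: patch the sample, then verify. On the host, follow with
#   sudo systemd-analyze verify /etc/systemd/system/endlessh.service
#   sudo systemctl daemon-reload
u=$(sample_endlessh_unit)
patch_endlessh_unit "$u"
check_endlessh_unit "$u" && echo "endlessh unit patched"
cat "$u"
rm -f "$u"
```

On the live file, run patch_endlessh_unit /etc/systemd/system/endlessh.service as root, then systemd-analyze verify and daemon-reload before enabling the service; the check function is what you want in a config-management test so a re-installed unit cannot silently revert the change.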
Installing Fail2Ban
Fail2Ban is the last nail in the coffin for anyone brute-forcing our hidden sshd. It watches sshd's log and, when the same address fails too many times, blocks that address at the firewall (for 10 minutes by default).
Unlike endlessh, fail2ban is a regular package and can be installed with the dnf package manager.
sudo dnf install fail2ban -y
If dnf fails to find the package, install epel-release first and try again.
After that, change into /etc/fail2ban, where fail2ban keeps its config files, and create our jail with the following content. Note that AlmaLinux 9 has no /var/log/auth.log: sshd logs to the journal (and to /var/log/secure via rsyslog), so the jail reads the journal with backend = systemd, which is also what the status output below reports. port must match the new sshd port so the firewall rule covers it, and ignoreip should also list any address you administer from.
sudo vim jail.local
[sshd]
enabled = true
port = 2022
filter = sshd
backend = systemd
maxretry = 3
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1
After that, restart the fail2ban service and verify the jail with the commands below.
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
You should get output like this:
sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 4
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 285.287.282.256
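What maxretry, findtime and ignoreip actually do is easier to see when the jail's logic is replayed over a few log lines. The following is an added example, not fail2ban's code or the original post's: ban_candidates reimplements the trailing-window count over sshd journal lines in the format journalctl -u sshd -o short-unix prints (unix timestamp first), and demo_journal is a constructed excerpt using documentation addresses. Only the "Failed password" line is matched; fail2ban's real sshd filter knows many more patterns.

```shell
#!/bin/sh
# Added example, not fail2ban's code or the original post's: the maxretry /
# findtime / ignoreip logic of the [sshd] jail, replayed over sshd journal
# lines in "journalctl -u sshd -o short-unix" format. Constructed input.

# ban_candidates MAXRETRY FINDTIME [IGNOREIP ...] < journal-lines
# Prints each IP once, at the moment it reaches MAXRETRY failures inside a
# trailing FINDTIME-second window. Lines are assumed chronological, as the
# journal delivers them.
ban_candidates() {
    maxretry=$1 findtime=$2; shift 2
    awk -v maxretry="$maxretry" -v findtime="$findtime" -v ignore="$*" '
        BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for/ {
            ts = $1 + 0
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || (ip in skip) || (ip in banned)) next
            count[ip]++
            seen[ip, count[ip]] = ts
            hits = 0                              # failures inside the window
            for (j = count[ip]; j >= 1 && ts - seen[ip, j] <= findtime; j--) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip }
        }
    '
}

# demo_journal: constructed sshd journal excerpt (RFC 5737 documentation
# addresses, not real traffic). 203.0.113.5 fails three times within one
# minute; 198.51.100.7 fails three times but 400 s apart; 127.0.0.1 fails
# three times in three seconds; 192.0.2.9 logs in successfully.
demo_journal() {
    cat <<'EOF'
1713436800.100000 alma sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
1713436830.100000 alma sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
1713436860.100000 alma sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
1713436900.100000 alma sshd[2004]: Failed password for deploy from 198.51.100.7 port 50001 ssh2
1713436905.100000 alma sshd[2005]: Accepted publickey for deploy from 192.0.2.9 port 60001 ssh2
1713436910.100000 alma sshd[2006]: Failed password for deploy from 127.0.0.1 port 60002 ssh2
1713436911.100000 alma sshd[2007]: Failed password for deploy from 127.0.0.1 port 60003 ssh2
1713436912.100000 alma sshd[2008]: Failed password for deploy from 127.0.0.1 port 60004 ssh2
1713437300.100000 alma sshd[2009]: Failed password for deploy from 198.51.100.7 port 50002 ssh2
1713437700.100000 alma sshd[2010]: Failed password for deploy from 198.51.100.7 port 50003 ssh2
EOF
}

# Demo with the jail's settings: maxretry 3, findtime 300, ignoreip 127.0.0.1.
# Only 203.0.113.5 is banned: 198.51.100.7 never has 3 failures within 300 s,
# and 127.0.0.1 is ignored.
demo_journal | ban_candidates 3 300 127.0.0.1
```

To replay real traffic, pipe sudo journalctl -u sshd -o short-unix --since -1h into ban_candidates with the same arguments; fail2ban's own tester for the same job is sudo fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd.conf. Widening findtime to 1000 in the demo also catches 198.51.100.7, and dropping the ignoreip argument bans 127.0.0.1, which is exactly why the jail lists it.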
Of course, while writing this tutorial I tried to brute-force my own server and got my IP blacklisted; I changed the address in the output above, I'm not going to leak my own IP, lol.
And that was it. I hope this helps you protect your server from attackers online. If you have any questions or suggestions you can always reply to this post via email or Mastodon. Thanks for reading!
18.04.2024 - 48/100