Ensuring secure access to Production Linux Servers

by jagbir on August 22, 2010

I was amazed to hear from my friend that one of their servers got hacked, and the reason may be that their part-time admin set the root password to ‘admin’. Wow!! Can’t believe it! They don’t have the right to cry about security attacks when they themselves leave their door open :P

I suggested to them the points described below for ensuring secure access to their servers. They have 5-6 Linux servers. This obviously may not be the best way, and as always I appreciate it if you can give your suggestions in the comments. My approach is that, of the 6 servers, we will be able to log in remotely to only 2 of them, through key-based access, and from these 2 servers we can access the remaining ones. Here’s what we did:

1. Disable root access
Completely disable root login from remote. Period. Open /etc/ssh/sshd_config and add this line, or uncomment it and set it to no:

# vi /etc/ssh/sshd_config
PermitRootLogin no

2. Login only through non-root user
Create a non-root user and a public/private key pair for it:

# adduser loginu

Log in as the ‘loginu’ user created above, or if you are root, just su:

# su loginu
$ ssh-keygen -t dsa

Enter the details while generating the keys, choose a good passphrase and always remember it. Now you can go ahead and disable password-based access completely, so the user can only log in using keys, but this may be too restrictive or problematic for them if they forget the passphrase etc. If you want to go ahead, make sure these statements are in the /etc/ssh/sshd_config file:

$ exit
# vi /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

Copy the key you created earlier to your PC (there should be two files in the ~loginu/.ssh/ directory: id_dsa and id_dsa.pub; copy id_dsa, the private key) so that from next time you can use this key to log in to the server. The public half, id_dsa.pub, has to be in ~loginu/.ssh/authorized_keys (the file named by AuthorizedKeysFile above) for the server to accept the key.

Just make sure you are able to log in as the ‘loginu’ user before applying these ssh settings. Jump to a terminal on your PC and try to log in with the key:

$ ssh -i id_dsa loginu@your.server.ip

It will ask for the passphrase, and after supplying it you should be able to log in to the server. Please note that this is a very confidential key, so store it in a safe place/directory. Alternatively, you can also generate the keys on your own PC and store the public key on the server to facilitate login. But if you want the flexibility of having only one key (e.g. carrying it on your USB stick) and being able to log in with it from anywhere, I found this approach of using server-generated keys instead of PC keys good to use.

3. (Optional) Restrict login by IPs
Now come back to the server. You can further strengthen security by allowing only select IPs to log in:

# vi /etc/ssh/sshd_config
AllowUsers loginu@aa.aa.aa.aa loginu@bb.bb.bb.bb loginu@cc.cc.cc.cc

Here replace aa/bb/cc with the actual IP addresses from which you want to allow access.

Going ahead, you can optionally change the ssh port from the default 22 to another one using this guide, but since we are only allowing access through keys and from select remote places, I think you may skip this.

Reload the sshd daemon to apply the settings you have set in /etc/ssh/sshd_config:

# service sshd reload

Without closing the current login session, try to log in again from another terminal to check that you are still able to log in to the server.

4. Secure other servers
As mentioned earlier, I preferred to treat the first 2 servers as ‘login’ servers, into which we can log in from anywhere as user ‘loginu’ with the key, and from which we can then log in to the other servers. So effectively the other servers will not allow direct access from remote. Jump to servers 3-6 and set the following:

# vi /etc/ssh/sshd_config
AllowUsers loginu@aa.aa.aa.aa root@aa.aa.aa.aa loginu@bb.bb.bb.bb root@bb.bb.bb.bb

Here aa.aa/bb.bb indicate the IP addresses of servers #1 and #2 (the login servers). So this server (#3) can be logged into from those servers only. After making the changes, reload the ssh daemon to apply the settings on all of these servers:

# service sshd reload
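Before reloading, it is worth checking that the directives from steps 1-4 are actually the ones sshd will use. The following is an added example (not from the original post): a small shell audit of a saved copy of sshd_config that reports the effective value of each directive, including the trap where a distro default higher in the file silently wins over a line appended at the bottom; the sample config, the FILE argument and the "Keyword value" spelling it assumes are constructed for the example.

```shell
# Added example (not from the original post): audit a copy of sshd_config for the
# directives set in steps 1-4. sshd honours the FIRST uncommented occurrence of each
# keyword, so a line appended at the bottom is ignored when a default higher up already
# sets it. Assumes the "Keyword value" spelling used in the post; the scan stops at the
# first Match line because everything after it is conditional.
# effective_value FILE KEYWORD : print the value sshd would use for KEYWORD
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
        tolower($1) == "match" { exit }                 # end of the global section
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}
# audit_sshd_config FILE : one finding per line; returns 0 only if every check passes
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    allow=$(effective_value "$1" AllowUsers)
    if [ -z "$allow" ]; then
        echo "WARN  AllowUsers unset: any account holding a key may log in"; rc=1
    else
        echo "OK    AllowUsers $allow"
        # root@host entries can never match while PermitRootLogin is no
        case " $allow " in *" root@"*)
            [ "$(effective_value "$1" PermitRootLogin)" = no ] &&
                echo "NOTE  root@ entries in AllowUsers are dead while PermitRootLogin is no";;
        esac
    fi
    return $rc
}
# Constructed sample config: hardening lines appended below a leftover default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers loginu@aa.aa.aa.aa loginu@bb.bb.bb.bb
PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "=> fix the first PermitRootLogin line, not the last one"
rm -f "$sample"
```

On the server itself, `sshd -T` prints the effective configuration after all parsing, which is the authoritative answer the audit above approximates.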

5. Other services
I suggested disabling every service that we don’t need on the servers. That’s the best approach to securing them :P. These servers have the role of web servers, and an rsync process is there to sync files. For that, we created another non-root user:

# adduser rsyncuser

Generate keys (you can generate passphrase-less keys) for this user as well. Create the same user on all other servers and put the first server’s public key (the server from where rsync initiates) in them. Don’t allow this user to log in from remote, but only from the server where rsync initiates. I’ve documented the rsync process here, if you want to go ahead and configure it. Similarly, if you need services like FTP, allow them only from selected IP addresses (by configuring /etc/hosts.allow) or via a firewall etc.

6. Configure DenyHosts
To further prevent attacks and block any IP address from which several failed login attempts originated, you should configure the DenyHosts script (I have documented a howto on DenyHosts here) or an equivalent.

  • Ned Tatman (http://www.merchantcircle.com/business/Kids.R.Our.Future.480-632-2353): interesting site.

    • jagbir (http://www.jagbir.info): thanks Ned :)
