I’ve suggested them some points as per described below for ensuring secure access to servers. They have 5-6 Linux servers. This is obviously may not be the best way and I’m as always appreciate if you can give your suggestion in comments. My approach is that from 6 servers, we will be able to login only in 2 servers from remote through key based access and from these 2 server, we can access remaining. Here’s what we did:

1. Disable root access
Completely disable root login access from remote. Period. Open /etc/ssh/sshd_config and add/remove comment from this line:

# vi /etc/ssh/sshd_config

PermitRootLogin no

2. Login only through non-root user
Create non-root user and create public/private key pair for it:

$ adduser loginu

login to ‘loginu’ user created above, or if you are in root, just su:

# su loginu
$ ssh-keygen -t dsa

Enter details while generating keys, enter good passphares and always remember it. Now you can go ahead and disable password based access completely so user can only login by using keys but this may be too restrictive or problematic for them if they forget passphares etc. if you want to go ahead, make sure these statements are there in /etc/ssh/sshd_config file:

$ exit
# vi /etc/ssh/sshd_config

PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

copy the key you created earlier (there should be two files in ~loginu/.ssh/ directory: id_dsa, id_dsa.pub. so copy id_dsa) to your pc so from next time you can use this key to login into the server.

Just make sure you are able to login through ‘loginu’ user before applying these ssh settings. Jump to terminal in your pc and try to login with key:

$ ssh -i id_dsa loginu@your.server.ip

It will ask for passpahres and after supplying it you should be able to login into the server. Please make note that this is very confidential key and store it in good place/directory. Alternatively you can also generate keys in your own pc and store them at server to facilitate login. But if you want flexibility to have only one key (like carry it in your usb stick) and be able to login with it, I found this approach good to use server keys instead of pc keys.

3. (Optional) Restrict login by IPs
Now come back in server. You can further strengthen security by allowing only select IPs to log in:

# vi /etc/ssh/sshd_config

AllowUsers loginu@aa.aa.aa.aa loginu@bb.bb.bb.bb loginu@cc.cc.cc.cc

Here replace aa/bb/cc with actual IP addresses from where you want to allow access.

Going ahead, optionally, You can also change port for ssh from default 22 to other by using this guide but as I think we are only allowing access through keys and from select remote places only, this you may skip.

Reload sshd daemon to apply settings which you have set in /etc/ssh/sshd_config by:

# service sshd reload

Without closing current login session, try to login again from other terminal to check you are able to login into the server.

4. Secure other servers
As mentioned earlier, I preferred to treat first 2 server as ‘login’ server in which we can login from anywhere using user ‘loginu’ with key and then can login to other servers. So effectively other servers would not allow direct access from remote. Jump to server 3-6 and set following:

# vi /etc/ssh/sshd_config

AllowUsers loginu@aa.aa.aa.aa root@aa.aa.aa.aa loginu@bb.bb.bb. root@bb.bb.bb.bb

here aa.aa/bb.bb indicates IP address of server #1 and #2 (login servers). So in this (#3) server we can login from those server(s) only. After making changes, reload ssh daemon to apply settings in all of these servers:

# service sshd reload

5. Other services
I suggested to disable every service that we don’t need in servers. That’s the best approach to secure them . These servers has role of web servers and rsync process is there to sync files. In that case, created another non-root user:

# adduser rsyncuser

generate keys (you can generate passphares less keys) for this user as well. Create same user in all other servers and put first server’s (from where rsync initiate) keys in them. Dont allow this user to login from remote but only from server where rsync initiate. I’ve documented rsync process here, if you want to go ahead and configure it. Similarly, if you need services like FTP then allow this only from selected IP address (by configuring /etc/hosts.allow) or firewall etc.

6. Configure DenyHosts
To further prevent attacks and block any IP address from which several failed login attempt originated, you should configure DenyHosts script ( I have documented howto on DenyHosts here) or equivalent.

Other Most Read Articles:
* Top 5 Linux commands for Administrators.
* Install and configure Munin/Monitor for monitoring.
* Change time zone in your Linux machine quickly.
* Detect directory changes in Linux.
* Script to backup essential log files.

To save the activity/history of any user (including root), you need to open the user’s .bash_profile from his home directory.

Here, for instance, I would like to record all commands in a file when a user login as root or su to root. History will be stored in a file with name as DateTimeIPAddress from where user came.

Step 1. Go to root’s home:

$ cd ~

Step 2. You can make a hidden directory so that all history files will be stored there:

$ mkdir .rhistdata

Step 3. Open .bash_profile and write down following commands:

$ vi .bash_profile
# save root history
export HISTSIZE=3000
export HISTFILESIZE=5000
export HISTFILE=/root/.rhistdata/.bash_hist-$(who am i | awk '{print $3.$4.$5.$6}';exit)

Save and close the file.

It’s simple. You can try to login again as root, do something and logout. Login again and check that there’s file having all commands you performed.

* 5 steps to secure your Linux Server
* Ensuring secure access to production Linux Servers
* Bash script to backup essential log files in Linux
* Quickly change your ssh port from defualt 22 to something higher
* SSH port forwarding from remote to local machine
* Install and configure denyhost to prevent brute force attacks

Here are steps to install and configure DenyHosts for your server. These steps are applicable for Red Hat based distros (ie RHEL, CentOS, Fedora) and needs minor changes for other distros. You can copy paste the commands.

Step 1. Detect which version of Python is installed on your server:

# python -V

Step 2. You will see python version 2.3.x (for CentOS 4.x) or 2.4.x (,CentOS 5.x, Fedora etc). Download the relevant rpm from sourceforge or source tarball, I have download it by using this direct link.

Step 3. Install the rpm:

# rpm -ivh DenyHosts-2.6-python2.3.noarch.rpm

or compile and install from tarball, you have it:

# tar xzf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6 
# python setup.py install

Step 4. make a copy of default configuration file:

# cd /usr/share/denyhosts/
# cp denyhosts.cfg-dist denyhosts.cfg

Step 5. Edit the configuration file to suit your needs:

# vi denyhosts.cfg

Step 6. You can run DenyHosts by cron or as Daemon. preferred way is to run it as daemon. To run it as daemon, make a copy of its default daemon script

# cp daemon-control-dist daemon-control

Step 7. Set proper permissions for daemon script:

# chown root daemon-control
# chmod 700 daemon-control

Step 8. Start it:

# ./daemon-control start

Step 9. Make it run on startup:

# cd /etc/init.d
# ln -s /usr/share/denyhosts/daemon-control denyhosts
# chkconfig -–add denyhosts

Step 10. You can view its log and also view the hosts.deny file to find out how many hosts are denied:

# tail /var/log/denyhosts
# cat /etc/hosts.deny

One other way to prevent such attacks is to use tcpwrappers and allow services (ssh) from specific IP Addresses only.

More related and helpful articles:
* 5 steps to secure your Linux Server
* Ensuring secure access to production Linux Servers
* Bash script to backup essential log files in Linux
* Quickly change your ssh port from defualt 22 to something higher
* SSH port forwarding from remote to local machine
* Save root or user history to check later