I’ve suggested them some points as per described below for ensuring secure access to servers. They have 5-6 Linux servers. This is obviously may not be the best way and I’m as always appreciate if you can give your suggestion in comments. My approach is that from 6 servers, we will be able to login only in 2 servers from remote through key based access and from these 2 server, we can access remaining. Here’s what we did:

1. Disable root access
Completely disable root login access from remote. Period. Open /etc/ssh/sshd_config and add/remove comment from this line:

# vi /etc/ssh/sshd_config

PermitRootLogin no

2. Login only through non-root user
Create non-root user and create public/private key pair for it:

$ adduser loginu

login to ‘loginu’ user created above, or if you are in root, just su:

# su loginu
$ ssh-keygen -t dsa

Enter details while generating keys, enter good passphares and always remember it. Now you can go ahead and disable password based access completely so user can only login by using keys but this may be too restrictive or problematic for them if they forget passphares etc. if you want to go ahead, make sure these statements are there in /etc/ssh/sshd_config file:

$ exit
# vi /etc/ssh/sshd_config

PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

copy the key you created earlier (there should be two files in ~loginu/.ssh/ directory: id_dsa, id_dsa.pub. so copy id_dsa) to your pc so from next time you can use this key to login into the server.

Just make sure you are able to login through ‘loginu’ user before applying these ssh settings. Jump to terminal in your pc and try to login with key:

$ ssh -i id_dsa loginu@your.server.ip

It will ask for passpahres and after supplying it you should be able to login into the server. Please make note that this is very confidential key and store it in good place/directory. Alternatively you can also generate keys in your own pc and store them at server to facilitate login. But if you want flexibility to have only one key (like carry it in your usb stick) and be able to login with it, I found this approach good to use server keys instead of pc keys.

3. (Optional) Restrict login by IPs
Now come back in server. You can further strengthen security by allowing only select IPs to log in:

# vi /etc/ssh/sshd_config

AllowUsers loginu@aa.aa.aa.aa loginu@bb.bb.bb.bb loginu@cc.cc.cc.cc

Here replace aa/bb/cc with actual IP addresses from where you want to allow access.

Going ahead, optionally, You can also change port for ssh from default 22 to other by using this guide but as I think we are only allowing access through keys and from select remote places only, this you may skip.

Reload sshd daemon to apply settings which you have set in /etc/ssh/sshd_config by:

# service sshd reload

Without closing current login session, try to login again from other terminal to check you are able to login into the server.

4. Secure other servers
As mentioned earlier, I preferred to treat first 2 server as ‘login’ server in which we can login from anywhere using user ‘loginu’ with key and then can login to other servers. So effectively other servers would not allow direct access from remote. Jump to server 3-6 and set following:

# vi /etc/ssh/sshd_config

AllowUsers loginu@aa.aa.aa.aa root@aa.aa.aa.aa loginu@bb.bb.bb. root@bb.bb.bb.bb

here aa.aa/bb.bb indicates IP address of server #1 and #2 (login servers). So in this (#3) server we can login from those server(s) only. After making changes, reload ssh daemon to apply settings in all of these servers:

# service sshd reload

5. Other services
I suggested to disable every service that we don’t need in servers. That’s the best approach to secure them . These servers has role of web servers and rsync process is there to sync files. In that case, created another non-root user:

# adduser rsyncuser

generate keys (you can generate passphares less keys) for this user as well. Create same user in all other servers and put first server’s (from where rsync initiate) keys in them. Dont allow this user to login from remote but only from server where rsync initiate. I’ve documented rsync process here, if you want to go ahead and configure it. Similarly, if you need services like FTP then allow this only from selected IP address (by configuring /etc/hosts.allow) or firewall etc.

6. Configure DenyHosts
To further prevent attacks and block any IP address from which several failed login attempt originated, you should configure DenyHosts script ( I have documented howto on DenyHosts here) or equivalent.

Other Most Read Articles:
* Top 5 Linux commands for Administrators.
* Install and configure Munin/Monitor for monitoring.
* Change time zone in your Linux machine quickly.
* Detect directory changes in Linux.
* Script to backup essential log files.

Here I’ll illustrate it using an example. Suppose you have installed and configured Jabber Instant Messaging Server (check out to do that on this site here). You found later that in the Server machine, there’s no GUI available and you need to access its graphical web admin interface. In this case, you can easily forward port from Server machine to your own PC to access the admin interface. You might know that ejabberd (Jabber Server) web admin interface is available on port 5280.

Just for checking, try once to telnet to port 5280 on locahost:

[root@Desktop]# telnet localhost 5280
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused

The connection was refused as there’s no service to entertain the request on specified port.

Let’s do the forwarding now. The syntax is: ssh -L localport:remotehost:remoteport remotehostip

Here is the example:

[root@Desktop]# ssh -L 5280:localhost:5280 192.168.0.38
Password: ******

It should come to remote server shell, leave it as is.

You will be logged in Server and the specified port will be forwarded to your host. Sometimes, its uncomfortable to login in the Server while we just need to do only port forwarding, you can avoid logging in Server by using -N option with ssh command.

Just jump to another another shell and try to telnet localhost now:

[root@Desktop]# telnet localhost 5280
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.

Cool. you are able to connect. Open your browser and type: http://localhost:5280/admin/ to open the web admin interface of ejabberd IM Server.

You may also like to read:
* 5 steps to secure your Linux Server
* Ensuring secure access to production Linux Servers
* Bash script to backup essential log files in Linux
* Quickly change your ssh port from defualt 22 to something higher
* SSH port forwarding from remote to local machine
* Save root or user history to check later
* Install and configure denyhost to prevent brute force attacks