Have you secured your Linux box today? That is an essential question in today’s digital world. Threats are everywhere, but a lot of them come from low-hanging fruit. Security is not a switch you flip to become instantly secure, which is why this is going to be a multi-part series. Since we’re dealing with security, I have an important disclaimer: at the end of the day, security is your responsibility. Let’s go!
The obvious
I shouldn’t have to say this, but it bears repeating: use strong passwords on your systems, especially for your root account! CentOS will tell you during installation if your password is a bad idea and make you press “Done” twice to acknowledge that it is a terrible idea to use that password. Ideally, your password should be 12 random characters, including symbols and numbers. A good password is B9mk#ENuMk^cCk (don’t use this one!). It is 14 characters long, mixes upper-case and lower-case letters, numbers and special characters, and was randomly generated. How do you remember passwords like this? With a password manager such as Bitwarden. A password-protected Excel spreadsheet is not a password manager; neither is a notebook in your desk drawer!
Securing SSH
SSH (or ‘secure shell’) is a primary administration tool. It listens on port 22, and most Linux distros enable it by default so that you can start your SSH client and connect to your system immediately. It’s also a popular attack vector. For example, I opened SSH on one of my Linux servers for a few days. When I logged in, I received the following message:
There were 14138 failed login attempts since the last successful login.
That’s because it’s not hard to scan IP ranges and check whether port 22 responds. If it does, an attacker can start firing usernames and passwords at it until one works. This is why it’s crucial that your root password and your users’ passwords are strong, and why you should avoid common usernames if you can help it.
Changing SSH port
This is “security through obscurity,” and it is by no means fool-proof. Instead of having SSH listen on port 22, we tell it to listen on a different port number. To do this, open the SSH daemon configuration:
nano /etc/ssh/sshd_config
Now find the line that says “Port 22” and uncomment it (remove the leading #). Also note the comment above it regarding SELinux: by default, SELinux is enabled on CentOS, so we will need to run the semanage command that comment mentions as well.
I’m going to change my SSH port to 7654, so the line now reads Port 7654.
Now press CTRL+X to exit and Y to save. Remember, we need to tell SELinux about the new port. Run the following:
semanage port -a -t ssh_port_t -p tcp 7654
And we also have to update our firewall. To do this, copy the ssh service XML and create a custom file:
cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh-custom.xml
Then change the port line in /etc/firewalld/services/ssh-custom.xml so the port is the same as in the ssh config file:
<port protocol="tcp" port="7654"/>
Lastly, remove the ssh service, add the ssh-custom service, and reload firewalld for the change to take effect:
$ firewall-cmd --permanent --remove-service='ssh'
$ firewall-cmd --permanent --add-service='ssh-custom'
$ firewall-cmd --reload
Now we have to restart the SSH daemon, because it is still listening on port 22. Your current session may stay connected. Disconnect and then try to connect over port 22; the connection should be refused. Now try connecting to your alternate port, and it should connect.
As you can see, I am now connecting over port 7654.
Disable root logins
Root does not need to log in over SSH. Only regular users should log in, and then switch to root when they need it.
Edit the SSHD config file:
nano /etc/ssh/sshd_config
Find the following line (on a default install it is commented out with a leading #, so remove the # as well):
PermitRootLogin yes
Change ‘yes’ to ‘no’ and then restart sshd. Disconnect and now try to log in as root. You should get an error that password authentication has failed.
Now you have to log in as a regular user and then either switch to root or run commands with sudo.
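As an added example (not from the original post), here is a POSIX shell audit of an sshd_config file for the two settings changed in the port and root-login sections above. It assumes the file uses the plain “keyword value” form, and it relies on the fact that sshd honours the first uncommented occurrence of a keyword in the global section, so a “PermitRootLogin no” added below an existing “PermitRootLogin yes” changes nothing.

```sh
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config file for
# the settings changed above. sshd takes the FIRST uncommented occurrence of a
# keyword, and the global section ends at the first Match block.

# Print the effective global value of KEYWORD in FILE (nothing if it is unset).
effective_sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2        { next }            # comments and blank lines
        tolower($1) == "match"      { exit }            # global section ends here
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Return 0 if FILE moves SSH off port 22 and denies root login, 1 otherwise.
audit_sshd_config() {
    port=$(effective_sshd_value "$1" Port)
    root=$(effective_sshd_value "$1" PermitRootLogin)
    status=0
    case "$port" in
        ""|22) echo "WARN: sshd still listens on port 22"; status=1 ;;
        *)     echo "OK:   sshd listens on port $port" ;;
    esac
    case "$root" in
        no) echo "OK:   PermitRootLogin no" ;;
        *)  echo "WARN: PermitRootLogin is '${root:-unset}', expected 'no'"; status=1 ;;
    esac
    return $status
}

# Constructed sample config: the second PermitRootLogin line is ignored because
# the first one wins, and the one inside Match only applies to that user.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
Port 7654
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF

if audit_sshd_config "$SAMPLE_CFG"; then
    echo "PASS: $SAMPLE_CFG matches the hardening steps above"
else
    echo "FAIL: fix $SAMPLE_CFG and re-run"
fi
```

Run it against /etc/ssh/sshd_config after editing; the sample above deliberately fails the root-login check to show the first-match pitfall.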