After working with Linux servers for a while, I have a few small tips that can help make your server more secure.
Change the SSH port
If you have worked with servers, you probably already know the term SSH.
SSH, also known as Secure Shell, is a remote control protocol that allows users to control and edit servers remotely over the Internet… (here I introduce only the basic definition).
By default, SSH uses port 22/tcp for user access. Because this is the default, everyone knows it, so to increase security we should change it.
I will guide you through changing the SSH port.
1. Access your server as the root user (ssh root@server_ip)
2. Open the file /etc/ssh/sshd_config, find the line Port 22 and change it to the desired port (I like 6969)
```
...
# What ports, IPs and protocols we listen for
Port 6969
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
...
```
3. Restart SSH
For CentOS and Fedora, use this command:
```
service sshd restart
```
And for Debian and Ubuntu, use this command:
```
service ssh restart
```
4. Use the firewall to open the port
For Ubuntu, use this command to open the port:
```
sudo ufw allow 6969/tcp
```
Do not log in with the root user
The root user is always a sensitive issue in security: it is the user with the highest authority, so it is very dangerous if exposed. To solve this, you should log in as a different user and then use the command sudo -i to switch to the root user.
Note that when configuring Linux server security with SSH, leave the root user's password in place first. Rest assured that if you have an SSH key and do not allow login via password, you can still use it when switching users.
The first step is to create a new user:
```
useradd deploy
```
Next, set a password:
```
passwd deploy
```
Next, configure SSH to disallow login for the root user. Open the file /etc/ssh/sshd_config and navigate to the line
```
#PermitRootLogin yes
```
Then change it to
```
PermitRootLogin no
```
And finally, add the setting that allows only the deploy user to log in over SSH:
```
AllowUsers deploy
```
From now on, you can log into SSH using the deploy user. If you want to work as the root user, you must type sudo -i and enter the root user password to be able to switch to the root user.
Restrict IP login to SSH
Do not apply this if you use a dynamic IP address. This is the third way to configure security for a Linux server with SSH. If you are using a static IP address, it is a great defence against unauthorized logins. Just enter the following at the end of /etc/ssh/sshd_config:
```
# Use in place of the earlier "AllowUsers deploy" line; the address is the client's static IP
AllowUsers deploy@143.198.80.56
```
Thus, only the IPs allowed above can access the server via SSH.
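The check below is an added example, not part of the original post: a small shell script that reads an sshd_config and reports whether the changes made above (a non-default Port, PermitRootLogin no, an AllowUsers line) are actually in effect. The function names are hypothetical, the sample configuration is constructed, and it assumes only global "Keyword value" lines matter (no Include files or Match blocks).

```sh
#!/bin/sh
# Added example: audit an sshd_config for the settings changed on this page.
# Assumption: only global "Keyword value" lines are read; Include files and
# Match blocks are not evaluated (as root, `sshd -T` prints the full result).

# Print every active value of keyword $2 in file $1, one per line.
sshd_values() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        tolower($1) == "match" { exit }        # stop at the first Match block
        tolower($1) == tolower(key) {          # keywords are case-insensitive
            $1 = ""; sub(/^ +/, ""); print
        }' "$1"
}

# Print findings for file $1; return 0 if there are none, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    findings=0

    ports=$(sshd_values "$cfg" Port)
    # With no Port line sshd listens on the default port 22.
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
        echo "FINDING: sshd still listens on the default port 22"
        findings=$((findings + 1))
    fi

    # sshd uses the first PermitRootLogin value it reads; later lines are ignored.
    root=$(sshd_values "$cfg" PermitRootLogin | head -n 1)
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${root:-unset}', expected 'no'"
        findings=$((findings + 1))
    fi

    if [ -z "$(sshd_values "$cfg" AllowUsers)" ]; then
        echo "FINDING: no AllowUsers line, logins are not limited to named users"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample: "PermitRootLogin no" was added, but an earlier line wins.
sample=$(mktemp)
printf '%s\n' 'Port 6969' 'PermitRootLogin yes' 'PermitRootLogin no' \
    'AllowUsers deploy' > "$sample"
audit_sshd_config "$sample" || echo "Fix the findings before restarting sshd."
rm -f "$sample"
```

Point audit_sshd_config at /etc/ssh/sshd_config and validate the syntax with sshd -t before restarting the service. Keep the current session open until a new login on the new port succeeds.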
These are a few ways to secure your server. I wish you success!