Ubuntu 14.04/Hardening SSH

Manage user accounts

Create a root account

(To deepen see also: Wiki, the command line part there is not outdated)

Reason: Who manages to enter the server with the user account, typically has spied out the user passwort. In such a scenario sudo offers no protection! For this reason here we create a fully-fledged root account with a separate password, and forbid sudo. Of course, this configuration requires discipline to use the root account absolutely only for administrative purposes, and to leave it as soon as possible.

Create a password for root and then type in the new password twice:

sudo passwd root

Unblock the root Account:

sudo passwd -u root

=> Console output "passwd: password expiry information changed", if the command was successful.

Last forbid sudo by ejecting root from the group "sudo", from now on with the regular root account:

deluser example sudo

In this tutorial example is meant as example for the user account name, which initially was used with sudo as login user. If no restricted login user exist on some special systems, create one with:

adduser example --ingroup users

Create an additional user account

For safety reasons, we run OpenSim with an own account, also only with limited user permissions. The advantage of this approach is that in the OpenSim account never a password must be typed in.

adduser maria --ingroup users

Test: Both users example und maria must be only in the group users now.
1) change the account with su <Account>
2) show the own groups with id -Gn

Supernumerary groups can be deleted with:

deluser <account> <group to delete>

Hardening SSH

(To deepen see also: Wiki)

Most scripted attacks point to standard ports and users. That is why we change SSH to an unusual port and allow only one specific user account (without root privileges).

Caution! Please prepare an up to date backup prior to these configuration steps. If you lock yourself out with a faulty SSH configuration, this is irrevocable!
Hint: Most server hosting companies however offer some means of web based configuration system where you can boot from a rescue system and mount your corrupted root file system to correct the settings. Check with your provider, if they offer similar support.

Caution! Permit the newly configured SSH port in your firewall or once again you will be locked out!

1) In /etc/ssh/sshd_config change the port to the desired value e.g. 12345.
=> After a successful connection test via the new port, close port 22 in the firewall.

Caution! Before proceeding to the next step, make sure an additional user (without root privileges) already exists or once again you will be locked out! If not done so far, create a new user as described in the previous chapter.

2) In /etc/ssh/sshd_config change the following 5 parameters:
=> Parameter LoginGraceTime to "120", meaning 2 minutes time for login attempts
=> Parameter PermitRootLogin to "no"
=> Parameter AllowUsers example to the newly configured user (without root privileges)
=> Parameter MaxAuthTries 3 to "3" login attempts
=> Parameter MaxSessions 1 to max. "1" simultaneous logged in user.

Remark: The parameters AllowUsers, MaxAuthTries and MaxSessions do not exist in the example file, so you must add them manually below of the two existing entries.

Tests:
=> Reboot the server and try if you can log in using your newly configured user account. If this fails, restore your backup...
=> Try to login as root.

Hints: It is still possible to use multiple shell windows. All logins of the same user from the same source machine count as one session. You can also change the current user account using su NewUser where "NewUser" must be a valid account on your system.



Continued: Time and language configuration