Welcome Guest.
Not a member yet? Why not sign up today and start posting on our forums.
How to Secure SSH Access on a Linux Server

While setting up the new server for the forum, I was looking into ways to make it harder for anyone trying to hack into the server when I came across these two articles on to harden SSH access (remote command line for Windows users)

How To Create SSH Keys With PuTTY to Connect to a VPS | DigitalOcean

How To Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04 | DigitalOcean

The first one isn't anything new, using key pairs to authenticate the user on the server.

The second one adds two more layers to authenticate the user on the server using SSH.

The first layer is using Google Authenticator to enter a one time password along with having the key pair. Once it is properly set up, the log in looks something like this

[Image: capture-png.1179]

The verification code being the one generated by Google Authenticator

The additional layer mentioned in the second article is forcing users to use two factor and disabling password authentication.

Someone who manage to get hold of my username and password and tried to gain SSH access to the server will see this error message

[Image: capture-png.1180]

Sorry your SOL [Image: clear.png] LOL

Word of Warning:

Using Google Authenticator to verify SSH logins does break logins from SFTP applications like Filezilla. So until they add the ability to enter the verification code when logging in, an administrator can temporarily disable Google Authenticator while using Filezilla and then re-enable it when done. Still protected by disallowing password authentication and forcing the person to use the key pair [Image: clear.png]

Although I have found out that WinSCP handles it fine if it is set up right.  Go to Settings for the Site, Advanced, Authentication under SSH and then make sure the following are set right

Make sure "Attempt 'keyboard-interactive' authentication" is checked and then uncheck "Respond with password to the first prompt".  Doing it this way when it reached the Google Authentication stage, WinSCP will ask you for the verification code and then you can log in Smile

Using Google Autheticator isn't really a good solution. 2FA is great and all, but isn't super practical in a lot of scenarios. I don't really feel like listing out every possible method you can use to secure ssh but here's a few pretty decent ones

A) No one should have your username and password. Setting up a specific account for ssh access and only giving it read permission is what you should do. Use sudo for any sort of editing purposes.
B) Setup fail2ban, takes like two seconds and prevents brute forcing attacks
C) Don't use 22 for SSH, helps stop automated attacks
D) utilize portknocking, even if someone has your keys they won't be able to get in -- fwknop is a pretty good implantation. You could even write your own implantation that will send you an sms if someone logs in with your keys without portknocking. That would have the added benefit of knowing your keys are compromised when the hacker attempts to use them.