Protect SSH

Before you deploy anything on the server, protect it from hacking. Site creation and database setup should all wait. The first thing to do after logging in to a new server is to protect its sore spot: the SSH port, which is open by default on all Linux servers and is one of the main targets of hackers, because they know that whoever owns SSH owns the world.



Change the password for SSH access.

Log in to the server as root using PuTTY and change the root password sent by the hosting company to one that suits us better. Several recommendations:

The passwd command, typed in the Linux console, lets you change a user's password.

[root@name-of-your-server ~]# passwd

In response to the passwd command the system prompts you to enter your new password (in our case the password for root).

Changing password for user root.
New password:

Password entry is blind, i.e. typed characters are not displayed. After you enter your new password and press Enter, the system asks you to type the new password again, to make sure that you really remember the password you created.

Retype new password:

If the new password you set is too easy or too short according to the system rules, then before the Retype new password prompt the system displays messages beginning with the phrase BAD PASSWORD.

BAD PASSWORD: is too simple
BAD PASSWORD: it is WAY too short
BAD PASSWORD: it is based on a dictionary word

This is nothing to worry about: the system is simply warning you that the password is weak, and you can always abort the operation in the Linux console by pressing CTRL+C.

When everything is done right, the system finishes with the message:

passwd: all authentication tokens updated successfully.

Important: if you forget the root password, only reinstalling the system will help you get it back!

If the two entries of the new password do not match, the operation ends without changing the password and a message appears:

Sorry, passwords do not match.

If you also need to change the password of a particular user on the server, add the user's name after the passwd command. You must have sufficient rights to change the target user's password; since we are working on the server as root, that is not a problem.

[root@name-of-your-server ~]# passwd username 

Again you need to enter a new password, confirm it by pressing Enter, and then type the new password once more and press Enter.

Some people give the foolish advice to keep all your passwords in your head. When you have a lot of passwords and PIN codes it is easy to get confused, and creating one universal password is the greatest folly. You can have one password for different sites where losing access is not critical to you, but the SSH password to the server must be unique. I recommend recording passwords somewhere outside a computer with Internet access.

Why do you need such a brain-straining password? First, large and constantly updated collections of hashes that have already been solved, in other words uncovered passwords, are published on the Internet. A hash is a value mathematically calculated from something in a special way. Of course, passwords on a Linux system are not kept as a bare hash, let alone in the clear: in the Linux operating system the password hash is encrypted and stored in the file /etc/shadow. Theoretically, someone could steal the /etc/shadow file and decipher it down to the hash value. And a hash does not need to be cracked if it has already been solved. Second, a modern server, or even worse a whole network of infected computers, called a botnet, is able to brute-force passwords that only yesterday seemed impossible to crack. Third, hacking by social engineering is even more popular than the rest, because this technique is available not only to hackers but also to "semi-hackers". They can, for example, hide behind a cute blonde's photo on dating sites or Facebook, where, perhaps without meaning to, you may brag about your server in a fit of flirting.
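What an /etc/shadow entry looks like in practice, as an added example that is not part of the original article: the second field of each line holds a scheme id, a per-user salt and the hash, separated by $ signs. The function names and the sample lines (including the salts and hash strings) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): classify the password
# field of shadow-format lines read from standard input.
# Field 2 looks like $id$salt$hash or $id$rounds=N$salt$hash.
audit_shadow() {
    awk -F: '
        { user = $1; pw = $2 }
        pw == ""     { print user ": EMPTY password field"; next }
        pw ~ /^[!*]/ { print user ": locked, no password login"; next }
        {
            n = split(pw, part, "[$]")   # part[1] is empty, part[2] is the id
            if (n < 4) { print user ": legacy or unrecognised format"; next }
            id = part[2]
            salt = (part[3] ~ /^rounds=/) ? part[4] : part[3]
            if (id == "1")      scheme = "MD5 crypt (weak)"
            else if (id == "5") scheme = "SHA-256 crypt"
            else if (id == "6") scheme = "SHA-512 crypt"
            else { print user ": scheme id " id " not classified here"; next }
            print user ": " scheme ", " length(salt) "-char salt"
        }
    '
}

# Constructed sample lines; the salts and hash strings are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT1$constructedhashvalue:19700:0:99999:7:::
legacy:$1$SAMPLE08$constructedhashvalue:19700:0:99999:7:::
svc:!!:19700::::::
guest::19700:0:99999:7:::
EOF
}

# Stand-alone run on the sample; on a server: audit_shadow < /etc/shadow (as root)
sample_shadow | audit_shadow
```

An entry reported as MD5 crypt or legacy is a reason to have that user set the password again with passwd, so that it is re-hashed with the scheme the system is currently configured to use.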

Changing the SSH port.

In the modern world servers are hacked in packs: for example, hackers create a parser that runs on a server or a virus-infected computer and looks for victims, and when the parser spots a victim it starts working on breaking into the server. To hide from this kind of predator it is enough to close SSH port 22. No SSH port, no problems! With such a powerful idea we could give up computers altogether in the war with cyber viruses, but there is a much easier way: we close port 22, which everyone knows is the SSH connection port, and set a different port instead.

I recommend setting the SSH port to a five-digit value up to 65000. The reason for such distant ports is that you will not accidentally take ports needed by other services, for example 80 or 443, which are the server ports for websites. The configuration file responsible for the SSH protocol is located at /etc/ssh/sshd_config. Open the file:

[root@name-of-your-server ~]# vi /etc/ssh/sshd_config

In the opened file you will see the line #Port 22; the # comment sign means that the line is not currently enabled. Remove the # to enable the line and change the SSH port number to another one, for example 33442. Then save the result. If you do not find a Port 22 line in the sshd_config file, just add it to the file.

Restart the SSH service, which in Linux is called sshd:

[root@name-of-your-server ~]# service sshd restart

From now on, along with the new password, you had better not forget your new port, because from this point the standard SSH port 22 is closed on the server. When connecting via PuTTY you will need to enter the new port value in PuTTY's Port field instead of the number 22; in my example that value is port 33442.

P.S. The settings shown in these articles are for the CentOS operating system.
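The port change described above, scripted as an added example that is not part of the original article: it edits the Port line whether it is commented out, already active or missing, keeps a backup copy, and places the directive before any Match block, where sshd requires global options to be. The function names set_sshd_port and active_ports are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original article): set the Port directive in
# an sshd_config-style file. Usage: set_sshd_port FILE PORT
set_sshd_port() {
    file=$1 port=$2
    case $port in
        ''|*[!0-9]*|??????*) echo "port must be 1-5 digits" >&2; return 1 ;;
    esac
    # Stay inside the five-digit range the article recommends.
    if [ "$port" -lt 10000 ] || [ "$port" -gt 65000 ]; then
        echo "port must be between 10000 and 65000" >&2; return 1
    fi
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1      # copy to roll back to
    tmp=$(mktemp) || return 1
    awk -v port="$port" '
        # First "Port N" line, commented out or not, becomes the new setting.
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { print "Port " port; done = 1 }
            else if ($0 ~ /^[ \t]*#/) print    # keep comments, drop extra ports
            next
        }
        # Port is a global option, so it must appear before any Match block.
        /^[ \t]*Match[ \t]/ && !done { print "Port " port; done = 1 }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"  # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the port numbers sshd would read from FILE (active lines only).
active_ports() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2 }' "$1"
}

# On the server itself (assumed follow-up, adapt to your system):
#   set_sshd_port /etc/ssh/sshd_config 33442
#   sshd -t                  # syntax check before restarting
#   service sshd restart     # keep the current session open while testing
```

On a CentOS system with SELinux enforcing, sshd cannot bind to the new port until it is labelled, for example with semanage port -a -t ssh_port_t -p tcp 33442, and the firewall must allow the new port as well. Confirm that a second connection on the new port works before closing the session you made the change from.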

HiTechBlog.net 2013-2024