Welcome to Centmin Mod Community
Become a Member

Sysadmin protect root user over ssh

Discussion in 'System Administration' started by hitman, Apr 26, 2016.

  1. hitman

    hitman Member

    110
    9
    18
    Jul 18, 2014
    Ratings:
    +13
    Local Time:
    2:49 PM
    hello
    i use the root user to connect to ssh to my droplet
    but since "root" is a default account anyone would know the username used in order to connect

    what are the security measures i could use to be as safe as possible?
     
  2. apidevlab

    apidevlab Member

    88
    30
    18
    Mar 22, 2016
    /dev/null
    Ratings:
    +54
    Local Time:
    12:49 PM
    1.11.1
    5.2.14-122
    • Like Like x 1
    • Informative Informative x 1
  3. eva2000

    eva2000 Administrator Staff Member

    28,935
    6,567
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,747
    Local Time:
    9:49 PM
    Nginx 1.13.x
    MariaDB 5.5
    nice link

    ssh keys are nice but there are times you still need a password i.e. if you use a VPS and get locked out and need to use the web host provider's ipmi or out of band consoles with providers like digitalocean, ramnode, vultr

    for most folks 6 things are enough

    1. long and strong root user passwords i.e. use Strong Password Generator
    2. change sshd port from default 22 via centmin.sh menu option 16 which prompts for default port number first = 22 then your desired new sshd port number - this menu option auto reconfigures CSF Firewall's port whitelisting for sshd too
    3. if you web host provider's client/server admin login area has 2 step authentication enable and use it
    4. any web host provider email address you use to reset passwords needs to also have strong email login password and 2 step authentication enabled
    5. never use unprotected wifi - whether it be public or private (at home) wifi - use a VPN
    6. never send server login or sensitive info over unencrypted emails.. use sendinc.com to send private encrypted emails for server logins
     
    Last edited: Apr 28, 2016
    • Like Like x 2
  4. dooma

    dooma Premium Member Premium Member

    220
    21
    18
    Oct 15, 2016
    Cairo
    Ratings:
    +26
    Local Time:
    1:49 PM
    Hello,

    I already changed my port and did all the steps but I have no password for the root as I'm using SSH keys. I have a password for my superuser. should I set a pass for the root ?, and what should I change the PermitRootLogin to "No" or "Without-Password" ?

    Thanks
     
  5. eva2000

    eva2000 Administrator Staff Member

    28,935
    6,567
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,747
    Local Time:
    9:49 PM
    Nginx 1.13.x
    MariaDB 5.5
    Before you look into ssh key only (+disable password authentication), make sure your web host is setup with features that allow you to regain access to your server if you ever loose your ssh key's private key and that you know how to use those features to regain access.

    If you don't know how to use those features, setup a test instance/VPS with that web host and test it out. If you're with web host with hourly billed VPSes like Linode, DigitalOcean, and Vultr then it is relatively cheap to test out for a few hours on a test VPS.

    Here's a example text you can use to ask your web host to be sure

    There's numerous how to use ssh key login guides online, but not many go beyond that to explain what to do if you loose your ssh private key and are unable to use password logins. And that can come down to your web host and what measures they have in place i.e. out of band console access etc and recovery ISO/cds available.

    And some relevant guides with different web hosts about setting up SSH key authentication and also about recovery as well general need to know info.

    DigitalOcean



    Has out of band console access

    Linode



    Has out of band console access called Lish

    Vultr



    Has out of band console access

    OVH


    RamNode


    Others


     
  6. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    1:49 PM
    1
    10
    I tried the whole ssh key thing and i gave up on it as i couldnt get it working for sftp for some reason, it just kept not accepting my key.

    Call me paranoid but as I don't need sshd on all the time i stop the service when im done using it, however you'll need vnc or you wont be able to get back in

    also you can set this up

    Secure SSH with Google Authenticator Two-Factor Authentication on CentOS 7
     
    • Informative Informative x 2
  7. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    1:49 PM
    1
    10
    • Informative Informative x 1
  8. elargento

    elargento Member

    284
    16
    18
    Jan 4, 2016
    Ratings:
    +37
    Local Time:
    8:49 AM
    10
    Is there any difference if emails are sent through Gmail for example which has HTTPS?
     
  9. eva2000

    eva2000 Administrator Staff Member

    28,935
    6,567
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,747
    Local Time:
    9:49 PM
    Nginx 1.13.x
    MariaDB 5.5
    Safer to use sendinc as it ensures both ends (sender & receiver) are secure as you may send via Gmail/HTTPS but the receiver end Email client might not be as secure. Compromised Gmail account would also make it's stored email text insecure/readable.
     
    • Informative Informative x 1