This site runs on a small VPS with Ubuntu 12.04 Server. The only way to access the server is over SSH, so it is very important to secure remote SSH login. In this tutorial, I’m going to show you what I did on my Ubuntu Server to deal with the problem.
- Secure SSH Login on Ubuntu VPS
1. Disable SSH Login as Root
It’s not a good idea to log in to your Ubuntu Server remotely as the root user, because anyone can attempt to access your system by brute-forcing the root password.
To disable root login, edit the configuration file by running the command below:
Find the line that says PermitRootLogin yes and change it to PermitRootLogin no.
You’ll need to press i on your keyboard to start editing, press ESC to exit editing. Then press : followed by wq and then press Enter. This will save the file.
2. Add a user for SSH Login
Once root login is disabled, you need a regular user for remote SSH login. If you already have one, skip this step.
In the commands below, replace USERNAME with any username you want.
To get started, run the command below to create a user:
adduser --shell "/bin/bash" USERNAME
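Give the user sudo rights by appending an entry to /etc/sudoers (run this as root, then check the file with visudo -c, because a syntax error in /etc/sudoers stops sudo from working):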
echo "USERNAME ALL=(ALL:ALL) ALL" >> /etc/sudoers
Allow the user to log in over SSH by adding an AllowUsers line to the SSH configuration:
echo "AllowUsers USERNAME" >> /etc/ssh/sshd_config
3. Change the SSH Port
Using something other than the default port (22) for the SSH server can help avoid attacks by script kiddies. To do so, run the command below to edit the SSH config file:
Find Port 22 and change it to Port 22000 or any other number between 1024 and 65536.
After this step, you can log in over SSH by running the command below:
ssh serveripaddress -l USERNAME -p 22000
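To check the result of steps 1 to 3, the following added example (not part of the original tutorial) audits an sshd_config file. It reports the PermitRootLogin value that is actually in effect, because sshd uses the first value it reads, so a PermitRootLogin no appended below an existing yes changes nothing. The function name audit_sshd_config, the user deploy and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against steps 1-3 of this tutorial.
# Usage: audit_sshd_config FILE USERNAME
# Prints one "FAIL: ..." line per problem; returns 0 when there are none.
# Assumes whitespace-separated "Keyword value" lines and plain user names
# in AllowUsers (no user@host patterns or wildcards).
audit_sshd_config() {
    awk -v user="$2" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        { key = tolower($1) }                # keywords are case-insensitive
        key == "match" { exit }              # audit the global section only
        # sshd keeps the first value it reads for PermitRootLogin
        key == "permitrootlogin" && root == "" { root = tolower($2) }
        key == "port" { ports = ports " " $2 }   # Port may appear several times
        key == "allowusers" { for (i = 2; i <= NF; i++) if ($i == user) allowed = 1 }
        END {
            if (root != "no") {
                printf "FAIL: PermitRootLogin is %s\n", (root == "" ? "not set" : root)
                bad = 1
            }
            n = split(ports, p, " ")
            if (n == 0) { print "FAIL: no Port line, sshd listens on 22"; bad = 1 }
            for (i = 1; i <= n; i++)         # 65535 is the highest TCP port
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 < 1024 || p[i] + 0 > 65535) {
                    printf "FAIL: Port %s is outside 1024-65535\n", p[i]
                    bad = 1
                }
            if (!allowed) { printf "FAIL: %s is not in AllowUsers\n", user; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample: "PermitRootLogin no" was appended at the end of the
# file, but the earlier "yes" is the value sshd uses.
sample=$(mktemp)
printf '%s\n' 'Port 22000' 'PermitRootLogin yes' 'AllowUsers deploy' \
    'PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" deploy || true   # prints: FAIL: PermitRootLogin is yes
rm -f "$sample"
```

Running sshd -t checks the file for syntax errors. Keep your current session open until a login with the new user and port succeeds.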
4. Limit SSH Login Attempts
The most effective way to protect your server from brute force is to limit ssh login attempts. DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
To install DenyHosts, run:
sudo apt-get install denyhosts
Once DenyHosts is installed, make sure to whitelist your own IP address so you never get locked out. To do this, edit the file /etc/hosts.allow:
Add your IP address to the end, so that it looks like this:
You can also use Google Authenticator two-step authentication to secure your SSH Login.