This is a quick post to inform you of some ways to keep your Linux machines well protected from hackers and bots. Today I realised some of these so-called hackers had been brute forcing my web servers for the last few days; luckily they didn't prevail, but it got me thinking. I'm going to tell you the steps I took to secure my server even further than it already was, and hopefully help you avoid the same troubles.
Deny Root Logins
This might seem like an obvious one, but most servers allow root logins by default. There is no reason anyone should be logging in remotely using the root account. Leaving it open for logins is very dangerous and makes brute-force attempts to guess your password easy, since the attacker already knows the username. The best part about this option is that it's extremely easy. Use your favourite editor to open /etc/ssh/sshd_config and change PermitRootLogin to no. If you currently log in as root, make sure at least one other user on your machine has SSH access before you restart the SSH daemon, as you won't be able to log back in otherwise.
Limit Login Attempts
By limiting the number of failed authentication attempts you stop bots from repeatedly hammering a single connection and maybe eventually guessing your password. Again, this is a very easy change. Inside /etc/ssh/sshd_config change MaxAuthTries to 5. Any more than 5 wrong password attempts is almost definitely a hacking attempt, but don't set the number too low: if you forget your password, or miss a key or two while typing like a maniac, you may find yourself locked out of your own machine. Note that this limit applies per connection, so a bot can still reconnect and try again; it slows attackers down rather than stopping them outright.
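The two sshd_config changes above (PermitRootLogin and MaxAuthTries) are easy to get wrong by hand: the stock file often has the directive commented out, or a later duplicate, and sshd only honours the first active value in the global section. The script below is an added example, not part of the original post; it applies both settings idempotently, reads back the value sshd will actually use, and lets sshd parse the file before you restart it. The default path /etc/ssh/sshd_config is an assumption about your distro, so try it on a copy first.

```sh
#!/bin/sh
# Added example (not from the original post): apply the two sshd_config
# settings described above idempotently, so the script can be re-run safely.
# Edit a COPY first; the default path is an assumption about your distro.

# set_sshd_option FILE KEY VALUE
# Rewrites every existing KEY line (active or commented out) to "KEY VALUE";
# if KEY is absent, prepends it so it lands in the global section, before any
# Match block. Note: a KEY inside a Match block would also be rewritten.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" \
      "$file" > "$file.tmp"
  else
    { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$file.tmp"
  fi
  mv "$file.tmp" "$file"
}

# get_sshd_option FILE KEY
# Prints the value sshd will actually use: the FIRST active occurrence in the
# global section (sshd ignores later duplicates; we stop at the first Match).
get_sshd_option() {
  awk -v k="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(k) && !seen { v = $2; seen = 1 }
    END { print v }' "$1"
}

# harden_sshd_config [FILE]
# Applies the two settings from this post to FILE (default /etc/ssh/sshd_config).
harden_sshd_config() {
  file=${1:-/etc/ssh/sshd_config}
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" MaxAuthTries 5
}

# validate_sshd_config [FILE]
# Asks sshd itself to parse FILE before you restart the daemon (needs root to
# read the host keys); a syntax error here would otherwise lock you out.
validate_sshd_config() {
  sshd -t -f "${1:-/etc/ssh/sshd_config}"
}

# Usage: cp /etc/ssh/sshd_config /tmp/sshd_config.test
#   harden_sshd_config /tmp/sshd_config.test && validate_sshd_config /tmp/sshd_config.test
```

Once validate_sshd_config passes on the real file, restart the SSH daemon from a session you keep open and confirm a second login works before closing it.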
Use Keys instead of Passwords
If you're new to Linux you may not know what keys are, but trust me, you want to. Keys allow you to log in to your server without a password. "OH NO!?" I hear you say? Thankfully it's not as simple as that: access will only be permitted to users who possess your private key file, which you must guard with your life! There's no need to remember long complex passwords (although a passphrase on the key is still recommended), and it means hackers can't ever guess your password, because your machine won't even be checking for one without this special key. First of all you're going to need to generate a key pair. Simply run the command below:
$ ssh-keygen -v -t rsa
You will see an output similar to:
Generating public/private rsa key pair.
Enter file in which to save the key (.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
18:c3:71:2d:56:13:e7:ff:34:e5:19:f8:2e:af:f3:94 user@localhost