SSH hardening on cPanel servers

Folks! As sysadmins we always need to be vigilant about our servers' security, especially for SSH. SSH brute-force attack rates are higher nowadays, and it has become more necessary to harden the SSH service on our servers. Here I'll help you harden the SSH service on your server using simple steps.

Step 1. Make the root password stronger

Yeah, that's the main thing we need to do for our server: set a strong root password. Please don't set simple passwords like redhat or abcd123, as hackers can easily crack them. Your server's security is in your hands, so make it as strong as you can 🙂

I suggest using an 8-12 character password with at least one symbol and one number.

This applies not only to root but to other cPanel users too. If you're giving SSH access to any cPanel users, provide them with a strong password. If a user doesn't need SSH access, do not grant it. To remove a user's SSH access, use WHM's Manage Shell Access interface:

Home >> Account Functions >> Manage Shell Access

If a user needs SSH access but does not need access to files outside of their home directory, allow them to use a jailed shell environment.

Step 2. Disable SSH protocol 1

On older systems, version 1 of the SSH protocol is still available. This protocol has known security weaknesses, so we need to disable it on our servers and enable only Protocol 2 for SSH. Restart SSH once you're done, or restart it after making all the changes in the SSH config file, /etc/ssh/sshd_config.

Protocol 2

Step 3. Run SSH on a different port

Yeah, another smart idea is to use a port other than 22. In most cases hackers will try port 22 for SSH; by changing the port to another one we can greatly reduce the risk of an automated break-in.

For that we can make the necessary config change in /etc/ssh/sshd_config and then restart the SSH service on the server.

Port 22

Here you can change the port to the one you need. Once that is done, please don’t forget to open the port in your Firewall too 🙂

Step 4. Disable direct root login

Another way to secure SSH is to disable direct root login. Hackers and zombie machines will try to access SSH by logging in directly as root. We can disable this on our server to secure it. To do so, we need to set PermitRootLogin to no in the /etc/ssh/sshd_config file.

PermitRootLogin no

Yeah, now we need to set up another user with SSH access, from which we can then switch to root.

Once we disable direct root login, how can we access SSH from the command line? For that we need to create an SU user like “spcluser” (this is just an example, you can use your own) and set a password for it.

Adding the SU user and setting its password:

# groupadd spcluser
# useradd -g spcluser spcluser
# passwd spcluser
(type the password when prompted)

With these commands we added the SU user spcluser, assigned its group and set its password. Now we need to add spcluser to the wheel group. On a cPanel server we can do this either from cPanel or from the command line.

From cPanel:

WHM >> Home >> Security Center >> Manage Wheel Group Users

There you can add or remove users from the wheel group.

From command-line:

# vi /etc/group 

Search for wheel, then append your SU user. It should look like this:

wheel:x:10:spcluser

Once that's done, we need to permit this user to log in over SSH. For that, edit the config file as follows:

# vi /etc/ssh/sshd_config

Add the SU user under AllowUsers in the config file:

AllowUsers spcluser

Finally, restart SSH. Now we can SSH to the server as the SU user, then use su - to switch to root 🙂

Step 5. Use key-based authentication.

This is the most secure method for SSH, and I prefer using it for our servers. Here we disable password authentication and enable key-based authentication in the SSH config file. Then we add the public key of our local machine to the server, so you won't be prompted for a password.

This way we can deploy passwordless authentication on your servers.

If we need only key-based authentication, set PasswordAuthentication to no:

PasswordAuthentication no

Then we need to uncomment the AuthorizedKeysFile line in the SSH config file:

# vi /etc/ssh/sshd_config

AuthorizedKeysFile      .ssh/authorized_keys

Then, restart SSH service.

Next, we need to add the public key to our server – /root/.ssh/authorized_keys
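
The script below is an added example, not part of the original post: it checks an sshd_config file against the settings from steps 2 to 5, following sshd's rule that the first value read for a keyword is the one used. The function names and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config against the settings from steps 2-5.
# Function names and the sample file are constructed for illustration.

# Print the effective global value of a keyword. sshd keeps the FIRST value it
# reads for a keyword, keywords are case-insensitive, and anything after a
# "Match" line is conditional, so parsing stops there.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
  awk -v want="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blanks
    { key = tolower($1) }
    key == "match" { exit }                       # end of the global section
    key == tolower(want) { $1 = ""; sub(/^ +/, ""); print; exit }
  ' "$1"
}

# Print one line per deviation from the article's recommendations and
# return the number of deviations as the exit status (0 = all good).
audit_sshd_config() {  # usage: audit_sshd_config FILE
  local f=$1 bad=0 v
  v=$(sshd_effective "$f" Protocol)
  # Newer OpenSSH releases have dropped protocol 1, so unset is accepted.
  [ -z "$v" ] || [ "$v" = "2" ] || { echo "Protocol is '$v', expected 2"; bad=$((bad+1)); }
  v=$(sshd_effective "$f" Port)
  [ -n "$v" ] && [ "$v" != "22" ] || { echo "Port is still the default 22"; bad=$((bad+1)); }
  v=$(sshd_effective "$f" PermitRootLogin)
  [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', expected no"; bad=$((bad+1)); }
  v=$(sshd_effective "$f" PasswordAuthentication)
  [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset}', expected no"; bad=$((bad+1)); }
  v=$(sshd_effective "$f" AllowUsers)
  [ -n "$v" ] || { echo "AllowUsers is not set"; bad=$((bad+1)); }
  return "$bad"
}

# Constructed sample: sshd ignores the second PermitRootLogin line, so this
# file still allows root logins even though "no" appears in it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Protocol 2
Port 2222
permitrootlogin yes
PermitRootLogin no
#PasswordAuthentication no
AllowUsers spcluser
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "deviations found: $?"
```

Point audit_sshd_config at /etc/ssh/sshd_config after editing, run sshd -t to check the syntax, and keep an existing session open while restarting SSH so a mistake cannot lock you out.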

Step 6. Enable TCP wrappers

We can control SSH access to a server using the files /etc/hosts.allow and /etc/hosts.deny. Using these files we can allow or deny an IP, and so control who can access the server. We can do this either from the command line or from WHM:

Home >> Security Center >> Host Access Control

Yeah! That’s it 🙂
Let us know if you need any assistance.

Heba Habeeb

Working as a Linux Server Admin, Infopark, Cochin, Kerala.
