SSH hardening on cPanel servers
Folks! As SysAdmins we’ll always be vigilant on our server’s security, especially for SSH. SSH brute-force attacks rate are higher now-a-days and it has become more necessary to harden the SSH service on our servers. Here I’ll help you in hardening the SSH service on your server using simple steps.
Step 1. Make the root password stronger
Yeah, that’s the main thing that we need to do for our server. We need to set a strong root password. Please don’t set simple passwords like redhat, abcd123 as hackers can easily crack it. Your server’s security is in your hand – so make it strong as you can 🙂
I suggest to use 8-12 character password with at-least one symbol and one number.
Not only for root users, this is applicable for other cPanel users too. If you’re giving SSH access to any cPanel users provide them with a strong password. If a user don’t need SSH access, do not grant them with the access. To remove a user’s SSH access, use WHM’s Manage Shell Access interface
Home >> Account Functions >> Manage Shell Access
If a user needs SSH access but does not need access to files outside of their home directory, allow them to use a jailed shell environment.
Step 2. Disable SSH protocol 1
In older systems, version 1 of SSH protocol is still available. This protocol have certain security threats and we need to disable it in our servers. So we need to enable only Protocol 2 for SSH. Restart SSH once you done it or you can restart it after making all the changes in SSH config file – /etc/ssh/ssd_config.
Step 3. Run SSH on a different port
Yeah, that’s another smart idea to use a different port rather than 22. In most cases hackers will try to attempt on the port 22 for SSH, by changing the port to another one we can greatly reduce the risk of an automated break-in.
For that we can make the necessary config change in /etc/ssh/ssd_config and then restart the SSH service on the server.
Here you can change the port to the one you need. Once that is done, please don’t forget to open the port in your Firewall too 🙂
Step 4. Disable direct root login
Another method to secure the SSH is by disabling the direct root login. Hackers and zombie machines will try to access SSH with direct root login. We can disable it on our server to secure it. To activate it, we need to set PermitRootLogin as no in /etc/ssh/sshd_config file.
Yeah, now we need to set another user to have SSH access and then we can switch to root.
Once we disable direct root login, how can we access SSH from command-line. For that we need to enable SU user like “spcluser” (this is just an example, you can use your own) and set password to it.
Adding SU and setting its password:
# groupadd spcluser # useradd spcluser -gspcluser # passwd spcluser type password
By using this commands, we added the SU user as spcluser, assigned its group and set its password. Now we need to add the spcluser to Wheel group. For a cPanel server, either we can do it from cPanel or we can do it from command-line.
WHM >> Home >> Security Center >> Manage Wheel Group Users
There you can add or remove users from Wheel group
# vi /etc/group
search for wheel, then append your SU user. It should be as:
If that’s done, we need to grant permission for this user to access SSH. For that we need to add it as follows:
# vi /etc/ssh/sshd_config
Add the SU user as AllowUsers in the config file
Finally, restart SSH. Now we can SSH to the server as your SU user. Then use su – to switch to root 🙂
Step 5. Use key-based authentication.
This is the most secure method for SSH. I prefer using this for our servers. Here we disable password authentication and need to enable key-based authentication in SSH config file. Then we need to add the public key of our local machine to the server. Hence you won’t be prompted for password.
This way we can deploy password less authentication on your servers.
If we need only key based authntication, then set PasswordAuthentication to no
Then we need to uncomment the ssh-authorized key file in SSH config file
vi /etc/ssh/sshd_config AuthorizedKeysFile .ssh/authorized_keys
Then, restart SSH service.
Next, we need to add the public key to our server – /root/.ssh/authorized_keys
Step 6. Enable TCP wrappers
We can control the SSH access to a server using the files /etc/hosts.allow and /etc/hosts.deny. Using this files we can allow/deny an IP. We can control whoever can access the server. Either we can do it via command-line else we can do it from WHM.
Home >> Security Center >> Host Access Control
Yeah! That’s it 🙂
Let us know if you need any assistance.