cloudministerdev
This blog covers what SSH is, how to change the SSH port, and how to implement SSH hardening on a CentOS 7 server with CWP. If you want to save time, follow the link given below for more updates:
What is SSH, how to change SSH port and implement SSH hardening on CentOS 7 server with CWP?
www.cloudminister.com
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption.
Change SSH Port
Open the CWP panel in a browser and log in with the admin account by using https://your_domain.com:2087 (2087 for secure login).
Click on Services Config and select SSH Configuration under it.
Port 22 is the default port on which the SSH service listens. To enhance security, you should change it.
Now edit the configuration file: uncomment the Port line and change the port number from 22 to 2221. You can use any port number that is not used by other services. Click on Save Changes. Now restart the SSH service, which is found in the dashboard.
Configure CSF firewall
SSH access on the changed port is not allowed until you give the port number inside the CSF firewall. To configure it, click on Security and select CSF Firewall, then click on Firewall Configuration, replace the entry PORTS_sshd="22" with PORTS_sshd="2221", and click on Save Changes.
Now restart the Firewall with the Firewall Restart button.
Now test this by connecting with ssh without the port change and with the port change; you will see the effect.
OTHER SSH HARDENING
1) LIMIT MAX AUTHENTICATION ATTEMPTS
By setting a low threshold for login attempts, you can help prevent brute force attacks. Open the SSH daemon configuration file again with the command:
    sudo vi /etc/ssh/sshd_config
Look for the line:
    # MaxAuthTries 6
Change that line to:
    MaxAuthTries 3
Save and close the file. Restart the SSH server with the command:
    sudo systemctl restart sshd
2) Disable empty passwords
There are some system user accounts that are created without passwords. The administrator of a Linux machine can also create standard users without passwords. Out of the box, SSH is configured so that it doesn't prevent empty passwords from being allowed. Let's fix that.
Open the SSH daemon configuration file again with the command:
    sudo vi /etc/ssh/sshd_config
Locate the line:
    #PermitEmptyPasswords no
Change that to:
    PermitEmptyPasswords no
Save and close the file. Restart the SSH server with the command:
    sudo systemctl restart sshd
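The port, CSF and hardening settings changed in the steps above can be checked together. The script below is an added example, not part of the original post: it reads an sshd_config and a csf.conf and reports which of the walkthrough's settings are still at their old values. The function names, the sample file contents and the TCP_IN check are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example; every file below is a constructed sample, not real server data.

# Effective global value of an sshd_config keyword: the first uncommented
# occurrence wins, keywords are case-insensitive, Match blocks are conditional.
# $1 keyword, $2 file, $3 value to report when the keyword is not set
sshd_effective() {
  awk -v key="$1" -v def="$3" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print $2; found = 1; exit }
    END { if (!found) print def }' "$2"
}

# Quoted value of a csf.conf setting, e.g. PORTS_sshd = "22"
csf_value() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Print "ok" or a space-separated list of findings.
# $1 sshd_config file, $2 csf.conf file (body runs in a subshell: no leaked vars)
audit() (
  f=""
  port=$(sshd_effective Port "$1" 22)
  tries=$(sshd_effective MaxAuthTries "$1" 6)
  empty=$(sshd_effective PermitEmptyPasswords "$1" unset)
  [ "$port" != 22 ] || f="$f port-22"
  [ "$tries" -le 3 ] 2>/dev/null || f="$f maxauthtries-$tries"
  [ "$empty" = no ] || f="$f emptypasswords-$empty"
  [ "$(csf_value PORTS_sshd "$2")" = "$port" ] || f="$f csf-ports_sshd"
  # TCP_IN is csf's inbound TCP allow list; the page does not mention it (assumption)
  case ",$(csf_value TCP_IN "$2")," in *",$port,"*) ;; *) f="$f csf-tcp_in" ;; esac
  f=${f# }
  echo "${f:-ok}"
)

work=$(mktemp -d)
printf '%s\n' '#Port 22' '# MaxAuthTries 6' '#PermitEmptyPasswords no' > "$work/sshd_before"
printf '%s\n' 'Port 2221' 'MaxAuthTries 3' 'PermitEmptyPasswords no' > "$work/sshd_after"
printf '%s\n' 'TCP_IN = "22,80,443"' 'PORTS_sshd = "22"' > "$work/csf_before"
printf '%s\n' 'TCP_IN = "80,443,2221"' 'PORTS_sshd = "2221"' > "$work/csf_after"

audit "$work/sshd_before" "$work/csf_before"   # untouched server
audit "$work/sshd_after"  "$work/csf_after"    # walkthrough completed
audit "$work/sshd_after"  "$work/csf_before"   # sshd changed, firewall forgotten
```

On a live host, `sshd -t` validates the edited file before the restart, and keeping the current session open until a login on the new port succeeds avoids locking yourself out.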
CONCLUSION
The above configuration shows how to configure a different port number for the SSH server and different SSH hardening.