Changing SSH Default Port
The default port for SSH is port 22. This can easily be changed by modifying the /etc/ssh/sshd_config file.
Change the section that says “Port 22” to your new chosen port number. The new port number does not really matter as long as it is not in use by another program, or application. I am using port 10022 in this example.
# What ports, IPs and protocols we listen for #Port 22 Port 10022
IMPORTANT: Don’t forget to open the port in your firewall for a tcp connection to your new chosen SSH port number. You should also close port 22 since it will not be used anymore.
Disable SSH Root Logins
Disabling root logins to SSH is a great way to improve your server(s) security.
Change the “PermitRootLogin” setting to no.
#PermitRootLogin yes PermitRootLogin no
Restart the SSH daemon.
service ssh restart
IMPORTANT: Make sure you have at least one non “root” user.
Adding a new user is accomplished by using the adduser command followed by the new username.
root@server:/# adduser sampleuser Adding user `sampleuser' ... Adding new group `sampleuser' (1001) ... Adding new user `sampleuser' (1001) with group `sampleuser' ... Creating home directory `/home/sampleuser' ... Copying files from `/etc/skel' ... Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully Changing the user information for sampleuser Enter the new value, or press ENTER for the default Full Name : Room Number : Work Phone : Home Phone : Other : Is the information correct? [Y/n] Y root@server:/#
IMPORTANT: Do not use the same password as the root user. That will completely defeat the whole point of disabling root logins.
You can change to the root user once logged in by using the “su root” command followed by the root password.
Fail2Ban monitors your log file(s) for certain patterns that are specified in a filter.
apt-get update && apt-get upgrade apt-get install fail2ban
By default fail2ban monitors failed logins on port 22. Since we changed what port the SSH daemon listens on, fail2ban needs to know this as well. Create a new file called jail.local in the /etc/fail2ban/ directory.
Add the SSH jail and change the “port =” line to your new SSH port number.
[ssh] enabled = true port = 10022 filter = sshd logpath = /var/log/auth.log maxretry = 3