Help Center> Elastic Cloud Server> Best Practices> Enhancing Security for SSH Logins to Linux ECSs
Updated on 2023-11-13 GMT+08:00
View PDF

Enhancing Security for SSH Logins to Linux ECSs

Linux ECSs are generally logged in using SSH. How can I ensure login security for password-authenticated Linux ECSs? This section uses CentOS 7.6 as an example to describe how to enhance security for SSH logins.

Table 1 ECS configurations

Parameter

Example Value

Name

ecs-f5a2

OS

CentOS 7.6 64bit

EIP

119.3.xxx.x

Login mode

Password

Changing the Default Login Port

  1. Remotely log in to the ECS using its password through SSH. For details, see Login Using an SSH Password.
  2. Run the following command to change the default port for SSH logins, for example, to 5000:

    vim /etc/ssh/sshd_config

    Press i to enter insert mode. In line 17, delete the comment character (#) and change the port number to 5000.

    Figure 1 Before the change
    Figure 2 After the change
  3. Press Esc and enter :wq to save the changes and exit.

Adding a Firewall Rule to Open a Specified Port

CentOS 7 series use Fireware firewalls, but not Iptables by default. Perform the operations described in this section only if Iptables has been installed on your ECS to open port 5000 for SSH logins.

  1. Run the following command to check whether Iptables has been installed:

    service iptables status

    • If information similar to the following is displayed, Iptables has not been installed. In such a case, skip this section and proceed with Adding a Security Group Rule.

    • If information similar to the following is displayed, Iptables has been installed, and it is in active state. Then, go to step 2.

  2. Run the following command to add an Iptables rule to open port 5000:

    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5000 -j ACCEPT

  3. Run the following command to check whether port 5000 is contained in the existing Iptables rules:

    iptables -L -n

Adding a Security Group Rule

By default, port 22 is enabled in the inbound direction of a security group. After changing the SSH login port on your ECS to port 5000, add a rule for port 5000 to the security group.

  1. Log in to the management console.
  2. Under Compute, click Elastic Cloud Server. The ECS console is displayed.
  3. Click the ECS name ecs-f5a2 to go to the page providing details about the ECS.
  4. Click the Security Groups tab and then to show details about the security group rules. Click Modify Security Group Rule in the upper right corner of the table for the security group rules.
  5. Add an inbound rule, as shown in Figure 3.
    Figure 3 Security group rules

Changing Password Authentication to Key-Pair Authentication

Create a key pair on the management console, bind the key pair to your ECS to change the ECS login mode.

  1. Log in to the management console.
  2. Under Computing, click Elastic Cloud Server to switch to the ECS console.
  3. Create a key pair by following the instructions provided in Creating a Key Pair, and keep the private key file secure.
  4. Choose Service List > Security & Compliance > Data Encryption Workshop. In the navigation pane on the left, click Key Pair Service.
  5. Click the ECS List tab, locate the row containing ecs-f5a2, and click Bind in the Operation column. Set parameters according to Figure 5, and click OK.

    To disable password authentication, select Disable the password login mode on the Bind Key Pair page, or edit the sshd_config configuration file.

    Figure 4 Bind Key Pair
  6. Log in to the ECS, and edit the sshd_config file to disable password authentication.

    vim /etc/ssh/sshd_config

    Press i to enter insert mode, and configure the data in last several lines according to the following figure.

    Parameter description:

    • PermitRootLogin: specifies whether to allow the root user to log in to the ECS. Set this parameter to yes.
    • UseDNS: specifies whether DNS resolution is allowed. Set this parameter to no.
    • PasswordAuthentication: specifies whether a login is authenticated using a password. Set this parameter to no.

    During key pair binding in step 5, you have selected "Disable the password login mode". Therefore, the PasswordAuthentication value should be no. You only need to verify it.

    Press Esc and enter :wq to save the changes and exit.

  7. Run the following command to restart sshd:

    systemctl restart sshd

  8. Attempt to log in to the ECS using Xshell or an SSH client. If password input is unavailable, as shown in Figure 5, the configuration is successful.
    Figure 5 Logging in to the ECS using Xshell

Editing hosts.allow and hosts.deny

The /etc/hosts.allow and /etc/hosts.deny files control remote access. You can configure these files to allow or deny the access from certain IP addresses or IP address ranges to a process running on the Linux ECS.

For example, if SSH is available only to the administrator, you can allow accesses only from the IP address ranges that may be used by the administrator.

The ECS may be logged in anywhere. Therefore, you are advised to allow accesses from all IP addresses in /etc/hosts.allow.

vim /etc/hosts.allow

Add sshd:ALL in the last line.

Identify ECS security risks using certain methods, for example, checking the SSH status, to detect risky IP addresses, and add them to /etc/hosts.deny to deny the access of these IP addresses.