Enhancing Security for SSH Logins to Linux ECSs

Updated on 2024-11-04 GMT+08:00

View PDF

Linux ECSs are generally logged in using SSH. How can I ensure login security for password-authenticated Linux ECSs? This section uses CentOS 7.6 as an example to describe how to enhance security for SSH logins.

**Table 1** ECS configurations
Parameter	Example Value
Name	ecs-f5a2
OS	CentOS 7.6 64bit
EIP	119.3.xxx.x
Login mode	Password

Changing the Default Login Port

Remotely log in to the ECS using its password through SSH. For details, see Login Using an SSH Password.
Run the following command to change the default port for SSH logins, for example, to 5000:
vim /etc/ssh/sshd_config

Press i to enter insert mode. In line 17, delete the comment character (#) and change the port number to 5000.

Figure 1 Before the change

Figure 2 After the change
Press Esc and enter :wq to save the changes and exit.

Adding a Firewall Rule to Open a Specified Port

CentOS 7 series use the fireware firewall rather than iptables by default. Perform the operations described in this section only if Iptables has been installed on your ECS to open port 5000 for SSH logins.

Run the following command to check whether Iptables has been installed:
service iptables status
- If information similar to the following is displayed, Iptables has not been installed. In such a case, skip this section and proceed with Adding a Security Group Rule.
- If information similar to the following is displayed, Iptables has been installed, and it is in active state. Then, go to step 2.
Run the following command to add an Iptables rule to open port 5000:
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5000 -j ACCEPT
Run the following command to check whether port 5000 is contained in the existing Iptables rules:
iptables -L -n

Adding a Security Group Rule

By default, port 22 is enabled in the inbound direction of a security group. After changing the SSH login port on your ECS to port 5000, add a rule for port 5000 to the security group.

Log in to the management console.
Under Compute, click Elastic Cloud Server. The ECS console is displayed.
Click the ECS name ecs-f5a2 to go to the page providing details about the ECS.
Click the Security Groups tab and then to show details about the security group rules. Click Modify Security Group Rule in the upper right corner of the table for the security group rules.
Add an inbound rule, as shown in Figure 3.
Figure 3 Security group rules

Changing Password Authentication to Key-Pair Authentication

Create a key pair on the management console, bind the key pair to your ECS to change the ECS login mode.

Log in to the management console.
Under Computing, click Elastic Cloud Server to switch to the ECS console.
Create a key pair by following the instructions provided in Creating a Key Pair, and keep the private key file secure.
Choose Service List > Security & Compliance > Data Encryption Workshop. In the left navigation pane, click Key Pair Service.
Click the ECS List tab, locate the row containing ecs-f5a2, and click Bind in the Operation column. Set parameters according to Figure 5, and click OK.
To disable password authentication, select Disable the password login mode on the Bind Key Pair page, or edit the sshd_config configuration file.

Figure 4 Bind Key Pair
Log in to the ECS, and edit the sshd_config file to disable password authentication.
vim /etc/ssh/sshd_config

Press i to enter insert mode, and configure the data in last several lines according to the following figure.

Parameter description:
- PermitRootLogin: specifies whether to allow the root user to log in to the ECS. Set this parameter to yes.
- UseDNS: specifies whether DNS resolution is allowed. Set this parameter to no.
- PasswordAuthentication: specifies whether a login is authenticated using a password. Set this parameter to no.
NOTE:

During key pair binding in step 5, you have selected "Disable the password login mode". The PasswordAuthentication value should be no. You only need to verify it.

Press Esc and enter :wq to save the changes and exit.
Run the following command to restart sshd:
systemctl restart sshd
Attempt to log in to the ECS using Xshell or an SSH client. If password input is unavailable, as shown in Figure 5, the configuration is successful.
Figure 5 Logging in to the ECS using Xshell

Editing hosts.allow and hosts.deny

The /etc/hosts.allow and /etc/hosts.deny files control remote access. You can configure these files to allow or deny the access from certain IP addresses or IP address ranges to a process running on the Linux ECS.

For example, if SSH is available only to the administrator, you can only allow access from the IP address ranges used by the administrator.

The ECS may be logged in anywhere. You are advised to allow accesses from all IP addresses in /etc/hosts.allow.

vim /etc/hosts.allow

Add sshd:ALL in the last line.

Click to enlarge

Identify ECS security risks using certain methods, for example, checking the SSH status, to detect risky IP addresses, and add them to /etc/hosts.deny to deny the access from these IP addresses.

Parent topic: Securing an ECS

Previous topic: Securing an ECS

Next topic: Using a Virtual IP Address and Keepalived to Set Up a High-Availability Web Cluster