Note: this is based on Ubuntu 14.04 LTS; other distributions provide similar support, but with different package names and file locations.
You’ve secured your VPS access with SSH and you’ve enabled public keys for all your accounts. What else can you do to deter intruders?
Changing your SSH server’s listening port
Some people recommend moving your SSH server to listen on a different port number to deter casual or automated attacks. Take a look in /etc/services and choose an unused number, 24 for instance.
Now, edit your SSHd config file (/etc/ssh/sshd_config on Ubuntu), and change the line that specifies the port to listen on:
# What ports, IPs and protocols we listen for
Port 22
Change 22 to your new selection and save the file. Don’t forget to restart the SSH server:
sudo service ssh restart
This won’t add much to your overall security as any determined attack will find your SSH server in no time with a port scan. You’ll also probably curse yourself more than once because you forget to specify the port and can’t think why you can’t connect, or you forget to open the firewall and lock yourself out entirely until you resort to console access.
Do you really need to be able to access your VPS from _everywhere_? Do all of your user accounts need SSH access? Chances are you could restrict these and reduce your risk a little with some changes in the SSHd configuration file (/etc/ssh/sshd_config):
# Restrict access to root from known IPs and sshusers group only
AllowUsers email@example.com firstname.lastname@example.org
AllowGroups sshusers
I allow root access from home and work (IP addresses have been changed to protect the innocent) to run rsync backups of my VPS, but members of the sshusers group can connect from anywhere. If you didn’t need that you could just add the IP address to restrict the locations for everyone:
AllowUsers *@192.168.1.17 *@192.168.111.191
2FA – Two Factor Authentication
If you really do need access from (potentially) anywhere, then why not add another factor to your authentication? You might already have an app like Google Authenticator or Authy on your mobile phone, but did you know that you can easily use it with your SSH server?
There are three main steps: install the software to generate and check the keys, set up your authentication key, configure PAM and SSH on your VPS.
Installing the software
This should be as simple as installing a package on your system:
sudo apt-get install libpam-google-authenticator
If the Google Authenticator package is available in your distribution, you’re on your way.
Set up your key
The next step is to create a key for your user on your VPS and link that to the app on your phone (or other device). The previous step will have installed the google-authenticator command, which you run to create a key for your user (you’ll need to do this for each user account that you want to be able to log in).
Make sure that you answer ‘y’ to updating your .google_authenticator file, at least. It’s safe to answer ‘yes’ to all of the questions it asks (though you might not want single-use tokens, rate limiting or a 4 minute validity window, depending on your own preference and setup).
You’ll get a QR code that you can scan with your app, and some codes like this:
Your new secret key is: VNAA73ZT2INXNNX7
Your verification code is 898899
Your emergency scratch codes are:
  57861391
  29123972
  12879039
  35728133
  39111523
If you’re using the Google Authenticator app, you can now select ‘Set up account’ from the menu and either scan the QR code or enter the key by hand.
Your app should now give you a 6-digit code every 30 seconds or so that you can use when you log in to your VPS using SSH.
Keep the emergency scratch codes in a safe place (not your phone), they’ll come in handy if ever you drop your phone in a river and lose access to your app.
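The 6-digit codes the app shows are standard TOTP values (RFC 6238): an HMAC-SHA1 over the current 30-second time step, keyed with the base32 secret printed above. As an added example, not code from the post or from the google-authenticator PAM module, the following Python reproduces that check end to end, including the clock-drift window and single-use scratch codes. The secret and scratch codes are the ones shown above; the function names, the `window` handling and the in-memory scratch-code list are assumptions of this example, and the real .google_authenticator file format is not reproduced.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import List

# Secret and scratch codes exactly as the post shows google-authenticator printing them.
SECRET_B32 = "VNAA73ZT2INXNNX7"
SCRATCH_CODES = ["57861391", "29123972", "12879039", "35728133", "39111523"]


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    # google-authenticator prints the secret without base32 padding; restore it.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), at // step, digits)


def verify(secret_b32: str, candidate: str, scratch_codes: List[str],
           at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (tolerates small clock drift), or consume one emergency scratch code.
    `scratch_codes` is mutated so a used code can never be replayed."""
    candidate = candidate.strip()
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * step, step)
        # constant-time compare; lengths differ for scratch codes, so this is False for them
        if hmac.compare_digest(expected, candidate):
            return True
    if candidate in scratch_codes:
        scratch_codes.remove(candidate)  # scratch codes are single use
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code the app would show right now for the post's secret:", totp(SECRET_B32, now))
```

Because the code depends only on the shared secret and the clock, the server and the phone must agree on the time to within the window; keep the VPS on NTP. The `window` argument here is the same idea as the 4 minute validity window google-authenticator asks about, just narrower.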
Configuring PAM and SSH
This is the final step. First add the requirement for the authentication key to PAM’s SSH configuration in /etc/pam.d/sshd
Locate the following lines:
# Standard Un*x session setup and teardown.
@include common-session
and add this after them:
auth required pam_google_authenticator.so
Now update your SSHd configuration in /etc/ssh/sshd_config. Find the line containing ChallengeResponseAuthentication; make sure there’s no # symbol at the start of it and set the value to ‘yes’. If you can’t find that line, just add the whole line to the file:
ChallengeResponseAuthentication yes
Make sure that you also have the following line in there somewhere:
You can also explicitly set the required Authentication methods, for example, to require a public key to be provided and a password to be entered for login:
When you’re done, restart the SSH server:
sudo service ssh restart
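The Port, AllowUsers and ChallengeResponseAuthentication changes above are all the same operation on sshd_config: make sure exactly one active line sets the directive, whether it currently exists, is commented out, or is missing. As an added example, not code from the post, here is a small Python helper that does that against the file's text, so it can be tried on a copy first. The function names and the sample config fragment are constructed for this example; sshd honours only the first active occurrence of a directive, which is why duplicates are dropped. After writing the result over /etc/ssh/sshd_config, run `sudo sshd -t` to validate the syntax before `sudo service ssh restart`, and open the new port in the firewall before you rely on it.

```python
import re
from typing import List, Optional

# Constructed sample, modelled on the stock Ubuntu sshd_config lines quoted in the post.
SAMPLE_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 22
#ChallengeResponseAuthentication no
PasswordAuthentication yes
"""


def get_directive(config: str, key: str) -> Optional[str]:
    """Value sshd would use for `key`: the first active (uncommented) line wins."""
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == key.lower():  # directive names are case-insensitive
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def set_directive(config: str, key: str, value: str) -> str:
    """Return config with exactly one active `key value` line.

    An existing active line is replaced in place, a commented-out copy is
    uncommented in place, and if neither exists the directive is appended.
    Any further copies are dropped so the result is unambiguous.
    """
    pattern = re.compile(r"^\s*#?\s*" + re.escape(key) + r"(\s|$)", re.IGNORECASE)
    out: List[str] = []
    done = False
    for line in config.splitlines():
        if pattern.match(line):
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def harden(config: str, port: int, allow_users: List[str]) -> str:
    """Apply the three sshd_config changes this post makes, idempotently."""
    config = set_directive(config, "Port", str(port))
    config = set_directive(config, "AllowUsers", " ".join(allow_users))
    config = set_directive(config, "ChallengeResponseAuthentication", "yes")
    return config


if __name__ == "__main__":
    print(harden(SAMPLE_CONFIG, 24, ["*@192.168.1.17", "*@192.168.111.191"]))
```

Running `harden` twice on its own output yields the same text, so the helper is safe to re-run from a provisioning script.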
Now try logging in: you should be asked for your password, and then for the verification code. Enter the verification code from your app, and you should be logged in.
It’s a good idea not to log out your initial session before making sure that your changes work.