
This article covers methods of hardening SSH servers that help to avoid a range of security risks. With the advances in technology, many of the business processes we carry out today rely heavily on the internet, online tools and connected devices. That is why taking the necessary precautions to ensure network security is of the utmost importance. If an organization fails to secure its network, it is open to cyber attacks, which can result in data breaches, loss of digital assets, loss of business and even going out of business.


How to secure SSH?

If you want your SSH server to be as secure as possible, follow the steps below:

  • Set a custom SSH port. By default, SSH listens on port 22, and almost every attacker knows that. Changing it to something less predictable, such as Port 821, adds a thin layer of security by obscurity: it cuts down on automated scanning noise, but it is no substitute for the remaining steps.
  • Employ TCP wrappers. TCP Wrappers offer host-based ACL protection that lets you filter who is able to reach the SSH server. Note that OpenSSH itself dropped TCP wrapper support in version 6.7, so on current systems the same filtering is done with firewall rules.
  • Disable root login. Another default of the SSH server on Unix and Linux systems is that it allows root to log in directly. Since this account is a favourite target of attackers, we advise you to disable it.
  • Disable empty passwords. Again, on Unix and Linux systems, the SSH server can accept users with empty passwords, which is practically the same as leaving the door open for intruders. Make sure no user can rely on an empty password by disabling the option.
  • Block SSH brute-force attacks. You can do this manually by going through the system logs, identifying the offending addresses and blocking them in the firewall. A much easier method is to use a tool such as Fail2ban or SSHGuard.



This article covers different ways of keeping SSH sessions alive and preventing them from timing out needlessly. These tips are handy especially when there is no risk of someone taking over your SSH session while you are away. SSH sessions time out, and the client is automatically disconnected from the server, after being idle or inactive for a while.


To avoid SSH timeouts on the server side:

1. Edit the sshd configuration file with your favorite editor:

$ sudo vi /etc/ssh/sshd_config

2. Set these options as follows:

TCPKeepAlive no 
ClientAliveInterval 30
ClientAliveCountMax 240

Here, the server will not send TCP keepalive packets to check whether the client's connection is still up, but it will still send an encrypted alive message through the SSH channel every 30 seconds. It disconnects only after 240 consecutive messages go unanswered, i.e. after at least 30 × 240 = 7200 seconds (2 hours).
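As an added example (not from the original article), the following POSIX shell script audits an sshd_config against the hardening points listed above and computes the idle timeout implied by the ClientAlive settings. The sample config it reads is constructed here, and it assumes a config without Match blocks.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening items discussed above.
# Assumes POSIX sh + awk and a config without Match blocks (sshd applies the
# FIRST active occurrence of a keyword, which is what sshd_get returns).

# sshd_get FILE KEYWORD DEFAULT -> value sshd would use for KEYWORD
sshd_get() {
    awk -v key="$2" -v def="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Seconds the client may stay silent before sshd drops the session:
# ClientAliveInterval * ClientAliveCountMax (interval 0 disables the check).
sshd_idle_timeout() {
    interval=$(sshd_get "$1" ClientAliveInterval 0)
    count=$(sshd_get "$1" ClientAliveCountMax 3)
    echo $((interval * count))
}

# sshd_audit FILE -> one line per finding; no output means all checks passed
sshd_audit() {
    f="$1"
    [ "$(sshd_get "$f" Port 22)" = "22" ] && \
        echo "Port: still listening on the default port 22"
    [ "$(sshd_get "$f" PermitRootLogin unset)" != "no" ] && \
        echo "PermitRootLogin: root login not disabled"
    [ "$(sshd_get "$f" PermitEmptyPasswords no)" = "yes" ] && \
        echo "PermitEmptyPasswords: empty passwords accepted"
    [ "$(sshd_get "$f" PasswordAuthentication yes)" = "yes" ] && \
        echo "PasswordAuthentication: passwords accepted, prefer keys only"
    [ "$(sshd_get "$f" TCPKeepAlive yes)" = "no" ] && \
        [ "$(sshd_idle_timeout "$f")" -eq 0 ] && \
        echo "ClientAlive: keepalives disabled, dead sessions are never reaped"
    return 0
}

# Constructed sample config with the keepalive settings from the article.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config for demonstration only
Port 22
#PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
TCPKeepAlive no
ClientAliveInterval 30
ClientAliveCountMax 240
EOF

sshd_audit "$SAMPLE_CFG"
echo "idle timeout: $(sshd_idle_timeout "$SAMPLE_CFG") seconds"
```

Run it against /etc/ssh/sshd_config to get the same report for a real server.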



This article covers the steps to install and set up McAfee ENS Threat Prevention as a standalone installation on a Linux system. McAfee is one of the most widely used antivirus products on the market.



This article covers how to set up UFW on an Ubuntu 18.04 system. It is advisable to deny all incoming connections except on the necessary ports. Uncomplicated Firewall, or UFW, is an interface to iptables designed to simplify the process of configuring a firewall. While iptables is a solid and flexible tool, it can be tricky for beginners to learn how to use it to configure a firewall properly. If a user is looking to get started securing his or her network, UFW may be the appropriate solution.


UFW is installed on Ubuntu by default. If it has been uninstalled for some reason, we can install it with the following command:

$ sudo apt install ufw

By default, UFW denies all incoming connections and allows all outgoing connections. This means that a client trying to reach our server would not be able to connect, while an application on our server trying to connect to any other server outside will be allowed. The following commands set (or restore) these defaults explicitly:

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing



This article covers how to create a new SSH key pair and set up SSH key-based authentication. You can set up the same key for multiple remote hosts on a CentOS system. Also, you will learn how to disable SSH password authentication.

SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a CentOS server, chances are, you will spend most of your time in a terminal session connected to your server through SSH.

SSH keys are typically configured in an authorized_keys file in the .ssh subdirectory of the user's home directory. Typically a system administrator would first create a key using ssh-keygen and then install it as an authorized key on a server using the ssh-copy-id tool.

The public key should be stored in the ~/.ssh/authorized_keys file on the server.


To Create the RSA Key Pair:

1. Execute the command below to create a key pair on the client machine (usually your computer):

$ ssh-keygen

2. Press ENTER to save the key pair into the .ssh/ subdirectory in your home directory, or specify an alternate path.


Best Practices to improve SSH Key Security:

  • Discover all SSH Keys and Bring Under Active Management.
  • Ensure SSH Keys Are Associated With a Single Individual.
  • Enforce Minimal Levels of User Rights Through PoLP (the Principle of Least Privilege).
  • Stay Attentive to SSH Key Rotation.
  • Eliminate Hardcoded SSH Keys.
  • Audit All Privileged Session Activity.



This article covers how to stop and disable FirewallD on your CentOS 7 system. Firewalld is a complete firewall solution that has been made available by default on all CentOS 7 servers. It is highly recommended that you have another firewall protecting your network or server before, or immediately after, disabling firewalld.


How to manage Firewalld?

1. To disable firewalld, run the following command as root:

$ systemctl disable firewalld

2. To Stop Firewalld, execute the following command as root:

$ systemctl stop firewalld

3. To check the status of firewalld, run the following command as root:

$ systemctl status firewalld



This article covers how to change the SSH port on your Linux system. SSH (Secure Shell) is a cryptographic network protocol used to connect to a remote server securely; it transfers data in encrypted form between the host and the client.

The default TCP port for SSH is 22, and changing it to another port helps prevent automated bots and malicious users from brute-forcing their way into the server.

Before changing the default SSH port number, you can check the current port with the command below (use ss -ntlp on systems that no longer ship netstat):

# netstat -ntlp | grep ssh


To change the SSH port:

1. Open the main SSH daemon configuration file /etc/ssh/sshd_config:

# vi /etc/ssh/sshd_config

2. Now find the line beginning with Port 22 and comment it out by adding a hash (#) in front of it.

3. Then add a new Port line below with the custom port.

Note: Replace the sample port number with the custom port number that needs to be set.

4. Save and exit.


How to restart the SSH daemon for the changes to take effect?

Run the below commands to restart the SSH daemon and verify that the port changed:

# systemctl restart sshd
# netstat -ntlp | grep ssh



This article covers how to create a new SSH key pair and set up SSH key-based authentication. You can set up the same key for multiple remote hosts. Also, you will learn how to disable SSH password authentication. SSH stands for Secure Shell and is a method of establishing remote connections between computers. SSH is usually used to log in to and manage a remote server.

SSH key pairs can be used to authenticate a client to a server. The client creates a key pair and then uploads the public key to any remote server it wishes to access. This is placed in a file called authorized_keys within the ~/.ssh directory in the user account's home directory on the remote server.


To Disable Password Authentication:

Disabling password authentication is a security precaution. It prevents brute-force attacks that try to guess a password in order to log in to the server.

1. Start by logging into the remote server:

$ ssh user@hostname

2. Next, edit the sshd_config file in a text editor of your choice (we are using nano):

$ sudo nano /etc/ssh/sshd_config

3. Find and modify the following lines to look as follows:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

4. Write the changes, then exit the editor. Restart the SSH service by entering the following:

$ sudo systemctl restart ssh
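The port change described earlier and the password-authentication change above are the same kind of edit: comment out the active line for a keyword and append the new one. As an added example (not from the original article), this POSIX shell script does that idempotently on a copy of the file; it assumes only sh, awk and grep, and the sample config is constructed here.

```shell
#!/bin/sh
# Added example: set an sshd_config directive the way the manual steps above do
# (comment out every active line for the keyword, append the new one), so the
# first active occurrence, which is the one sshd honours, is always ours.
# Assumes POSIX sh, awk and grep; the sample config below is constructed.

# set_sshd_option FILE KEYWORD VALUE
set_sshd_option() {
    tmp="$1.tmp.$$"
    awk -v key="$2" -v value="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print "#" $0; next }
        { print }
        END { print key " " value }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# active_value KEYWORD FILE -> first uncommented value, as sshd would see it
active_value() {
    grep -iE "^[[:space:]]*$1[[:space:]]+" "$2" | awk '{ print $2; exit }'
}

# Apply the article's settings to a copy of the config (never the live file).
harden_copy() {
    set_sshd_option "$1" Port 821                   # custom port from the article
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" UsePAM no
}

# `sshd -t -f FILE` parses the copy and fails on a bad directive. Only run it
# where sshd is installed; it also needs the host keys to be readable.
validate_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here, skipping syntax check"
    fi
}

SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config for demonstration only
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF

harden_copy "$SAMPLE_CFG"
validate_config "$SAMPLE_CFG" || echo "validation failed, do not install this copy"
echo "Port is now $(active_value Port "$SAMPLE_CFG"), PasswordAuthentication $(active_value PasswordAuthentication "$SAMPLE_CFG")"
# Install a validated copy with: sudo cp "$SAMPLE_CFG" /etc/ssh/sshd_config
# then restart sshd. Open the new port in the firewall BEFORE restarting, and
# keep your current session open until a key-based login on the new port works.
```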



This article covers how to enable and disable root user account in Ubuntu system. Considered the most privileged account on a Unix system, root can perform any tasks needed for system administration.

Whether navigating to any folder, killing any process or deleting any directory, root is so powerful that it has to be managed properly.


In order to change the root password, use the passwd command and specify the root account:

$ sudo passwd root

After changing your password, the account will be automatically unlocked.

In order to switch to the root account, you can use the well-known "su" command without any arguments (the default account is root):

$ su - 


To restart your SSH server so that the modifications take effect:

$ sudo systemctl restart sshd



This article covers how to configure and manage the FirewallD service on your CentOS system. A Linux firewall is used to protect your workstation or server from unwanted traffic. You can set up rules to either block traffic or allow it through, and you can add, delete or update firewall rules without restarting the firewall daemon or service. The firewall-cmd tool acts as a frontend for nftables. In CentOS 8, nftables replaces iptables as the default Linux network packet filtering framework.


To Start and enable firewalld, run the commands:

$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

To Stop and disable firewalld, run the commands:

$ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld

To Check the firewalld status, run the command:

$ sudo firewall-cmd --state

To reload the firewalld configuration after changing rules, run the command:

$ sudo firewall-cmd --reload

To Get the status of the firewalld service, run the command:

$ sudo systemctl status firewalld



This article covers how to Install phpMyAdmin with Apache on CentOS 7 system. phpMyAdmin is a database utility used for managing MySQL databases through a graphical web-based interface. It can be configured to manage a local database (on the same system), or a remote database (over a network).


To Install EPEL Repository:

1. Enable the EPEL (Extra Packages for Enterprise Linux) repository by running the command:

$ sudo yum install -y epel-release

2. Once that operation finishes, it's a good idea to refresh and update the packages from the EPEL repository:

$ sudo yum -y update


To Install Apache Web Server:

1. To install Apache on CentOS, use the command:

$ yum install httpd -y

2. Verify the status of Apache with the command:

$ systemctl status httpd


To install PHPMyAdmin on CentOS, enter the command:

$ sudo yum -y install phpmyadmin



This article covers how to use the certbot Let’s Encrypt client to obtain a free SSL certificate and use it with Nginx on CentOS 7. 

Let's Encrypt is a new Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. 

Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx web servers.


To Install the Certbot Let's Encrypt Client:

1. Enable access to the EPEL repository on your server by typing:

$ sudo yum install epel-release

2. Once the repository has been enabled, you can obtain the certbot-nginx package by typing:

$ sudo yum install certbot-nginx


How to install Nginx on CentOS?

1. To install Nginx, run the command:

$ sudo yum install nginx

2. Then, start Nginx using systemctl:

$ sudo systemctl start nginx


How to configure the firewall on CentOS?

If you have a firewall enabled, make sure port 80 and 443 are open to incoming traffic.

1. If you have a firewalld firewall running, you can open these ports by typing:

$ sudo firewall-cmd --add-service=http
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

2. If you have an iptables firewall running, the commands you need depend heavily on your current rule set. For a basic rule set, you can add HTTP and HTTPS access by typing:

$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT



This article covers how to install a Let's Encrypt SSL certificate on Ubuntu 18.04 using Certbot. Enabling an encrypted connection to the web server is fundamental because it allows you to use the secure HTTPS protocol for your website. Let's Encrypt, a Certificate Authority, issues a free certificate fully in line with the required security standards, and it simplifies installing the certificate enough that even a less experienced user can secure a website through the Certbot client.


To Install Certbot client on Ubuntu:

1. First, add the Certbot repository:

$ sudo add-apt-repository ppa:certbot/certbot

You'll need to press ENTER to accept.

2. Install Certbot's Apache package with apt:

$ sudo apt install python-certbot-apache



This article covers how to secure Apache with a Let's Encrypt SSL certificate on CentOS 7 using the Certbot client. Also, you will learn how to set up a cron job for automatic certificate renewal. A security certificate is critical for securing traffic sent from web browsers to web servers. Let's Encrypt is a free, open and automated certificate authority whose certificates you can use to encrypt your site. Each certificate expires after 90 days and auto-renews at absolutely no cost.


To Install Certbot on CentOS 8:

Certbot is a client that automates the installation of the security certificate. It fetches the certificate from the Let's Encrypt authority and deploys it on your web server without much hassle.

1. Before downloading certbot, first, install packages that are necessary for the configuration of an encrypted connection:

$ sudo dnf install mod_ssl openssl

2. Download certbot using the curl command:

$ sudo curl -O https://dl.eff.org/certbot-auto

3. Next, move the certbot file to the /usr/local/bin directory and assign the execute file permissions:

$ sudo mv certbot-auto /usr/local/bin
$ sudo chmod 755 /usr/local/bin/certbot-auto


To Assign the permissions to the Document root of a domain:

$ sudo chown -R apache:apache /var/www/domain.com

For the changes to come into effect, restart the Apache service:

$ sudo systemctl restart httpd



This article covers how to use the certbot client of Let's Encrypt to obtain an SSL certificate for your domain.

Set up the following DNS records for your server (follow your DNS provider's instructions for adding a domain and creating records):

  • An A record with your_domain pointing to your server’s public IP address.
  • An A record with www.your_domain pointing to your server’s public IP address.


To install Certbot as a snap on Debian:

You must first have snapd installed on your server. snapd is the daemon required to install, use and manage snaps; installing the snapd package also installs the snap command on your server.

1. To install snapd, update your local package index if you've not done so recently:

$ sudo apt update

2. Then install the snapd package:

$ sudo apt install snapd

After running this command, you'll be prompted to confirm that you want to install snapd and its dependencies.

Do so by pressing Y and then ENTER.

3. Next, use the snap command to install the core snap. This will install some dependencies on your server that are needed for any snap you install, including the Certbot snap:

$ sudo snap install core

4. Then refresh the core snap. Doing so will ensure that you have the latest versions of snapd and its dependencies installed:

$ sudo snap refresh core

5. Following that, install the certbot snap. Because Certbot must be allowed to edit certain configuration files in order to set up certificates correctly, this command includes the --classic option. That confinement level gives a snap the same access to system resources as a traditional package:

$ sudo snap install --classic certbot

6. Create a symbolic link to this file in the /usr/bin/ directory to ensure that you can run the certbot command anywhere on your system:

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot



This article covers how to upgrade Ubuntu 16.04 to Ubuntu 18.04. If you are still using Ubuntu version 16.04, you may want to consider updating to the latest Long Term Support release, version 18.04.


What does LTS or Long Term Support Release Mean?

A Long Term Support release or LTS release, means that Ubuntu will support the version for five years. 

If you are running a production environment, you will likely want to use a Long-Term Support version of your preferred server operating system.


What is New in Ubuntu Version 18.04:

1. Depending on when you installed Ubuntu version 16.04, the Linux kernel used would have been anywhere from version 4.4 to 4.10. Version 18.04 uses Linux kernel 4.15 at launch.

2. Linux kernel 4.5 now includes new features like CPU controller for the cgroup v2 interface, AMD secure memory encryption support, the latest MD driver with software RAID enhancements, and improved power management for systems with SATA Link Power Management.

3. The new kernel also includes some Ubuntu-specific updates, Linux security module stacking support, and the signing of POWER host and NV kernels is now supported.

Ubuntu 18.04 does not install Python 2 by default, and Python 3 is updated to version 3.6.

4. Apache updates to version 2.4.29 and supports HTTP/2.

5. Nginx updates to version 1.14.0.

6. PHP updates from version 7.1 to 7.2.

7. The ifupdown network manager is removed on new installs and is deprecated. netplan.io is the new network configuration manager.

8. OpenSSH now refuses to use RSA keys smaller than 1024 bits. This command can report the length of a key.

$ ssh-keygen -l -f /path/to/key.pub

32-bit PowerPC support has been dropped.

9. The Subiquity server installer brings live sessions and fast installs of Ubuntu Desktop to server users.

10. Ubuntu 18.04 ships with LXD system container manager version 3.0. Version 3.0 of LXD allows for clustering of LXD servers, adds support of NVIDIA run-time pass-through, and lxd-p2c is a new tool that turns existing systems into LXD containers.


To Upgrade Ubuntu from 16.04 to 18.04:

1. Create a backup of your environment.

2. Run the command below to update and upgrade the packages.

$ sudo apt-get update && sudo apt-get upgrade

3. To add the Update Manager to your server, run the command below in your terminal.

$ sudo apt install update-manager-core

4. Now that you have created a backup, installed the package updates and have the update manager, you are ready to upgrade Ubuntu.

$ sudo do-release-upgrade

5. To check what version of Ubuntu is currently installed use the command below.

$ lsb_release -a



This article covers how to setup an SSH key-based authentication as well how to connect to your Linux server without entering a password.
To set up a passwordless SSH login in Linux, all you need to do is generate a public authentication key and append it to the remote host's ~/.ssh/authorized_keys file.

To Disable SSH Password Authentication:
To add an extra layer of security to your server you can disable the password authentication for SSH.
Before disabling the SSH password authentication make sure you can log in to your server without a password and the user you are logging in with has sudo privileges.
The following steps describe how to disable password authentication:
1. Log into your remote server with SSH keys, either as a user with sudo privileges or root:

# ssh sudo_user@server_ip_address

2. Open the SSH configuration file /etc/ssh/sshd_config, search for the following directives and modify them as follows:

/etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

3. Once you are done save the file and restart the SSH service.
On Ubuntu or Debian servers, run the following command:

# sudo systemctl restart ssh

On CentOS or Fedora servers, run the following command:

# sudo systemctl restart sshd



This article covers the installation of Fail2ban and the configuration of an sshd filter. There are so many options to configure but we focused on the basic ones. Feel free to peruse the Fail2ban man pages by running man fail2ban to discover what more you can do with it.

Fail2ban is a free, open-source and widely used intrusion prevention tool that scans log files for IP addresses that show malicious signs such as too many password failures, and much more, and it bans them (updates firewall rules to reject the IP addresses). 

By default, it ships with filters for various services including sshd.


To install and configure Fail2ban on CentOS/RHEL 8:

1. After logging into your system, access a command-line interface, then enable the EPEL repository on your system:

# dnf install epel-release

OR

# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

2. Afterward, install the Fail2ban package by running the following command:

# dnf install fail2ban

3. Start and enable the fail2ban service, then check that it is up and running, using the following systemctl commands:

# systemctl start fail2ban
# systemctl enable fail2ban
# systemctl status fail2ban
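The brute-force section earlier describes going through the system logs by hand to find offending addresses, which is exactly what Fail2ban's sshd filter automates. As an added example (not from the original article), this POSIX shell script does that manual step with awk over constructed auth.log-style lines and prints, rather than runs, the firewall rule a Fail2ban ban would correspond to; it assumes only sh, awk and sort.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source address in an auth.log-style
# file and report the sources at or above a threshold, i.e. the manual version
# of Fail2ban's sshd filter. Assumes POSIX sh, awk and sort. The log lines are
# constructed for the demo (TEST-NET addresses) in OpenSSH's syslog format.

# failed_logins_by_ip FILE THRESHOLD -> "count ip" per source, most frequent first
failed_logins_by_ip() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }
    ' "$1" | sort -rn
}

# ban_commands FILE THRESHOLD -> the firewall rule to review for each offender
# (printed for review, not executed; Fail2ban applies the equivalent via its banaction)
ban_commands() {
    failed_logins_by_ip "$1" "$2" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j REJECT  # $count failures"
    done
}

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:14 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:17 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:20 host sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:01:25 host sshd[1207]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 10:02:01 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:30 host sshd[1212]: Accepted publickey for alice from 198.51.100.7 port 40030 ssh2
EOF

echo "sources with 3 or more failed logins:"
failed_logins_by_ip "$SAMPLE_LOG" 3
ban_commands "$SAMPLE_LOG" 3
```

On a real host point it at /var/log/secure (CentOS/RHEL) or /var/log/auth.log (Debian/Ubuntu); a single typo by a legitimate user stays below the threshold, which is why the threshold matters as much as the pattern.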



This article will guide you on how to install and configure the HAProxy load balancer on a Linux system.

You will learn the basic setup and configuration of HAProxy as a load balancer for Apache web servers. We also look at some commands for managing the HAProxy server, and in the end we test the load balancing through the browser and the curl command.

HAProxy is free, open source software that provides a high-availability load balancer and proxy server for TCP and HTTP-based applications, spreading requests across multiple servers.

To deploy on Linux:

1. Download the source code of HAProxy.

2. Extract the archive into the desired location: tar xvzf haproxy-1.8-dev1.

3. Compile the source code.

4. Create config file haproxy.cfg with the configuration details.

5. Start the haproxy with ./haproxy -f haproxy.

6. Access the status page at http://localhost:9999/stats.



This article will guide you on how to run commands as the root user using the runuser, su and sudo utilities.




More Linux Tutorials

We create Linux HowTos and Tutorials for Sys Admins. Visit us on IbmiMedia.com
