By default a DigitalOcean Droplet allows root SSH access
When we first create a droplet in DO, DO emails us the login credentials and we can access the droplet through the DO console easily.
After that we change the password to one of our own. Then what's next? Are we good to go?
Before we go in depth, let us revisit what a brute force attack is.
A brute force attack is an attempt to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. - Kaspersky
In the case of droplet users, we need to secure our VPS against brute force attacks. For SSH the mechanism is slightly different. Cyclonis describes the SSH variant as follows:
SSH brute-force attack, the mechanism is reversed. Instead of trying thousands of username and password combinations on a single server, the crooks try one username and password combination on thousands of servers. People use weak passwords which makes the attack feasible, and because every server registers just one failed login attempt at most, the hackers don't have to worry about any lockout mechanisms. - Cyclonis
Knowing this, it is very important to configure the SSH service on our droplet/VPS so that it does not use the default SSH port, does not allow password-based authentication, and does not allow root login!
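To see what the pattern described above looks like on the server side, here is an added example (not part of the original post) that summarises sshd authentication events from auth.log-style lines. The log lines are constructed for the example and use RFC 5737 documentation addresses; the host name "droplet" and the user "deploy" are placeholders. Note that the "one attempt per server" approach in the Cyclonis quote produces only a single failed line per source, so counting per source catches noisy scanners but not that low-and-slow variant, which is why the configuration changes in this post matter more than any threshold.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): summarise sshd authentication
# events from auth.log-style lines. The log lines below are constructed,
# using RFC 5737 documentation addresses; they are not from a real server.

SAMPLE_AUTH_LOG='May  6 12:44:01 droplet sshd[1234]: Failed password for root from 203.0.113.10 port 51234 ssh2
May  6 12:44:03 droplet sshd[1235]: Invalid user admin from 198.51.100.7 port 40000
May  6 12:44:03 droplet sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
May  6 12:44:09 droplet sshd[1237]: Failed password for root from 203.0.113.10 port 51240 ssh2
May  6 12:45:00 droplet sshd[1240]: Accepted publickey for deploy from 192.0.2.5 port 52000 ssh2: ED25519 SHA256:constructedfingerprint
May  6 12:46:10 droplet sshd[1241]: Failed password for root from 198.51.100.9 port 41000 ssh2'

# Count "Failed password" events per source address, most active first.
# Reads log lines on stdin; prints "<count> <ip>" per line.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Count distinct sources that tried the root account with a password.
# Once PermitRootLogin and PasswordAuthentication are "no" none of these can
# succeed, but the attempts still show the server is being probed.
root_password_sources() {
    awk '/Failed password for root from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' | sort -u | wc -l | tr -d ' '
}

# List successful logins as "<user> <ip> <method>" so key-based logins
# from unexpected addresses stand out.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ { print $9, $11, $7 }'
}

# Stand-alone run over the constructed sample.
echo "failed password attempts per source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source
echo "sources that tried root with a password: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | root_password_sources)"
echo "accepted logins:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
```

On a real droplet feed the functions with `journalctl -u ssh` or `/var/log/auth.log` instead of the sample variable; the field positions used in `accepted_logins` assume the standard syslog prefix shown in the sample.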
Simple Security Implementations to avoid SSH Brute Force attacks.
I'm sharing this based on some articles that I read and my experience in handling my own website. You may give feedback on how you implement the security layer on your droplets / VPS. I'll be happy to hear it!
Change SSH port number
Update the SSH port number to a new number instead of the default, which is 22.
By default, the SSH server still runs in port 22. However, there are occasions when it is run in a different port. Testing use is one reason. Running multiple configurations on the same host is another. Rarely, it may also be run without root privileges, in which case it must be run in a non-privileged port (i.e., port number >= 1024). - ssh.com
Let's change the configuration file first.
$ vim /etc/ssh/sshd_config
# change the port number
Port xxxx
After saving, reload the SSH service (service sshd reload) so the new port takes effect, and keep your current session open until you have verified that the new port accepts logins.
Then we need to update our firewall rules to accept inbound SSH connections on that port.
Add the new rule to our iptables rules file, e.g.
$ vim /etc/iptables/rules.v4
# add this new rule
-A INPUT -p tcp -m tcp --dport xxxx -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# drop connections to port 22
-A INPUT -p tcp -m tcp --dport 22 -j DROP
and reload the rules.
$ iptables-restore < /etc/iptables/rules.v4
Using the nmap tool we can verify that port 22 is now filtered and the new port is open.
$ nmap <targeted_host> -p 22
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-06 12:44 +08
Nmap scan report for xxxxxx (xxxxxxxxx)
Host is up (0.062s latency).
Other addresses for xxxxxxx (not scanned): xxxxxxx
PORT STATE SERVICE
22/tcp filtered ssh
Nmap done: 1 IP address (1 host up) scanned in 0.93 seconds
$ nmap <targeted_host> -p xxxx
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-06 12:53 +08
Nmap scan report for xxxx (xxx.xx.xxx.xxx)
Host is up (0.041s latency).
Other addresses for xxxx (not scanned): xx:xx:x:x:x:x:xxx:xxxxx
PORT STATE SERVICE
xxxxx/tcp open unknown
Use SSH Key
Instead of using a password to access our droplet, we can set it up to accept only an SSH key. This prevents brute force attacks that rely on password guessing.
It's easy to set up an SSH key for the root user in DO. You can go through these steps to generate your first SSH key and configure it properly on the droplet!
Ensure you have configured it properly and can access the droplet successfully before moving on to the next step.
Disable SSH password-based authentication
This is very easy.
Just update the SSH configuration file as below
$ vim /etc/ssh/sshd_config
# set PasswordAuthentication to no
PasswordAuthentication no
# reload the ssh configuration
$ service sshd reload
Done! This ensures that any attempt to log in using a password will fail!
Verify by running this command
$ ssh user@xx -o PubkeyAuthentication=no
# and you will get this error message
user@xx:
Permission denied (publickey).
Disable the root user login!
OK, now you have learnt how to change the default SSH port and set up an SSH key for the root user. There is still some risk: say an attacker is able to scan which port is open and also gets hold of our private SSH key (if we exposed the private key publicly or did not store it securely). They would then log in as root, and boom! We are in trouble. To lower this risk, what we can do is create a new sudo user.
When an attacker uses this new user they do not have full superuser privileges until they switch to sudo. And again, I will let the server always prompt for a password when elevating with sudo. This is another precaution, to lower the risk of being exploited.
Create a new sudo user
To set this up we need to create a new sudo user
$ adduser <username>
# add the user to the sudo group
$ usermod -aG sudo <username>
Then follow the Use SSH Key setup (previous step) to add SSH keys for the new user.
Verify the new sudo user can login and have sudo privileges
Verify by logging in and running a command that can only be run by a sudo user.
eg
$ ssh user@xxx
$ sudo vim /etc/ssh/sshd_config
# try to edit and save (without sudo a normal user cannot write this file)
# if it saves successfully, our sudo user is working properly.
Disable root user login.
# edit the configuration file
$ vim /etc/ssh/sshd_config
# change PermitRootLogin to no
PermitRootLogin no
# reload ssh configuration
$ service sshd reload
Done! Now root user can no longer access the server through ssh!
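Since the three changes above (new port, keys only, no root login) all live in sshd_config and rules.v4, a practitioner usually wants a repeatable check that they are really in effect rather than relying on memory. Here is an added example (not the post's own code) that audits an sshd_config and an iptables rules.v4 file for those settings. The sample files are constructed and written to a temporary directory; on a real host point the functions at /etc/ssh/sshd_config and /etc/iptables/rules.v4. Port 2222 is a placeholder, not a recommendation. It goes one step beyond the post by also checking ChallengeResponseAuthentication (called KbdInteractiveAuthentication in newer OpenSSH): with UsePAM yes, leaving it at its default can still let PAM accept a password through keyboard-interactive even when PasswordAuthentication is no.

```shell
#!/usr/bin/env bash
# Added example (not the post's own code): audit an sshd_config and an
# iptables rules.v4 file for the settings this post changes (Port,
# PasswordAuthentication, PermitRootLogin) plus ChallengeResponseAuthentication.
# The files below are constructed samples; on a real host use
# /etc/ssh/sshd_config and /etc/iptables/rules.v4. Port 2222 is a placeholder.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK_CFG=$WORKDIR/sshd_config.weak        # stock-looking config, everything at defaults
HARD_CFG=$WORKDIR/sshd_config.hardened    # after the changes in this post
RULES=$WORKDIR/rules.v4                   # firewall rules as written in this post

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: commented-out lines show sshd's defaults, they set nothing
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
UsePAM yes
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed sample: the hardened settings
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

cat > "$RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
EOF

# sshd_option <config file> <keyword>: print the effective value of a keyword.
# Per sshd_config(5) keywords are case-insensitive and the first value wins,
# so comments are skipped and the first uncommented match is printed.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# expect_no <config file> <keyword>: one finding line unless the value is "no".
expect_no() {
    val=$(sshd_option "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$val" = "no" ] || echo "$2: is '${val:-unset}', expected 'no'"
}

# audit_sshd_config <config file>: print one line per weak setting (no output = clean).
audit_sshd_config() {
    port=$(sshd_option "$1" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port: still the default 22"
    fi
    expect_no "$1" PasswordAuthentication
    expect_no "$1" PermitRootLogin
    expect_no "$1" ChallengeResponseAuthentication
}

# audit_firewall <rules file> <ssh port>: the new port must be accepted and 22 dropped.
audit_firewall() {
    grep -Eq -- "^-A INPUT .*--dport $2[[:space:]].*-j ACCEPT" "$1" \
        || echo "firewall: no ACCEPT rule for tcp/$2"
    grep -Eq -- "^-A INPUT .*--dport 22[[:space:]].*-j DROP" "$1" \
        || echo "firewall: port 22 is not dropped"
}

# Stand-alone run: audit both sample configs and the rules file.
for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    audit_sshd_config "$cfg"
done
echo "== $RULES"
audit_firewall "$RULES" "$(sshd_option "$HARD_CFG" Port)"
```

The audit reads the files rather than asking the running daemon, so run it after `service sshd reload` and `iptables-restore` and pair it with the `ssh -o PubkeyAuthentication=no` and nmap checks from the post to confirm the live behaviour matches the files.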
In case you forget the sudo user's password!
You can just log in to the DO droplet via the DO console and reset the user password!
Run the following command to reset the user password
$ passwd <username>
Summary
In addition, you can also limit SSH access to certain static IPs only; however, I believe some of us might not have the luxury of spending money :( on a static IP.
It is very important for us to implement at least some layer of security, to avoid our server being an easy target and to minimize its vulnerabilities.
Some interesting articles on how we can try a brute force attack on other people's websites, or even our own :P
Feel free to comment down below! I'll try to help out!