If you are wanting remote access to an Ubuntu Server, the answer is SSH (Secure SHell). Ironically, SSH actually isn’t in the most secure configuration out of the box. Several of the servers I run are public facing, which means SSH particularly needs to be locked down.
So lets talk about locking down SSH. I found this article to be particularly handy:
http://www.rackspace.com/blog/securing-your-ssh-server/
There are two slightly more involved items on that author’s list, and there are two very easy items. I am going to deal with the very easy items because it is something everyone can do quickly and therefore should do as long as it fits their use-case.
First, please use a non-standard port for SSH access. Honestly… Don’t get me wrong, I completely agree with the author’s sentiments about “security through obscurity” not being an excellent/valid security practice. But this configuration item isn’t about thinking you have made your box Fort Knox… Rather, it is about keeping the millions of auto-hack scripts from constantly “beating” on the digital doors of your SSH service.
How do you change the port you ask?
Login to your ubuntu server, elevate your privileges with “sudo -s” and then edit the configuration file for SSH…
vim /etc/ssh/sshd_config
Find the following line:
And change “22” to some other random port you can remember and then save and close the file then restart SSH with:
Now, the next simple thing you can do is limit which users and/or groups can access the box via SSH. What follows next is based on some assumptions. First, you are running Ubuntu 13+, second, you want your user account to have ssh access, third you want all admin users to have SSH access. So, to proceed reopen your sshd_config file and add the following lines to the bottom:
Where “yourusername” is the username your are logged into the box as. The reason your are entering your username in the AllowGroups directive is because ubuntu by default creates a group that has the same name as the user and that is that user’s primary group. If you are using a non-default primary group you can add that group here or you can use the “AllowUsers” directive in the same manner and specify by username as shown below.
If you want to be user specific you can do so by:
Now, here is the sweet kicker for people that have following my Ubuntu Active Directory integration guide. Both the AllowGroups and AllowUsers configuration options work with Active Directory users and groups.
So if you active directory user is “jdoe” then add him to the AllowUsers. If John Doe is a Domain Admin and part of the “domain admins” security group, you can add that group the AllowGroups directive. The only caveat I would note is that Windows group names often have spaces in them. If that is the case for a group you want to add, use a carrot ^ instead of a space. So in my example it would be like this:
These two very simple things can help you quickly lock down your SSH service and everyone should be participating!