Friday, July 24, 2015

OpenSSH Security

These are the six most important tasks to secure your SSH server setup:
  1. Use a strong password.
  2. Change the SSH default port.
  3. Always use protocol version 2.
  4. Disable the root login.
  5. Limit user access.
  6. Use key-based authentication.

Use a strong password

A password is a word or string of characters used for user authentication to prove identity or access approval to gain access to a resource. Keep it secret from those that are not allowed to access the server. Use a complex and long password; it should be easy for you to remember and unique, but not easy for others to guess. Don't use `admin123` or `admin` etc. that are easy to guess, and don't use birthdays, the name of your wife etc. A good password should also contain special chars like '.!;/' (not just the characters a-z and 0-9). Use upper- and lowercase characters in the password.

Change the SSH default port

The default port of the SSH service is 22; you should change that to make it less obvious that your server is running an SSH service. The SSH configuration files are located in the /etc/ssh/ directory; you have to edit the config file /etc/ssh/sshd_config.
nano /etc/ssh/sshd_config
Search for the "Port" line:
Port 22
and change it to your favorite port number, example: 1337
Port 1337
Please choose a port that is not in use on your server yet. You can get a list of ports that are currently in use with the command:
netstat -ntap
This command results in a quite long list that shows all open ports and connections. If you just like to check if your desired port is available, use this command instead:
netstat -ntap | grep 4422
In this example, I'll check if port 4422 is free. If the command does not return a result, then the port is available and can be used for SSH.

Always use protocol 2

SSH has two protocol versions: the old protocol 1, which is insecure, and the newer protocol 2. Always use protocol 2 for your SSH server; it is more secure than protocol 1.

Disable root login

You should disable the direct login for the root user because there are many brute force attacks against the name of the root superuser. IMPORTANT: test the SSH login with your alternate non-root user that you plan to use for ssh logins before you disable the root account.
PermitRootLogin no
After you set "PermitRootLogin" to "no", you can no longer log in with the root account, even if you use the correct password for the root user.

Limit user access

You should add a new user for logging in to your server. Assume that you have created the users ruiko and mikoto to log in to your server; then you can add the new line:
AllowUsers ruiko mikoto
in /etc/ssh/sshd_config to limit SSH access to these users.

Use Key Based Authentication

I recommend using this option because it is very easy to set up and more secure than password-based authentication. First you have to create a public/private key pair on your local (desktop) computer; I use Linux to create it.
You can create the public / private key pair with this command:
ssh-keygen -t rsa -b 4096
It will create 2 files in the ~/.ssh/ directory: id_rsa as the private key and id_rsa.pub as the public key. If it prompts for a passphrase, you can leave it blank or type a passphrase. Using a passphrase to protect your key is recommended.
Now upload the public key id_rsa.pub to your server with the ssh-copy-id command.
ssh-copy-id -i ~/.ssh/id_rsa.pub user@serverip
It will automatically append your public key to the file ~/.ssh/authorized_keys on your server.
Now go back to your server and edit your SSH configuration file again.
nano /etc/ssh/sshd_config
Uncomment this line:
AuthorizedKeysFile     %h/.ssh/authorized_keys
and finally restart your ssh server:
systemctl restart sshd
Now try to connect to your server:
ssh -p '4422' 'user@serverIP'
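The sshd_config changes above (Port, Protocol 2, PermitRootLogin, AllowUsers, AuthorizedKeysFile) are made by hand in nano in the post. Below is an added example, not code from the original post, that applies the same directives to a config file idempotently (replacing a commented or existing line, or appending if absent), reads back the effective value the way sshd does (first active occurrence wins), and checks whether a chosen port is already in use with an exact match on the port column rather than a loose grep. The file path, port number and user names are parameters; the sample config in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's sshd_config
# hardening directives idempotently and verify them. Assumes the config file
# path is passed as an argument; the demo below uses a constructed sample file.

# set_directive FILE KEY VALUE
# Replace an existing "KEY ..." line (commented or not) with "KEY VALUE", or
# append it if the file has none. Running it twice leaves the file unchanged.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        # sed -i differs between GNU and BSD, so write to a temp file and move it.
        sed -E "s|^[#[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE PORT USER...
# Applies exactly the directives discussed in the post. Directives inside
# "Match" blocks are not handled; the post's configuration has none.
harden_sshd_config() {
    file=$1; port=$2; shift 2
    set_directive "$file" Port "$port"
    set_directive "$file" Protocol 2
    set_directive "$file" PermitRootLogin no
    set_directive "$file" AllowUsers "$*"
    set_directive "$file" AuthorizedKeysFile '%h/.ssh/authorized_keys'
}

# get_directive FILE KEY
# Prints the effective value: sshd uses the first active (uncommented) line.
get_directive() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" | head -n 1 \
        | awk '{ $1=""; sub(/^ /, ""); print }'
}

# port_in_use PORT
# Returns 0 if a TCP listener is bound to PORT. Anchors on ":PORT" at the end
# of the local-address column, so checking 22 does not match 2222.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq ":$1\$"
    else
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -Eq ":$1\$"
    fi
}

# Demo on a constructed sample config (not a real server's file).
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config
#Port 22
#Protocol 2,1
#PermitRootLogin yes
#AuthorizedKeysFile     .ssh/authorized_keys
PasswordAuthentication yes
EOF
    if port_in_use 4422; then
        echo "port 4422 is already in use on this host"
    else
        echo "port 4422 is free on this host"
    fi
    harden_sshd_config "$cfg" 4422 ruiko mikoto
    harden_sshd_config "$cfg" 4422 ruiko mikoto   # second run: no duplicate lines
    echo "Port            = $(get_directive "$cfg" Port)"
    echo "PermitRootLogin = $(get_directive "$cfg" PermitRootLogin)"
    echo "AllowUsers      = $(get_directive "$cfg" AllowUsers)"
    echo "active Port lines: $(grep -c '^Port ' "$cfg")"
    rm -f "$cfg"
}
demo
```

Before restarting sshd on a real server, validate the edited file with `sshd -t -f /etc/ssh/sshd_config` (test mode exits non-zero on a syntax error) and keep your current session open until a second login on the new port succeeds, so a mistake in AllowUsers or the port does not lock you out.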

Conclusion

OpenSSH is the standard for secure remote access to Unix-like servers, replacing the unencrypted telnet protocol. SSH (and its file transfer sub-protocol SCP) ensures that the connection from your local computer to the server is encrypted and secure. The base installation of OpenSSH is already quite secure, but we can improve it by following the above guide.

Thursday, July 23, 2015

How to install ProFTPD on CentOS

1 Preliminary Note

This tutorial is based on CentOS 7.0 server, so you should set up a basic CentOS 7.0 server installation before you continue with this tutorial. The system should have a static IP address. I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname. 

2 Install ProFTPD

2.1 Installation:

For this enable EPEL as follows:
rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
We will first install ProFTPD and OpenSSL as follows:
yum install -y proftpd openssl proftpd-utils
We need to start and enable the service:
systemctl start proftpd.service
systemctl enable proftpd.service
Additionally, in CentOS 7.0 we need to open the ftp service in firewalld with firewall-cmd as follows:
firewall-cmd --add-service=ftp --permanent
firewall-cmd --reload
We can check the ProFTPD version as follows:
proftpd -v
[root@server1 ~]# proftpd -v
ProFTPD Version 1.3.5
[root@server1 ~]#

2.2 Creating ProFTPD Users

For this I will create a group ftpgroup and a user srijan for ProFTPD. I will restrict the user srijan to the home directory /ftpshare.
groupadd ftpgroup
Next I will add the user srijan in ftpgroup:
useradd  -G ftpgroup srijan -s /sbin/nologin -d /ftpshare
passwd srijan
[root@server1 ~]# passwd srijan
Changing password for user srijan.
New password: <--ftppassword
Retype new password: <--ftppassword
passwd: all authentication tokens updated successfully.
[root@server1 ~]# 
Next we need to protect the directory so that users cannot remove or rename files they do not own (the sticky bit), so we change the directory permissions as follows:
chmod -R 1777 /ftpshare/
Now we are ready for a ProFTPD connection.
Now we can log in with the user srijan and its password at ftp://192.168.0.100

3 Enabling TLS In ProFTPD

In order to enable TLS in ProFTPD, open /etc/proftpd.conf. Before editing the file it is better to make a backup of the original file, and then edit the file as shown below:
cp /etc/proftpd.conf /etc/proftpd.conf.bak
nano /etc/proftpd.conf
Give the entries as shown:
[...]
DefaultRoot                     ~ !adm
PassivePorts    6000    6100
[...]
#<IfDefine TLS>
  TLSEngine                     on
  TLSRequired                   on
  TLSRSACertificateFile         /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile      /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite                ALL:!ADH:!DES
  TLSOptions                    NoCertRequest
  TLSVerifyClient               off
  TLSRenegotiate                ctrl 3600 data 512000 required off timeout 300
  TLSLog                        /var/log/proftpd/tls.log
#  <IfModule mod_tls_shmcache.c>
#    TLSSessionCache            shm:/file=/var/run/proftpd/sesscache
#  </IfModule>
#</IfDefine>
[...] 
I have added the ports 6000 to 6100 for allowing passive mode FTP; similarly I will allow the passive mode range through the CentOS firewalld service as follows:
firewall-cmd --add-port=6000-6100/tcp --permanent
firewall-cmd --reload
We can check the ports status as follows:
firewall-cmd --list-ports
[root@server1 ~]# firewall-cmd --list-ports
6000-6100/tcp
[root@server1 ~]#
Additionally we need to tell SELinux to allow the FTP daemon to read and write the files:
setsebool -P allow_ftpd_full_access=1
In order to use TLS, we must create an SSL certificate. I will create it in /etc/pki/tls/certs; we can generate the SSL certificate as follows:
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem
[root@server1 certs]# openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem
Generating a 1024 bit RSA private key
...................................++++++
.........++++++
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:<--DE
State or Province Name (full name) []:<--Hamburg
Locality Name (eg, city) [Default City]:<--Luneberg
Organization Name (eg, company) [Default Company Ltd]:<--ISPConfig
Organizational Unit Name (eg, section) []:<--Development
Common Name (eg, your name or your server's hostname) []:<--server1.example.com
Email Address []:<--info@example.com
[root@server1 certs]#
Replace the values after "<--" with your own; I have just given an example.
Now, for security purposes, I will make the certificate file (which also holds the private key) read-only as follows:
chmod  0440 /etc/pki/tls/certs/proftpd.pem
Finally restart the ProFTPD service as follows:
systemctl restart proftpd.service
We can connect to the ProFTPD server with the FileZilla client; you must have FileZilla installed on the client to connect to the server. Open FileZilla and give the details as follows:
Host = 192.168.0.100
Protocol = FTP
User = srijan
Port = can be left blank if you have not changed it from the default port 21
Password = ftppassword (just created above)
It will ask you to trust the certificate; press OK.
You will be connected to the FTP shared directory over a TLS connection.
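Two things commonly go wrong with the TLS and passive-mode setup above: the firewall range does not match the PassivePorts line (clients then hang on directory listings), and TLSRequired is left off, so a client that does not negotiate TLS still logs in with a plaintext password. Below is an added example, not code from the original post, that reads the relevant directives out of a proftpd.conf, derives the firewalld port spec the PassivePorts range needs, confirms that TLS is enforced, and confirms the combined certificate/key file is not world-readable (the post sets it to 0440). The config path is a parameter; the sample fragment in the demo is constructed and mirrors the post's settings.

```shell
#!/bin/sh
# Added example (not from the original post): consistency checks for the
# ProFTPD TLS and passive-mode settings. Assumes the config file path is
# passed as an argument; the demo uses a constructed sample fragment.

# conf_value FILE DIRECTIVE
# Prints the value of the first active (uncommented) occurrence of DIRECTIVE.
conf_value() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" | head -n 1 \
        | awk '{ $1=""; sub(/^ /, ""); print }'
}

# passive_port_rule FILE
# Turns "PassivePorts 6000 6100" into the firewalld spec "6000-6100/tcp".
# Returns 1 if the directive is absent (passive mode would then use random
# high ports that the firewall rule above does not cover).
passive_port_rule() {
    range=$(conf_value "$1" PassivePorts)
    [ -n "$range" ] || return 1
    printf '%s-%s/tcp\n' "$(echo "$range" | awk '{print $1}')" \
                         "$(echo "$range" | awk '{print $2}')"
}

# tls_enforced FILE
# Returns 0 only if TLSEngine and TLSRequired are both "on", i.e. the server
# refuses logins that have not switched to TLS.
tls_enforced() {
    [ "$(conf_value "$1" TLSEngine)" = "on" ] && \
    [ "$(conf_value "$1" TLSRequired)" = "on" ]
}

# cert_private FILE
# Returns 0 if FILE exists and "other" has no read bit (last octal digit 0-3).
# The post's chmod 0440 passes; a default 0644 fails.
cert_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *[0-3]) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo on a constructed sample fragment (not a real server's file).
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample proftpd.conf fragment, matching the post's settings
DefaultRoot                     ~ !adm
PassivePorts    6000    6100
  TLSEngine                     on
  TLSRequired                   on
  TLSRSACertificateFile         /etc/pki/tls/certs/proftpd.pem
EOF
    if rule=$(passive_port_rule "$cfg"); then
        echo "firewall rule needed: firewall-cmd --add-port=$rule --permanent"
    else
        echo "WARNING: no PassivePorts directive; passive mode will use random ports"
    fi
    if tls_enforced "$cfg"; then
        echo "TLS enforced: plaintext logins are refused"
    else
        echo "WARNING: TLSRequired is not on; plaintext logins are still accepted"
    fi
    cert=$(conf_value "$cfg" TLSRSACertificateFile)
    if cert_private "$cert"; then
        echo "$cert: not world-readable"
    else
        echo "WARNING: $cert is missing or world-readable"
    fi
    rm -f "$cfg"
}
demo
```

Run it against /etc/proftpd.conf after editing and compare the printed firewall rule with `firewall-cmd --list-ports`; the two should agree before you restart the service.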

4 Anonymous ftp access in ProFTPD

We can create an anonymous FTP account in ProFTPD; just add these entries to the ProFTPD configuration file:
nano /etc/proftpd.conf
And add these entries at the end of the file:
[...]
###Anonymous share#####
<Anonymous ~ftp>
  User ftp
  Group ftp

  UserAlias anonymous ftp
  DirFakeUser on ftp
  DirFakeGroup on ftp
  MaxClients 10

  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>

</Anonymous>
Now we need to restart the service:
systemctl restart proftpd.service
Now we can connect to the server as the anonymous user.
Congratulations! We have successfully configured a ProFTPD server environment on CentOS.
