Slicehost and Securing SSH

SliceHost and Affordable Linux Hosting

I’m trying out a new provider, SliceHost, for the upcoming Portland Open Coffee Club and Portland Open Beer Club web sites. SliceHost provides fast & affordable Linux VPSes with a variety of distros to choose from.

The one downside (for me at least) is that the distros come with nothing installed. Well, I shouldn’t say nothing (since SSH is on there), but no database, no web server, no ftp, no PHP, no mail. I was surprised when I first uncovered this, since I ordered an Ubuntu 8.04 server VPS & figured it would have a normal LAMP stack installed. But no, it’s a minimal Linux install. That’s so if you have specific needs, you can install exactly what you want & avoid installing anything you don’t. But if you’re more of a programmer than a sysadmin … well, you may want to check out RimuHosting for a VPS. Great support, nice VPSes, good upgrade path, & the boxes are ready for your PHP code.

Or if you want a bit more hand-holding, you can go with GoDaddy or Dreamhost. GoDaddy’s support is meh, but they’re easy to get started with and are fine for a small site. Dreamhost has better support, but recently I had a really bad performance experience with them & canceled my account.

So anyhow, this wasn’t supposed to all be about affordable Linux hosting providers — I was also going to mention securing SSH. 

Securing SSH

I’ve been following PickledOnion’s great Ubuntu setup guide, and it mentioned securing SSH by moving it to a different port (other than port 22). You can basically edit /etc/ssh/sshd_config, change the port number at the top, and then restart ssh with /etc/init.d/ssh restart.

Note: once you change the port, don’t log out of SSH right away! Instead, open a new SSH window & try connecting to your box on the new port. If it doesn’t work, you can go back to your previous still-open SSH window & troubleshoot.

Another option in /etc/ssh/sshd_config is to disallow root access, which is definitely a good idea. Although, if you end up SUDOing users so they have access to everything, then it doesn’t protect as much as you think, since someone who can log in as you could do almost as much damage as root, including editing /etc/ssh/sshd_config to switch the ports to something different and allow root back in.

An additional way to secure SSH is to edit your firewall to block most IPs from accessing SSH, and block any unneeded ports. I’ll refer you to the setup guide again … scroll down & you’ll see the section on iptables.

BTW, experienced Linux admins probably already know the above tips (plus more!), but I figured there’s a lot of people getting into Linux admin work these days, so some basic admin knowledge doesn’t hurt.

0

Written by DevelopmentNow -- May 9, 2008