Disable direct root login

While logging into a server directly as root is certainly easy, it is not the best choice from a security standpoint. Disabling direct root logins does not instantly make a server impervious, but it does help against petty brute-force script kiddies. There are two options when disabling direct root login: disable it completely, or allow it only with an SSH key. Make SURE that you first add another user you can SSH in as. If you are using cPanel, use WHM --> Manage wheel users and add your user. Once logged in, run "su -" to gain full root access and do your normal administrative commands. Make sure you use su - and not simply su: without the - you will not get root's environment (including its PATH) and will not have access to all commands.



First open up the ssh config:

nano /etc/ssh/sshd_config

Find the PermitRootLogin directive.

You will want to set it to either PermitRootLogin no (root login disabled entirely) or PermitRootLogin without-password (root login allowed only with a key). Once done, save the file and restart sshd:



service sshd restart



That's it!
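Added example, not part of the original article: a POSIX shell audit of the PermitRootLogin setting described above, run against constructed sshd_config and group files rather than a live server (paths are arguments). It mirrors two sshd rules the text does not spell out, that the first matching directive wins and that global options end at the first Match block, and it assumes prohibit-password (the OpenSSH 7.0+ default, the newer name for without-password) when no directive is present.

```shell
#!/bin/sh
# Added example (not from the original article): audit the PermitRootLogin
# setting before you lock root out. sshd honours the FIRST matching directive
# and the global section ends at the first "Match" block, so a "PermitRootLogin
# no" appended after an earlier "yes" changes nothing; this check mirrors that.

# Print the effective global PermitRootLogin value of the file in $1.
# If no directive is found, "prohibit-password" (OpenSSH 7.0+ default) is assumed.
effective_permit_root_login() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)            # drop comments
        gsub(/=/, " ", line)            # accept "Key=value" as well as "Key value"
        sub(/^[ \t]+/, "", line)
        if (line == "") next
        split(line, f, /[ \t]+/)
        key = tolower(f[1])
        if (key == "match") exit        # global options end here
        if (key == "permitrootlogin") { print tolower(f[2]); found = 1; exit }
    }
    END { if (!found) print "prohibit-password" }' "$1"
}

# 0 if direct root password logins are disabled, 1 otherwise.
root_login_hardened() {
    case "$(effective_permit_root_login "$1")" in
        no|prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the wheel group in an /etc/group-style file ($1) has at least one
# member, i.e. there is a non-root account to log in as and then "su -".
wheel_has_member() {
    [ -n "$(awk -F: '$1 == "wheel" { print $4 }' "$1")" ]
}

# Demo on constructed configs (not a real server's files).
demo() {
    tmp=$(mktemp)
    printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$tmp"
    echo "first match wins: $(effective_permit_root_login "$tmp")"   # yes
    printf 'PermitRootLogin without-password\nMatch User bob\n  PermitRootLogin yes\n' > "$tmp"
    echo "global value: $(effective_permit_root_login "$tmp")"       # without-password
    rm -f "$tmp"
}
```

Run the audit on the real files with `root_login_hardened /etc/ssh/sshd_config && wheel_has_member /etc/group` before restarting sshd; if either check fails you are about to lock yourself out.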


Port Knocking

Another way I found to secure sshd is with port knocking.
On a Debian box I had to make a few modifications to an existing rc.firewall.

Firewalls generally have -A, for example... So I used -I to make sure my knock rules are INSERTED at the TOP of the rules chain tables thingy.. o)

Since all firewalls are different, you're going to really need to figure out the logic on your personal one.

Since we are trying to lock down port 22 (or whatever number you changed yours to), to at least give an example ANYWAY.... I used this exact firewall:
http://www.ledow.org.uk/linux/2.0final/

And got it running and made sure it starts and stops okay. (Go slow eh, take your time, relax, we are not in a hurry)

On my EXAMPLE server I had only an ircd (port 6667), a webserver (port 80) and sshd (port 22) running. And they run behind the nice IPCop (http://ipcop.org). Anyway, so for this I

PERMIT="80/tcp 6667/tcp"

Note that I specifically don't open port 22!

Down in this rc.firewall we SEE..
# Flush all iptables rules and delete all user-defined chains including nat and mangle tables if they exist.

iptables -t filter -F
iptables -t filter -X
# The next line is what I added to get port knocking going.
# ipbansync (long story, this is a special script I use for banning bogons and spiders but I won't get into it here except to say that this is *ITS* entry point. It's commented out for you all.)
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -j DROP
# iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6667 -j DROP (say you want to port knock for IRC also... Commented out for this story.)

Oh yeah -- crap, you need knockd ;o)
apt-get install knockd

boom that's done..
Poof we edit our...

/etc/knock.conf
[options]
logfile = /var/log/knockd.log

[openSSH]
sequence = 8888,9999,4444
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 4444,9999,8888
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

Poof, for say a Windows box you can make some nice batch files.. Put them and knock.exe in your path, eh...

(Get all these cool files and stuff from
http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki)

Anyway, here's a pair of batch files to open/close port 22:

C:\%YOURPATH%\o22.bat
knock 192.168.10.40 8888 9999 4444
exit

C:\%YOURPATH%\c22.bat
knock 192.168.10.40 4444 9999 8888
exit

Remember to restart knockd after you edit your /etc/knockd.conf

Hope you all got all that. I love this setup personally. Sure, you can lock down sshd all you want, but actually having the whole port gone rocks the best.

notes:
Now maybe one day I can learn SPA (Single Packet Auth) but not today.

The ipbansync / ipbanunsync thing basically is a hack from early ipcop projects that I modified to allow automated things to ban stuff, and to do a CIDR bogon list and other good stuff; it basically takes the place of your FINE apf firewall and bfd from the excellent rfx-networks author... In whatever it is that I hacked up (I am specifically not tellin ya, I know... it's because I always get into an argument about why I only need mod_security and not a ban list. Let's just say I don't care what those "experts" say sometimes. (cough)), I always use -I (instead of -A) to insert the rules at the top of the list chain table thingys. So if you find a cool script that you hack up that can monitor logs and grep out bad guys and feed it to your >> banlist, then ipbansync synchronizes this list. (Also with this method it keeps the rule logic out of your port knocking hair, and it also allows you to spew files all over your filesystem to places where crackers ain't gonna look. NO need to make it easy..)

I highly suggest mod_security2 as that is really cool and catches tons of stuff. But it can be a pain in the rear to get working and then get the rules debugged. (For example I couldn't even load my own webserver at first!! heh heh)

I am a heavy Drupal advocate. All these things I am talking about work fine with Drupal (although like I said you'll need to debug your mod_security2).
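Added example, not part of the comment above or of knockd itself: a POSIX shell lint for a knockd.conf like the one shown, meant to be run before restarting knockd. It checks the -I versus -A point the commenter makes (an [openSSH] command that appends with -A lands below the "--dport 22 -j DROP" rule in rc.firewall and is never reached) plus a few other mistakes that make a knock silently fail or open the port to everyone; the sample config is constructed from the one in the comment.

```shell
#!/bin/sh
# Added example, not part of the comment above: lint a knockd.conf such as the one
# shown before restarting knockd. The -I versus -A point made above matters here:
# the [openSSH] command must INSERT (-I) its ACCEPT rule so it lands above the
# "--dport 22 -j DROP" line in rc.firewall; an appended (-A) ACCEPT sits below
# the DROP and is never reached, so the knock silently does nothing.

# Print the value of key $2 in section [$1] of the knockd.conf at $3.
knockd_get() {
    awk -v want="[$1]" -v key="$2" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*\[/ { insec = (trim($0) == want); next }
        insec && index($0, "=") {
            i = index($0, "=")
            if (trim(substr($0, 1, i - 1)) == key) { print trim(substr($0, i + 1)); exit }
        }' "$3"
}

# Run the checks on $1; print every failure, return 0 only if all pass.
knockd_conf_check() {
    conf=$1; rc=0
    open=$(knockd_get openSSH sequence "$conf")
    close=$(knockd_get closeSSH sequence "$conf")
    opencmd=$(knockd_get openSSH command "$conf")
    closecmd=$(knockd_get closeSSH command "$conf")
    [ -n "$open" ] || { echo "FAIL: [openSSH] has no sequence"; rc=1; }
    [ "$open" != "$close" ] || { echo "FAIL: open and close sequences are identical"; rc=1; }
    case "$opencmd" in
        *" -I INPUT "*) ;;
        *) echo "FAIL: open command must use -I INPUT so the ACCEPT lands above the DROP"; rc=1 ;;
    esac
    case "$opencmd" in
        *%IP%*) ;;
        *) echo "FAIL: open command lacks %IP%, it would open port 22 to everyone"; rc=1 ;;
    esac
    case "$closecmd" in
        *" -D INPUT "*) ;;
        *) echo "FAIL: close command should -D the same rule the open command inserted"; rc=1 ;;
    esac
    for sec in openSSH closeSSH; do
        [ -n "$(knockd_get "$sec" seq_timeout "$conf")" ] || { echo "FAIL: [$sec] has no seq_timeout"; rc=1; }
    done
    return $rc
}
```

Run it as `knockd_conf_check /etc/knockd.conf` (the path knockd reads by default) and fix every FAIL line before the restart; a config that passes still needs a second SSH session open while you test the knock from another host.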
