use at your own risk! don't blame me, if you do s.th. wrong
(or if i had forgotten s.th. or have typos)
i'm going to explain this further. and i'm doing it for debian (if you have centOS - it should nearly be the same)
Change SSH-Port
- connect via SSH to your system the way you are used to
- open your sshd config with an editor of your choice. e.g.
Code:
nano /etc/ssh/sshd_config
- Search "Port 22" (should be at the top)
- Change the Number to any port that's free and you are willing to use. E.g. 224 or 228 or s.th. else
- Verify that you don't have any firewall in place, which will lock you out (i don't know if you have s.th. like this, so no code)
- Restart ssh service: service ssh restart
- don't close your terminal. Open a new one and try to connect via ssh and your newly defined code.
- If this login worked, you can close the first session.
Restrict Access to one (or many) ips:
so, there are now multiple possibilities.
- Using sshd_config
- editing /etc/ssh/ssd_config
Code:
nano /etc/ssh/sshd_config
go to the end of the file
add the following to allow the user jim to connect from the ips 11.22.33.56 and 141.212.133.36
Code:
AllowUsers jim@11.22.33.56 jim@141.212.133.36
(Wildcards are supported
- restart ssh-service (look obove)
- using IPtables (should work on all *nix-Systems):
- adding the allow-rule:
Code:
iptables -I INPUT -p tcp -s <your ip> --dport <portNr> -j ACCEPT
This will allow access via protocoll tcp and source <your ip> on port <portNr>
replace <your ip> with the ip you want to allow (also remove the <>)
replace <portNr> with the Port you have specified above (also remove the <>)
- now drop all other requests on the port
Code:
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport <portNr> -j DROP
This will drop all requests coming from all IPs around the world on PortNr.
denying root-ssh-login
that's s.th. you really should do.
don't allow directly root-access to your system via ssh.
- Generate a user, if you don't have one already one
- Check if you can login with the new username, by opening a new ssh session
- Go to sshd_config
look out for "PermitRootLogin yes"
change this to
- now restart your ssh service
- to now gain access to your root-account, if needed, type
Debian will now ask you for the root-pw
- if you are using s.th. like deiban or sudolikeaboss use your command with sudo or type
Installing a gateway
Just go to a site who offer budget-VPS-Systems (the virtualisation doesn't matter)
look here:
VPS or here
Low End Box - Cheap VPS Hosting Providers Listing & Reviews
as for the gateway you absolutly don't need any hardware-requirements or traffic. So a very cheap package is enough. E.g. around 10-30$ a year. you only have to check, if you have a dedicated IP (though can be optional, but natted-access sure is some strange things to do)just take a look around around and read reviews.
Then let them install a default OS - (in my case debian)
now you can change the Port of your ssh-service, if you want (as above)
if you are now connected to your gateway open the ssh-connection to your server typing
Code:
ssh -P<PortNr> username@ipOrDomain
Make sure to allow access via your gatway-ip to your system. (prepare a backup solution, if the IP of your gateway will change - normally no problem with KVM / VNC access to the system)
Using a VPN
just in short, since i don't have anymore time now:
install openvpn - allow openvpn-connections.
Connect via openvpn & check connection.
only allow ssh-connections via the new setup network-range (you have to specify while installing openvpn)
edit
what i totally have forgotten:
there are always tools like fail2ban - but i think cpanel could have already added this to your system.
Moreover you can enable passwor-less login, but when you loose your keys, you can't access anymore - if your provider don't provide you with s.th. like VNC or KVM (since this would then be a local access, you can do it as you are used, since we haven't touched ssh_config)
(all the above should work with cpanel, but since i don't use s.th. like this, i don't really know
use at your own risk)
