You can think of SSH as the front door of your server. If it is not set up properly, anyone can walk in. I see newcomers and even experienced admins get burned by SSH all the time. It is very useful, but if left unsecured it is dangerous.
Ever wondered why servers get hacked even with a firewall and antivirus in place? Most of the time it is not a sophisticated attack; it is someone who did not set up SSH correctly.
Common SSH Mistakes
Below are the mistakes I see most often:
• Using default or weak passwords - yes, people still do this.
• Allowing root login over SSH - once an attacker guesses the password, they have full control immediately.
• Not using key-based login - passwords can be brute-forced; a private key is far too long to guess.
• Exposing SSH to the whole internet - bots will hammer it around the clock.
I once saw a client's server compromised within a few hours because of a weak password on an SSH service that was open to the internet. It took me a while to clean up and restore the image.
Why Hackers Target SSH
Weak SSH is an attractive target because it is cheap to attack and the payoff is a shell on the box. Attackers rely on:
• Brute-force attacks, trying many password guesses in a row.
• Credential stuffing, reusing passwords leaked from other sites.
• Direct root login, which hands them the whole server the moment one guess lands.
Why would an attacker spend effort on a hardened server when there are so many easy targets out there? They wouldn't, and a misconfigured SSH service is exactly what turns a server into one of those easy targets.
How to Make SSH Secure
This is easy to fix. Here is what I do on every server:
1. Disable root login (PermitRootLogin no). Create a separate admin account for access and use sudo for privileged work.
2. Use key-based login and turn password authentication off (PasswordAuthentication no); a key is far safer than any username and password combination.
3. Change the default port. This is not a security control on its own, since a targeted attacker will find the new port with a scan, but it cuts the noise from bots that only probe port 22.
4. Restrict access to known IP addresses with firewall rules or AllowUsers, and block everything else.
5. Run fail2ban or a similar service, which automatically bans an address after repeated failed login attempts.
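The five steps above are all sshd_config and fail2ban settings, so here they are as a small POSIX shell script. It is an added example, not code from the original post: it audits a config file for the mistakes listed earlier (honouring sshd's rule that the first occurrence of a keyword wins), prints a hardened drop-in, and prints a fail2ban jail whose port matches the new one. The account name "admin", port 2222, the network 203.0.113.0/24 and the OpenSSH defaults assumed in the comments are placeholders and assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# mistakes listed above, then print a hardened drop-in and a matching fail2ban
# jail. Assumed OpenSSH defaults: PermitRootLogin=prohibit-password,
# PasswordAuthentication=yes, PubkeyAuthentication=yes, Port=22.
# "admin", 2222 and 203.0.113.0/24 are placeholders.

# Effective value of a keyword. sshd honours the FIRST non-comment occurrence,
# and settings after a Match block are conditional, so reading stops there.
sshd_setting() {
    file=$1
    key=$2
    default=$3
    val=$(awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# One finding per line; no output means nothing was flagged.
audit_sshd_config() {
    f=$1
    [ "$(sshd_setting "$f" PermitRootLogin prohibit-password)" = yes ] &&
        echo "PermitRootLogin yes: root can log in directly; set it to no"
    [ "$(sshd_setting "$f" PasswordAuthentication yes)" = yes ] &&
        echo "PasswordAuthentication yes: passwords can be brute-forced; set it to no and use keys"
    [ "$(sshd_setting "$f" PubkeyAuthentication yes)" = no ] &&
        echo "PubkeyAuthentication no: key-based login is switched off"
    [ "$(sshd_setting "$f" Port 22)" = 22 ] &&
        echo "Port 22: default port, expect constant scanner noise (a nuisance fix, not a security control)"
    [ -z "$(sshd_setting "$f" AllowUsers '')$(sshd_setting "$f" AllowGroups '')" ] &&
        echo "No AllowUsers/AllowGroups: every local account is a valid login target"
    return 0
}

# Number of findings, handy as a CI gate (0 means clean).
audit_count() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Hardened drop-in. Most current distributions include
# /etc/ssh/sshd_config.d/*.conf near the top of sshd_config; on older
# versions paste these lines at the TOP of sshd_config so they win.
hardened_config() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Port 2222
AllowUsers admin@203.0.113.0/24
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# fail2ban jail.local fragment. The port MUST match the sshd port above:
# the ban action blocks only the listed port, so a jail left at 22 would
# let an attacker keep hammering 2222 after being "banned".
fail2ban_jail() {
    cat <<'EOF'
[sshd]
enabled  = true
port     = 2222
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# Demo on a constructed config (not a real server) that makes every mistake.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample config' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' 'Port 22' > "$tmp"
    echo "Findings for the sample config:"
    audit_sshd_config "$tmp"
    echo
    echo "Hardened drop-in (flags $(hardened_config > "$tmp"; audit_count "$tmp") issues):"
    hardened_config
    echo
    echo "Matching fail2ban jail:"
    fail2ban_jail
    rm -f "$tmp"
}

demo
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`, and after writing the drop-in validate the whole configuration with `sshd -t` before restarting, ideally from a second session that stays logged in so a typo cannot lock you out. The IP restriction in AllowUsers should be mirrored in the host firewall, since a firewall rule drops the connection before sshd ever spends cycles on it.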
These adjustments make a big difference. I did this on a vendor's server, and the break-in attempts stopped entirely.
Conclusion
SSH misconfiguration is one of the most common reasons servers get hacked, because SSH is easy to attack and tends to get overlooked, yet a few simple fixes give your server much-needed protection. Next time you set up a server, ask yourself: is your front door wide open, or locked tight?