Before you start
This article has the following dependencies:
- Please be cautious when configuring your firewall in Plesk. Improper rules could prevent you or your site visitors from being able to access your server.
- The IP address 10.1.1.2 is used as an example in this article. To find your own IP address use a service such as http://whatismyip.com or http://ipchicken.com or check your router's info page.
READ ME FIRST
The publishing of this information does not imply support of this article. This article is provided solely as a courtesy to our customers. Please take a moment to review the Statement of Support.
If you're having trouble with the steps in this article, additional assistance is available via Advanced Support, our premium services division. For more information on what Advanced Support can do for you, please click here.
Securing SSH
By default, SSH listens on port 22. If you look at your logs, you will probably see a large number of bad login attempts on that port, almost all of them from automated scanners. Moving SSH to another port is a cheap way to cut that noise. It does not stop a determined attacker, so treat it as a supplement to key-based authentication and the root-login restriction in the tip below, not a replacement for them. To change the port, log in as root and open the sshd configuration:
vi /etc/ssh/sshd_config
Find the line that says:
Port 22
Change this line to an unused port number above 1024 (check that nothing else already listens on it). This keeps SSH off the short list of well-known ports that quick scans hit, but it does not hide the service: nmap's default scan already probes the 1,000 most common ports, and a full-range scan (nmap -p-) will find sshd wherever it sits. Before you restart sshd, make sure your firewall allows the new port, and keep your current session open until you have confirmed from a second terminal that the new port works. In this example, we'll use port number: 3456.
Next, we want to use only the SSH 2 protocol; SSH 1 has known cryptographic weaknesses and should never be enabled. On the line underneath the port number, set the protocol to 2. (Recent OpenSSH releases, 7.4 and newer, no longer support protocol 1 at all and ignore this directive, so it is harmless there.)
Protocol 2
Save the sshd_config file, check that it still parses (sshd -t prints nothing on success), and then restart sshd. On systemd-based systems such as CentOS 7 and later the equivalent is systemctl restart sshd:
service sshd restart
Now when you login via ssh, you will need to specify the custom port. In the example below, the custom port has been set to 3456.
ssh -p 3456 user@10.1.1.2
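The edit above done by hand in vi is easy to get wrong (a commented-out `#Port 22` left in place, a typo that stops sshd from starting). The following shell script is an added example, not part of the original article, that applies the same two settings idempotently and refuses to restart sshd if the result does not parse. It assumes the CentOS-style paths used in this article and port 3456; the semanage call is an assumption that only matters on SELinux-enforcing hosts, where sshd may not bind an unlabelled port.

```shell
#!/bin/sh
# Added example: set sshd_config directives safely, then restart sshd.
# Usage: sh harden_ssh.sh --apply   (as root; without --apply nothing is changed)
set -e

ssh_port=3456   # the custom port chosen in the article (assumption: still unused)

# Replace an existing directive (active or commented out) with "KEY VALUE",
# or append it when absent. Caveat: an appended line lands at the end of the
# file, which would be inside a Match block if your config has one.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        tolower($0) ~ ("^[[:space:]]*#?[[:space:]]*" tolower(k) "[[:space:]]") {
            if (!done) { print k " " v; done = 1 }   # keep only one copy
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # cat, not mv: keeps the original owner and mode
    rm -f "$tmp"
}

apply_ssh_hardening() {
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"   # keep a rollback copy
    set_sshd_option "$cfg" Port "$ssh_port"
    set_sshd_option "$cfg" Protocol 2
    # Do not restart on a config sshd itself rejects; set -e aborts here on error.
    /usr/sbin/sshd -t
    # SELinux (CentOS/RHEL, enforcing): sshd may only bind ports typed ssh_port_t.
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$ssh_port" 2>/dev/null \
            || semanage port -m -t ssh_port_t -p tcp "$ssh_port"
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart sshd
    else
        service sshd restart
    fi
    echo "sshd now listens on port $ssh_port; test with: ssh -p $ssh_port user@host"
}

if [ "${1:-}" = "--apply" ]; then
    apply_ssh_hardening
fi
```

Run it from one session and verify the new port from a second one before you close the first; the timestamped backup lets you restore the old file from the console if something goes wrong.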
TIP:
For additional security, you should disable direct root access to your server following this article: Disabling SSH login for root user.
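The section opens by pointing at the bad login attempts in your logs. Here is an added shell function, not from the original article, that tallies failed SSH password attempts per source address from OpenSSH's log so you can see which hosts are hammering the port before and after the move. It assumes the standard OpenSSH log format (/var/log/secure on CentOS/RHEL, /var/log/auth.log on Debian/Ubuntu); the log lines embedded below are constructed samples, not from a real server.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# Prints "count address", most active source first.
failed_ssh_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # The address is the field after "from". "Failed password for
            # invalid user X from ..." shifts the columns, so search for the
            # keyword instead of relying on a fixed field number.
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
         }
         END { for (ip in hits) print hits[ip], ip }' "$1" | sort -rn
}

# Constructed sample log (not real traffic) so this runs without root.
# Real use:  failed_ssh_logins_by_ip /var/log/secure | head
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mar  3 10:01:02 web sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 web sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 web sshd[1203]: Accepted publickey for deploy from 10.1.1.2 port 60001 ssh2
Mar  3 10:02:11 web sshd[1207]: Failed password for root from 198.51.100.9 port 40022 ssh2
Mar  3 10:02:15 web sshd[1207]: Failed password for root from 203.0.113.5 port 51250 ssh2
EOF
failed_ssh_logins_by_ip "$sample_log"
rm -f "$sample_log"
```

Any address that shows up with dozens of failures and is not one of yours is a candidate for a Deny rule in the Plesk firewall; note that the successful publickey login from 10.1.1.2 is correctly not counted.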
Use the built-in Plesk firewall
Although you could edit the firewall from the command line, it is much easier to use Plesk's Firewall module. Navigate to Tools & Settings > Security > Firewall. If you have a static IP address, you can create rules so that the server only accepts SSH connections from your home and/or office address (with a dynamic address you will lock yourself out the next time it changes, so use the deny-all rule only if the address really is static). For the example above (custom SSH port 3456), the rule that allows access only from 10.1.1.2 is:
Allow incoming from 10.1.1.2 on port 3456/tcp
Deny incoming from all others
Apply the rule while your current SSH session is still open and confirm from a second terminal that you can connect; if you do get locked out, your only way back in is the console your hosting provider offers.
Use only SFTP (Secure FTP)
SFTP (the SSH File Transfer Protocol) runs over SSH, so both the credentials and the file contents are encrypted; plain FTP sends both in clear text. It is a different thing from FTPS (FTP over TLS), which Plesk also offers. Shell access must be enabled per FTP user: in the subscription's setup page, select /bin/bash (chrooted) under Shell access to server with FTP user's credentials. That user can now log in over SFTP and is confined to the subscription's own directory; the unchrooted /bin/bash option would give them a normal shell on the whole server, which is rarely what you want for a web-space user. Remember to set the custom port in your SFTP client if you changed it as discussed above; the command-line sftp client takes the port with a capital -P, unlike ssh's lower-case -p. If you are sure nobody needs to log in over standard FTP, you can also block that port via the Firewall module in Plesk, in the same way as the SSH rule above.
The following rules would apply:
Deny incoming from all on ports 21/tcp, 21/udp
You can further secure your FTP server if you have a static IP by allowing access only from your IP. If your static IP is 10.1.1.2, your rules would be:
Allow incoming from 10.1.1.2
Deny incoming from all others
Disable ping requests
By default, your server answers ICMP echo requests (pings) from anyone, which makes it easy to pick out in a sweep. Blocking ping does not make a web server invisible, since its open HTTP ports still answer, but it removes one cheap reconnaissance signal and the noise that comes with it. Plesk's Ping Service rule covers echo requests only, so path MTU discovery and other ICMP traffic keep working. If your static IP is 10.1.1.2, change the rules under Ping Service in Plesk's default Firewall rules:
Allow incoming from 10.1.1.2
Deny incoming from all others
These are just a few steps that will tighten the security of your server.