Strengthen Your Tempest Server Security: Essential SSH Hardening Techniques
Ensuring the security of your server is crucial for protecting your valuable data and resources. Tempest provides excellent DDoS protection, but as a server administrator, you should also implement basic SSH security principles. In this article, we will discuss two practical options for hardening SSH on your server.
Before You Start
Upon receiving your new Tempest server details, whitelist and open port 22 in your firewall to access your server via SSH. Follow this guide to manage your firewall settings from the client area. After opening port 22, you should be able to reach your server within a few minutes.
Option 1: Whitelist Access to Port 22 (Easiest)
Whitelist access to port 22 for only your IP address, ensuring that any other requests are rejected. This method is simple and effective but requires a static IP or a VPN with an unchanging IP. If your IP changes, update your firewall rules to regain access to your server via SSH.
Option 2: Change Default Port and Enable Key-Based Authentication (Medium)
To prevent automated scans exploiting weak SSH security, change the default port from 22 to a new value (e.g., 1882) and enable key-based authentication. Follow these steps:
1. Update your server by running the appropriate commands for your Linux distribution.
2. Edit /etc/ssh/sshd_config to change the default port to your chosen value (e.g., 1882) and ensure the line is uncommented.
3. Update your firewall rules to open the new SSH port.
4. Restart SSH with the command service sshd restart.
5. Generate a strong SSH key (e.g., ed25519) on your local machine and add it to your SSH agent.
6. Copy the key to your Tempest server using the appropriate command.
7. Modify /etc/ssh/sshd_config on your Tempest server to disable password authentication for both root and non-root users.
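One way to check the result of these steps, as an added example that is not part of the original article: the script reads an sshd_config and reports whether the port has moved off 22 and password logins are disabled. The function names and sample files are constructed for illustration, and unset keywords fall back to the OpenSSH defaults (Port 22, PasswordAuthentication yes, PermitRootLogin prohibit-password).

```sh
#!/bin/sh
# Added example: audit an sshd_config for the Option 2 settings.
# Simplification: only the global section is read; Match blocks and
# Include files are not evaluated.

# Print the first global value of keyword $2 in file $1 (sshd keywords are
# case-insensitive and the first occurrence wins). Prints nothing if unset.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Return 0 if the file matches the article's Option 2, else print FAIL lines.
audit_sshd() {
    rc=0
    port=$(sshd_effective "$1" Port);                 : "${port:=22}"
    pw=$(sshd_effective "$1" PasswordAuthentication); : "${pw:=yes}"
    root=$(sshd_effective "$1" PermitRootLogin);      : "${root:=prohibit-password}"
    [ "$port" != 22 ] || { echo "FAIL Port is still 22 (line commented out?)"; rc=1; }
    [ "$pw" = no ]    || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
    case $root in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "FAIL PermitRootLogin=$root does not restrict root to keys"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK port=$port password=$pw root=$root"
    return "$rc"
}

# Constructed sample configs (not taken from any real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/weak" <<'EOF'
#Port 1882
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$demo_dir/hardened" <<'EOF'
port 1882
PermitRootLogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
EOF

audit_sshd "$demo_dir/weak" || true
audit_sshd "$demo_dir/hardened"
```

On the server itself, sshd -t validates the file before a restart and sshd -T prints the configuration sshd will actually use, including Include files; keep your current session open until a new key-based login succeeds.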
Pros: This method prevents scanners from exploiting weak passwords by changing the port number and disabling password authentication.
Cons: Losing your key(s) means losing access to your server. Back up your private keys securely; they are typically found in ~/.ssh/ on your local system.
Implementing basic SSH security principles is vital for safeguarding your Tempest server. Choose the option that best suits your needs and comfort level with Linux servers. Remember, maintaining server security is an ongoing process that requires vigilance and attention.