By default the Debian installer asks you to set a strong root password. A password alone can still be guessed by brute force over the network. Here are some hints to secure your remote login.
Your root password does not become obsolete by following these hints. You will still need it for local recovery logins (on the console or in rescue mode).
1. Use an SSH key
To create a new key, run the following command. Be careful not to overwrite an existing key when entering the filename. The passphrase can be left empty if you want to log in without any interaction, but then anyone who obtains the private key file can use it as you; a passphrase combined with ssh-agent gives the same convenience for the duration of a session.
user@local:~$ ssh-keygen
Without any command line option an RSA key is generated (2048 bits on older OpenSSH releases, 3072 bits on current ones); passing -t ed25519 gives a smaller and faster key and is the better choice today. The key is stored in the directory ~/.ssh, which is only accessible by yourself (0700). Keep the private key secret, while the public part may be read by others. The private part is by default id_rsa (0600) and the public part id_rsa.pub (0644).
Finally the public key is transferred to your remote system. This time your root password will be asked for, because the server does not know the key yet.
user@local:~$ ssh-copy-id root@remote
From now on, every login to your remote system first offers your public keys to the server; if one of them is listed in the server's ~/.ssh/authorized_keys, the server challenges your client to prove it holds the matching private key and you are logged in without a password. If no key matches, sshd still falls back to password authentication at this point.
2. Disable root login
If the remote system is reachable from the whole Internet by SSH, you will find many password guessing attempts every second in /var/log/auth.log (or, on systems without rsyslog such as a default Debian 12 installation, in journalctl -u ssh).
First create a new user, which will be used without a password but with a key. Replace USER with your user name.
root@remote:~# adduser --ingroup users --disabled-password USER
Next the SSH directory is created. authorized_keys will contain the public key, which can be filled in manually or copied from the root login. sshd ignores the file (StrictModes, the default) if it or the home directory is writable by others, so the directory should end up as 0700 and authorized_keys as 0600, owned by the new user.
root@remote:~# mkdir /home/USER/.ssh
root@remote:~# cp /root/.ssh/authorized_keys /home/USER/.ssh/
root@remote:~# chown -R USER:users /home/USER/
Keep the terminal with root privileges open (a restart of sshd does not close existing connections) and test every following step in a new, additional connection to the remote server. This way you will not lock yourself out.
Next, root login is disabled by editing /etc/ssh/sshd_config and changing the “yes” (or “prohibit-password”, the default on current Debian) in the following line to “no”. Note that sshd uses the first value it finds for a keyword, so make sure no earlier PermitRootLogin line, and no drop-in file under /etc/ssh/sshd_config.d/ (which is included near the top of the file on Debian 11 and later), sets it differently.
PermitRootLogin no
Finally the SSH service is restarted. Check the syntax first with sshd -t; a broken configuration would leave you without a working sshd.
root@remote:~# service ssh restart
Now logging in as root is impossible, but USER can log in. Verify both from a second terminal before closing the root session.
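The steps of sections 1 and 2 as one script, an added example that is not part of the original post. It installs the key for the new user with the permissions sshd expects, disables root login through a drop-in file that sshd reads before the rest of sshd_config, and checks the effective value before restarting, because sshd keeps the first value it sees for a keyword and a "PermitRootLogin no" appended below an earlier "yes" is silently ignored. Assumptions: Debian 11 or later (sshd_config contains "Include /etc/ssh/sshd_config.d/*.conf"), the user name USER and the drop-in file name are placeholders, and the Include/first-match resolver handles the plain "Keyword value" syntax only.

```shell
#!/bin/sh
# Added example (not from the original post). Apply with: apply_as_root USER
# from an SSH session that stays open until the new login has been verified.

# install_authorized_key HOMEDIR KEYFILE
# Creates HOMEDIR/.ssh (0700) and authorized_keys (0600) and appends every key
# from KEYFILE that is not already present, so re-running never duplicates keys.
install_authorized_key() {
    _dir=$1/.ssh _auth=$1/.ssh/authorized_keys
    mkdir -p "$_dir" && chmod 700 "$_dir"
    touch "$_auth" && chmod 600 "$_auth"
    while IFS= read -r _key || [ -n "$_key" ]; do
        case $_key in ''|'#'*) continue ;; esac
        grep -qxF -- "$_key" "$_auth" || printf '%s\n' "$_key" >> "$_auth"
    done < "$2"
}

# write_permit_root_login_dropin FILE
# Drop-ins are globbed in name order, so a low number is read first and wins.
write_permit_root_login_dropin() {
    mkdir -p "$(dirname "$1")"
    printf 'PermitRootLogin no\n' > "$1"
    chmod 644 "$1"
}

# effective_sshd_value CONFIG KEYWORD
# Prints the value sshd would apply for KEYWORD: Include lines are followed in
# place and the FIRST occurrence wins. Simplification: a Match line ends the
# unconditional part of the file being scanned. Returns 1 if the keyword is
# never set (then sshd's built-in default applies).
effective_sshd_value() {
    _cfg=$1 _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r _line || [ -n "$_line" ]; do
        set -f; set -- $_line; set +f          # split into words, no glob expansion
        [ $# -gt 0 ] || continue
        case $1 in '#'*) continue ;; esac      # comment line
        _kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case $_kw in
            match) return 1 ;;
            include)
                shift
                for _pat in "$@"; do
                    for _file in $_pat; do     # glob expands here, sorted by name
                        [ -f "$_file" ] || continue
                        if _val=$(effective_sshd_value "$_file" "$_key"); then
                            printf '%s\n' "$_val"; return 0
                        fi
                    done
                done ;;
            "$_key") printf '%s\n' "$2"; return 0 ;;
        esac
    done < "$_cfg"
    return 1
}

# apply_as_root NEW_USER  (needs root; not run by the checks below)
apply_as_root() {
    adduser --ingroup users --disabled-password --gecos '' "$1"
    install_authorized_key "/home/$1" /root/.ssh/authorized_keys
    chown -R "$1:users" "/home/$1/.ssh"
    write_permit_root_login_dropin /etc/ssh/sshd_config.d/10-no-root-login.conf
    /usr/sbin/sshd -t || return 1              # syntax check before touching the service
    [ "$(effective_sshd_value /etc/ssh/sshd_config PermitRootLogin)" = no ] || {
        echo "PermitRootLogin is not 'no' in the effective config; an earlier setting wins" >&2
        return 1
    }
    systemctl restart ssh
    echo "Now verify from a second terminal: ssh $1@remote must work, ssh root@remote must be refused"
}
```

The resolver only exists so the check can run without sshd; on the server itself `sshd -T | grep -i permitrootlogin` prints the value sshd computes and is the authoritative answer. On Debian 10 or older there is no Include line, so change the PermitRootLogin line in /etc/ssh/sshd_config itself instead of writing a drop-in.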
3. Work with sudo
Working with sudo is a convenient way to grant root privileges to users on a group or per-command basis.
root@remote:~# apt install sudo
By default all members of the sudo group may run any command through sudo, so add the new user to the sudo group.
root@remote:~# adduser USER sudo
But sudo still asks for the user's password, and this user was created without one (--disabled-password), so sudo cannot be used yet. Either set a password with passwd, or remove the password requirement by editing the sudoers configuration with visudo, which checks the syntax before saving:
root@remote:~# export EDITOR=vim
root@remote:~# visudo
and change the sudo group line so that no password is required when a member of the group requests sudo:
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
Be aware that this applies to every member of the sudo group, and that whoever obtains the user's private key then has root without any further password. If you want this for a single user only, put a rule for USER alone into a file under /etc/sudoers.d/ instead of changing the group line.
4. Using fail2ban
Install fail2ban, which detects brute force attempts against SSH in the logs and blocks the source IP addresses with firewall rules (iptables or nftables, depending on the configured banaction).
USER@remote:~$ sudo apt install fail2ban
Create a fully commented copy of the configuration as jail.local and uncomment only the parts you change; jail.conf itself may be overwritten by package updates. On Debian the sshd jail is already enabled by the packaged /etc/fail2ban/jail.d/defaults-debian.conf.
USER@remote:~$ sudo awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local
Add your own address to ignoreip so that a mistyped passphrase does not ban you. On a Debian 12 system without rsyslog there is no /var/log/auth.log, so the sshd jail needs backend = systemd. Do not forget to restart fail2ban after your changes (sudo systemctl restart fail2ban) and check the jail with sudo fail2ban-client status sshd.
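To see what fail2ban will act on before enabling a jail, the failed logins can be counted per source address with the same log lines fail2ban's sshd filter looks at. The following is an added example, not part of the original post or of fail2ban: it reads auth.log (or the output of journalctl -u ssh on systems without rsyslog), counts "Failed password" and "Invalid user" lines per IP, and lists the addresses that reached the maxretry threshold. The log lines in write_sample_auth_log are constructed samples in rsyslog's format with documentation IP ranges, not real traffic; the count ignores fail2ban's findtime window.

```shell
#!/bin/sh
# Added example (not from the original post or from fail2ban).

# failed_ssh_attempts_by_ip [LOGFILE]   (default: standard input)
# Prints "count ip", most active first. Counted are sshd's "Failed password
# for ..." and "Invalid user ..." lines; the address is the word after "from".
# "Connection closed ..." and "Accepted ..." lines are not counted.
failed_ssh_attempts_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' "${1:-/dev/stdin}" | sort -rn -k1,1
}

# ips_over_threshold MAXRETRY [LOGFILE]
# Addresses with at least MAXRETRY failures; fail2ban bans at maxretry (default 5).
ips_over_threshold() {
    failed_ssh_attempts_by_ip "${2:-/dev/stdin}" | awk -v max="$1" '$1 >= max { print $2 }'
}

# write_sample_auth_log FILE
# Constructed sample lines (not real traffic): 203.0.113.5 fails five times,
# 198.51.100.7 once, and 192.0.2.10 logs in successfully with a key.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:02 remote sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:04 remote sshd[1236]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:15:05 remote sshd[1238]: Invalid user admin from 203.0.113.5 port 51240
Mar  3 10:15:06 remote sshd[1238]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:06 remote sshd[1238]: Connection closed by invalid user admin 203.0.113.5 port 51240 [preauth]
Mar  3 10:15:09 remote sshd[1240]: Invalid user oracle from 198.51.100.7 port 40022
Mar  3 10:15:09 remote sshd[1240]: Connection closed by invalid user oracle 198.51.100.7 port 40022 [preauth]
Mar  3 10:15:11 remote sshd[1242]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar  3 10:15:20 remote sshd[1250]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:ExampleFingerprintOnly
EOF
}
```

On a real system run `sudo failed_ssh_attempts_by_ip /var/log/auth.log` or `journalctl -u ssh --no-pager | failed_ssh_attempts_by_ip`, and compare the result with `sudo fail2ban-client status sshd` once the jail is active; an address of your own showing up in the list is the signal to put it into ignoreip first.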
root – Debian Wiki
SSH – Debian Wiki
Securing Debian Manual Chapter 5 – Securing services running on your system
How To Protect SSH with Fail2Ban on Ubuntu 14.04