Hello
I recently installed 2 VPSes with AlmaLinux 8, for cPanel and a JetBackup destination server.
Each time I log in via ssh, I see this tip:
Last failed login: Fri Mar 29 20:58:25 on ssh:notty
There were 107 failed login attempts since the last successful login.
On the AlmaLinux server with cPanel, I changed the ssh port from 22 to 793 (the cPanel team changed that) and the firewall is configured.
But I couldn't use the new ssh port on the second machine for backups.
I read many documents, I added the port number in the /etc/ssh/sshd_config file, and also added a rule in firewalld, but I am still logging in with port number 22, not with the new port number.
Now I'm asking for help with this:
1- How do I change the ssh port and hide it from bots and hackers that try to log in?
2- How do I rename the "root" user to have maximum security?
3- cPanel has a firewall, but hackers find the ssh port! Is there any way to secure that?
4- What else can I do for my 2 servers?
Firstly, once you install cPanel, it's not really AlmaLinux anymore, as cPanel adds a bunch of its own things. So you should probably ask cPanel support.
Also, you will have to adjust SELinux settings, assuming that SELinux is enabled. This page may help.
There are actually several writeups about non-standard sshd port on RHEL.
Essentially, there are three steps:
Tell sshd to listen on some port
Tell SELinux to allow sshd to listen on that port
Tell firewall to allow traffic from outside to reach the port
The user of ssh client must naturally specify the port, so that ssh knows to connect to other than port 22.
Do not rename 'root'. You do need a regular account on the machine that you can log in with. Then set up the account to use 'sudo'. Set sshd so that nobody can log in as 'root'. The sshd_config has an option for that. Set sshd so that the regular account can log in only with an ssh key-pair, not with a password. Then nobody can get in even if they would guess the password: they need access to the private part of the ssh key-pair that is on your own computer and is protected with a password, the "passphrase".
There are services, e.g. fail2ban, that can be set to run on the server. If sshd logs many failed login attempts from the same address, then fail2ban adds a firewall rule to block that address.
However, there is a simpler solution. Your computer that you do connect to the servers with ssh – does it have a public IP address that does not change? It is possible to set the firewall to have the ssh port open only for that address. Then everybody else is blocked by the firewall and their attempts never reach the sshd. However, if your address does change, then your access is blocked too.
FirewallD (that is the default front-end to the firewall in RHEL and Alma) has the concept of "zones". Your IP address would be in one zone, "A", and everyone else in a second zone, "B". Zone A would open the ports that your IP should be able to access and zone B would open only the ports that everyone else should be able to access.
You need to change the port in /etc/ssh/sshd_config; after this you need to allow the same port in your firewall as you allowed before.
For example, if you use firewalld, run this command:
firewall-cmd --add-port=numberport/tcp --permanent
For best security, allow only one user to access the SSH service, using the "AllowUsers" setting in sshd_config.
Note: Make sure you test this configuration in a virtual machine lab; perform the commands in production if you are safely secured.
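
The three steps listed earlier in the thread (sshd, SELinux, firewall), written out as commands in an added example that is not part of any of the posts above. It assumes a plain AlmaLinux 8 host with firewalld and SELinux enabled and no cPanel-managed firewall; the function names `run`, `valid_port` and `move_sshd_port` are hypothetical, and the sample config file is constructed.

```shell
#!/bin/sh
# Dry run by default: every command is only printed.
# Run with APPLY=1 as root to execute the commands for real.

run() {                          # print a command; execute it only if APPLY=1
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

valid_port() {                   # decimal integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: move_sshd_port PORT [CONFIG]
move_sshd_port() {
    port=$1
    conf=${2:-/etc/ssh/sshd_config}
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }

    # Step 1: sshd must be told to listen on the port. Keywords are
    # case-insensitive; a line starting with '#' is a comment and is ignored.
    if ! grep -Eiq "^[[:space:]]*Port[[:space:]]+$port[[:space:]]*$" "$conf"; then
        echo "step 1 missing: add 'Port $port' to $conf first" >&2
        return 1
    fi

    # Step 2: SELinux must allow sshd to bind the port (type ssh_port_t).
    # semanage is in policycoreutils-python-utils; use -m if already defined.
    run semanage port -a -t ssh_port_t -p tcp "$port" || return

    # Validate the config, then restart. Keep the current session open.
    run sshd -t -f "$conf" || return
    run systemctl restart sshd || return

    # Step 3: firewalld must let outside traffic reach the port.
    run firewall-cmd --permanent --add-port="$port/tcp" || return
    run firewall-cmd --reload || return

    # Clients then have to name the port explicitly.
    echo "# test from a second terminal: ssh -p $port <user>@<server>"
}

# Dry run against a constructed config file.
demo=$(mktemp)
printf '#Port 22\nPort 793\nPermitRootLogin no\n' > "$demo"
move_sshd_port 793 "$demo"
rm -f "$demo"
```

If sshd still answers only on port 22 after this, `ss -tlnp` shows which ports it is actually bound to, and a failed bind caused by SELinux appears in the sshd journal.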