There are several steps that you can take to harden the security of your server.

Using RunCloud Dashboard

Configure Key-Based SSH Authentication

  • Generate an SSH key pair if you haven’t already using the ssh-keygen command on your local machine.
  • Copy your public key (id_rsa.pub) to the server for the desired user account. We strongly recommend using RunCloud’s SSH vault for this. We have written an in-depth post on configuring SSH vault on RunCloud.

Update SSH Configuration

After adding the SSH keys, it is recommended to turn off password-based logins and to deny login requests for the root account. You can do this easily by navigating to the “SSH” tab on the RunCloud dashboard and then switching to the “Config” sub-menu.

On that screen, click on the boxes next to “Passwordless login” and “Prevent root login” if they are unchecked, and then click “Save Config” to deploy the changes.

[Screenshot: SSH configuration in the RunCloud dashboard]

Just by enabling the above two features, you have significantly improved the security of your server. Advanced security features such as Fail2ban and Firewalld are turned on by default on RunCloud; Fail2ban blocks any IP address that repeatedly makes failed login attempts on your server.

Editing The sshd_config File via CLI

The settings provided in the RunCloud dashboard are good enough for the vast majority of users. However, if you are comfortable with using a CLI, you can further enhance security by editing the sshd_config file directly.

Log in to your server via SSH and edit /etc/ssh/sshd_config using your favorite text editor (such as vim or nano). You’ll need superuser (sudo) permissions to do this. After logging in, apply the following configurations:

  1. Set AllowTcpForwarding to “no” if you don’t need remote port forwarding.
  2. Set PermitEmptyPasswords to “no” to disallow empty passwords.
  3. Change the default SSH port (Port) to a non-standard port for added security.
  4. Disable any unused SSH features or protocols, such as the legacy SSH1 protocol (Protocol 2) or X11 forwarding (X11Forwarding no).
  5. Set a reasonable SSH connection timeout by configuring ClientAliveInterval and ClientAliveCountMax in sshd_config. This will automatically disconnect idle SSH sessions.
  6. Restrict SSH access for specific users by following these steps:
    • Look for directives such as AllowUsers or DenyUsers. If these directives are not present, you will need to add them.
    • Add the usernames of the users you want to limit or allow SSH access for. For example, if you want to limit access to users “user1” and “user2”, add the following line: AllowUsers user1 user2
    • Alternatively, if you want to deny access to specific users, you can use the DenyUsers directive instead.
    • You can also restrict logins based on IP addresses. For example, in the following configuration, john can log in only from IP addresses starting with 192.168.1.xx, whereas amy can log in from anywhere. On the other hand, sam can’t log in, ever!
  7. Save the configuration file and exit the text editor.
  8. Restarting the SSH service ensures that the changes you made to the SSH configuration take effect. You can restart the SSH service by running sudo service ssh restart.
[Screenshot: SSH configuration edited via the CLI on a RunCloud server]
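Steps 1 to 8 above, carried out by an added helper script that is neither RunCloud's tooling nor the configuration shown in the screenshot: it backs up sshd_config, sets each directive exactly once while honouring sshd's first-match rule and keeping global directives out of any Match block, and encodes the john/amy/sam rule from step 6. Port 2222, the keepalive values and the user names are assumed example values.

```shell
# Added helper, not RunCloud's tooling. Edits an sshd_config in place, respecting
# sshd's first-match rule and keeping global directives out of any Match block.
# Port 2222, the keepalive values and the john/amy/sam list are assumed examples.

# set_sshd_option FILE KEY VALUE: replace the first global (even commented-out)
# KEY line with "KEY VALUE" and drop later global duplicates; if KEY is absent,
# insert it before the first Match block, or append when there is none.
set_sshd_option() {
    awk -v key="$2" -v value="$3" '
        BEGIN { lkey = tolower(key); done = 0; in_match = 0 }
        {
            active = ($0 !~ /^[ \t]*#/)
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, /[ \t=]+/); k = tolower(f[1])
            if (active && k == "match") {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            }
            if (!in_match && k == lkey) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# effective_sshd_option FILE KEY: first active value, which is the one sshd uses
effective_sshd_option() {
    awk -v lkey="$2" 'BEGIN { lkey = tolower(lkey) }
        $0 !~ /^[ \t]*#/ && tolower($1) == lkey { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# harden_sshd_config FILE: back up first (see the note above), then apply the
# two dashboard settings and steps 1-6. Validate with "sshd -t" before restarting.
harden_sshd_config() {
    cp "$1" "$1.bak"
    set_sshd_option "$1" PasswordAuthentication no         # "Passwordless login"
    set_sshd_option "$1" PermitRootLogin no                # "Prevent root login"
    set_sshd_option "$1" AllowTcpForwarding no
    set_sshd_option "$1" PermitEmptyPasswords no
    set_sshd_option "$1" Port 2222                         # allow it in the firewall first
    set_sshd_option "$1" X11Forwarding no
    set_sshd_option "$1" ClientAliveInterval 300           # 300 s x 2 probes = idle cutoff
    set_sshd_option "$1" ClientAliveCountMax 2
    set_sshd_option "$1" AllowUsers "john@192.168.1.* amy" # john only from 192.168.1.x
    set_sshd_option "$1" DenyUsers sam                     # sam is refused regardless
}
```

Run it against a copy first, then check the result with sudo sshd -t (syntax) and sudo sshd -T (the effective values sshd will actually use) before restarting the service, and keep your current session open until a second login succeeds.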

Note: It’s always a good practice to create a backup of the SSH configuration file before making any changes. This allows you to revert to the previous configuration if something goes wrong.

After completing these steps, only the specified users will be able to access SSH on the system, while other users will be denied SSH access.

It’s important to test the SSH access for the limited users to ensure the configuration is working as intended. Monitor SSH logs for any suspicious activity or failed login attempts, which could indicate brute-force attacks. The SSH logs can be found in /var/log/auth.log.

Even after hardening your server, it’s always a good idea to regularly update and patch your server. Refer to our in-depth post about updating your RunCloud server.