-2

For security reasons I want to turn off SSH when I don't use it and turn it on again via a VNC connection, as I can connect to my web server remotely over the DigitalOcean control panel's console instead and turn on SSH that way.

Is below the best way of doing it?

sudo stop ssh
sudo ufw deny 22

And turn on SSH via VNC

sudo ufw allow 22/tcp
sudo start ssh 

Or should I use any of the below variants?

sudo service ssh stop
sudo systemctl stop ssh
sudo /etc/init.d/ssh stop

I'm on an Ubuntu 16.04 LTS server, and I want to disable SSH for all users, not only for root.

Gabriel

4 Answers

4

Why would you do that? It's way more elegant to harden your SSH. A few tips:

  • don't use root for ssh
  • set the AllowUsers directive and list your account in there; that way only you will be allowed to ssh
  • create a 4096-bit RSA key (or 512 ECDSA), and don't use password authentication for your ssh session
  • set up a firewall rule to allow incoming connections on port 22 only from your IP address
13dimitar
  • I have already done all that. I just wanted to harden a bit more, as it's a quite easy thing to just disable and enable when you need it. – Gabriel Feb 04 '17 at 11:52
  • Or I have just done your first three points actually, as I change IP address too often from different devices, and I am in different countries also, so it becomes too complicated to only allow SSH from certain IP addresses. – Gabriel Feb 04 '17 at 12:02
  • I would add: disable password authentication. – Mircea Vutcovici Feb 04 '17 at 17:09
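As an added example (not from the answer or this thread), here is a POSIX shell audit of an sshd_config against the points listed in this answer and the comment below it: no root login, AllowUsers set, password authentication off, public-key authentication on. It encodes a caveat practitioners often miss: sshd uses the first uncommented occurrence of a keyword, so a "PasswordAuthentication no" appended at the end of a file that already says "yes" changes nothing. The sample configs and the user name "gabriel" are constructed for the example.

```shell
#!/bin/sh
# Added example: audit sshd_config for the hardening points above.
# Caveat encoded here: sshd honours the FIRST uncommented occurrence of a
# keyword, and lines after a "Match" block are conditional, so they are ignored.

# Print the effective value of a keyword (first active match before any Match block).
sshd_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }           # skip comments and blanks
        tolower($1) == "match"                { exit }           # conditional section: stop
        tolower($1) == tolower(key)           { print $2; exit } # first match wins
    ' "$1"
}

# Exit status 0 when every check passes, otherwise the number of failed checks.
audit_sshd_config() {
    cfg="$1"; fails=0
    v=$(sshd_directive "$cfg" PermitRootLogin)
    # OpenSSH >= 7.0 defaults to prohibit-password, which still lets root in with a key
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-<unset>}"; fails=$((fails + 1)); }
    v=$(sshd_directive "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication=${v:-<unset, defaults to yes>}"; fails=$((fails + 1)); }
    v=$(sshd_directive "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers not set (every account may log in)"; fails=$((fails + 1)); }
    v=$(sshd_directive "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || { echo "FAIL PubkeyAuthentication=$v"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK $cfg"
    return "$fails"
}

# Constructed sample configs (not from any real server), written to temp files.
SAMPLE_WEAK=$(mktemp); SAMPLE_HARD=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication yes
# the "fix" appended at the end; sshd ignores it because the first value wins
PasswordAuthentication no
EOF
cat > "$SAMPLE_HARD" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
AllowUsers gabriel
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
audit_sshd_config "$SAMPLE_WEAK" || true   # three FAIL lines, exit status 3
audit_sshd_config "$SAMPLE_HARD"           # prints OK, exit status 0
```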
1

Having stopped the ssh daemon/service, you just need to disable it too. You can do that with systemctl:

systemctl disable ssh
user9517
1

The easiest way to accomplish what you are trying to do is to use fwknopd. I use fwknopd to open the ssh service on demand when I need it, and only for my client host IP. By default, I have a firewall rule to deny ssh from all IPs. When I need to ssh into my server, I use the fwknop client to open the ssh port (actually I use a non-standard ssh port to keep script kiddies away), and it stays open for a short time (you can configure it to stay open for whatever duration you want), which allows me to ssh into my server. fwknopd will close the port after the configured time expires, but you can continue to have your ssh session for as long as you like.

fwknopd - Firewall Knock Operator Daemon

Here is how it works.

Server side (before)

root@gorilla:~# iptables -n --list |grep 8.8.8.8

Client side (note: 8.8.8.8 is an example for my client host IP)

arul@cheetah$ fwknop -A tcp/22 -a 8.8.8.8 -D <my_servers_public_ip>
Enter encryption key: 

Server side (after)

root@gorilla:~# cat /var/log/syslog|grep 8.8.8.8
Feb  4 09:28:36 gorilla fwknopd[1191]: Added Rule to FWKNOP_INPUT for 8.8.8.8, tcp/22 expires at 1486222476

root@gorilla:~# iptables -n --list |grep 8.8.8.8
ACCEPT     tcp  --  8.8.8.8              0.0.0.0/0            tcp dpt:22 /* _exp_1486222476 */

Note: You have to open UDP port 62201 for the fwknop client to talk to fwknopd.

Arul Selvan
0

Set the AllowGroups directive and list your users' accounts in there; that way only you will be allowed to ssh.

Wagner