
11 Steps to Secure Your Servers Parts 6 and 7: SSH Agents and Locking the Root Account

Part 6-7 of a series of posts on server security from Inversoft's 2016 Guide to User Data Security discusses how to enable SSH agents and lock your server's root account.


This is part 6-7 of a series of posts on server security from Inversoft's 2016 Guide to User Data Security.

SSH Agents

You might be wondering what will happen if you SSH to the Application Server and then try to SSH from there to the Database Server. By default, you won't be able to do this because your private key won't be on the Application Server. However, SSH has a feature that allows you to accomplish this without copying your private key all over the place.

The feature you will use is called an SSH agent. By enabling an SSH agent, you will be able to log into any server that has your public key set up in the authorized_keys file (as long as you start from a computer that has your private key).

To set up an SSH agent, add your private key to the agent by running this command:

$ ssh-add

This will add your default private key to the SSH agent.

NOTE: If you are on a Mac, you don't need to run this command. OS X will automatically prompt for your private key passphrase and add this key to your SSH agent.

You also need to forward your SSH agent when you SSH to a server. To do this, use the -A option like this:

$ ssh -A -i server_rsa your-username@

You can also define an alias for the ssh command in your shell's configuration file so that the -A option is added automatically.

Locking the Root Account

Disable the root user's login to prevent users from trying to brute-force the root account if they ever gain access to the server. You might be concerned that if you lock the root account you won't be able to administer the server easily. Even if the root user account is locked, you'll still be able to use the root account via the command "sudo su -", but you won't be able to log in directly to the root user's account. To lock the root user's login, run this command in a root terminal:

$ usermod -p '*' root
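
To confirm the lock took effect, the following added example (not part of the original article or of Inversoft's scripts) classifies the password field of a shadow-format entry; `*` is what the usermod command above writes into that field. The function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field of a shadow(5)-format entry.
# Function names and sample lines are constructed for illustration.

# classify_shadow_entry LINE
# Prints: locked | empty | password-set | malformed
classify_shadow_entry() {
    case $1 in
        *:*) ;;                          # need at least name:field
        *) echo malformed; return 0 ;;
    esac
    rest=${1#*:}                         # drop the user name
    field=${rest%%:*}                    # keep only the password field
    case $field in
        '')        echo empty ;;         # no password required at all
        '*'*|'!'*) echo locked ;;        # no hash can match: password login off
        *)         echo password-set ;;  # a crypt(3) hash is present
    esac
}

# account_state USER FILE
# Looks USER up in a shadow-format FILE and classifies the entry.
account_state() {
    [ -r "$2" ] || { echo unreadable; return 0; }
    entry=$(grep "^$1:" "$2" | head -n 1)
    [ -n "$entry" ] || { echo missing; return 0; }
    classify_shadow_entry "$entry"
}

# Constructed sample entries; the hash is a placeholder, not a real one.
demo() {
    for line in \
        'root:*:17000:0:99999:7:::' \
        'root:!$6$CONSTRUCTED$placeholder:17000:0:99999:7:::' \
        'root:$6$CONSTRUCTED$placeholder:17000:0:99999:7:::' \
        'root::17000:0:99999:7:::'
    do
        printf '%-50s -> %s\n' "$line" "$(classify_shadow_entry "$line")"
    done
}
demo

# On a real server, run as root: account_state root /etc/shadow
```

A "locked" result covers password authentication only; whether sshd accepts key-based root logins is controlled separately by its PermitRootLogin setting.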

Find our GitHub project here: https://github.com/inversoft/2016-security-scripts. This project contains a set of scripts you can execute from your local computer to secure a remote server.


Published at DZone with permission of Kelly Strain. See the original article here.
