Securing your (dv) Server

  • Applies to: All (dv)

  • Difficulty: Medium

  • Time needed: 5 minutes

  • Tools needed: root, ssh, vi

 
This article has the following dependencies:

  • Please be cautious when configuring your firewall in Plesk. Improper rules could prevent you or your site visitors from being able to access your (dv) server.
  • The IP address 10.1.1.2 is used as an example in this article. To find your own public IP address, use a service such as http://whatismyip.com or http://ipchicken.com, or check your router's info page.

    1. Securing SSH:

    By default the SSH standard port number is 22. If you look at your logs you might see a large number of bad login attempts on that port. Changing this port number is a simple way to make your server more secure. To change the port number, log in as root and run the following command:

    vi /etc/ssh/sshd_config
    Find the line that says:
    
    Port 22

    Change this line to another port number above 1024. Using a port number above 1024 keeps SSH out of the well-known port range that casual scans (for example a default nmap run) check, although a full scan of all 65535 ports will still find it.

    Next we want to use the more secure SSH 2 protocol. On the line underneath the port number, set the protocol to 2:

    Protocol 2

    Save the sshd_config file and then restart sshd:

    /etc/init.d/sshd restart

    Now when you log in via ssh you will need to specify the custom port. In the example below the custom port has been set to 3456.

    ssh -p 3456 user@10.1.1.2
    

    TIP:

    For additional security you should disable direct root access to your server following this article.
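    The sshd_config edit described in step 1 (custom Port above 1024, Protocol 2), scripted as an added example that is not part of the original article. The function validates the port before touching the file, replaces commented-out copies of either directive in place so the file stays readable, and deliberately does not restart sshd: review the result, run `sshd -t`, then restart as shown above. The sample config it is run against is constructed for the demo and stands in for /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original article. Applies the step 1 changes
# (custom Port, Protocol 2) to a given sshd_config-style file.

# Print the value of the first uncommented KEY directive in CONFIG (empty if none).
get_ssh_directive() {
    cfg="$1"; key="$2"
    awk -v key="$key" '$1 == key { print $2; exit }' "$cfg"
}

# Rewrite CONFIG so it has exactly one active "Port PORT" and one active
# "Protocol 2" line. Commented-out copies of either directive are replaced
# where they stand; duplicates are dropped; missing directives are appended.
# Returns 1 and leaves CONFIG untouched if PORT is not an integer in 1025..65535.
set_ssh_port_and_protocol() {
    cfg="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;          # not a plain decimal number
    esac
    [ "$port" -gt 1024 ] && [ "$port" -le 65535 ] || return 1

    tmp="$cfg.tmp.$$"
    awk -v port="$port" '
        /^[# \t]*Port[ \t]+[0-9]+/ {
            if (!seen_port) { print "Port " port; seen_port = 1 }
            next                           # drop any further Port lines
        }
        /^[# \t]*Protocol[ \t]+/ {
            if (!seen_proto) { print "Protocol 2"; seen_proto = 1 }
            next
        }
        { print }
        END {
            if (!seen_port)  print "Port " port   # file had no Port line at all
            if (!seen_proto) print "Protocol 2"
        }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
    # "cat > $cfg" rather than mv keeps the original file's mode and owner.
}

# Demo on a constructed sample config (a stand-in for /etc/ssh/sshd_config).
DEMO_CFG="${TMPDIR:-/tmp}/sshd_config.demo.$$"
cat > "$DEMO_CFG" <<'EOF'
# Constructed sample sshd_config for the demo
#Port 22
Protocol 2,1
PermitRootLogin yes
EOF

set_ssh_port_and_protocol "$DEMO_CFG" 3456 && cat "$DEMO_CFG"
rm -f "$DEMO_CFG"
```

    To apply it for real, call `set_ssh_port_and_protocol /etc/ssh/sshd_config 3456` as root, confirm the file with `sshd -t`, and only then restart sshd, keeping your current session open until you have verified that `ssh -p 3456` works.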

     2. Use the built-in Plesk firewall:


    Although you could edit the firewall from the command-line it is much easier using Plesk's firewall instead.  Just navigate to Modules > Firewall. If you have a static IP address you can create rules so that the server will only allow access from your IP address at your home and/or office.  For the example above (custom SSH port 3456) the following two rules will only allow access from the IP 10.1.1.2:

    [Screenshot 896_1: first Plesk firewall rule for the example above]

    [Screenshot 896_2: second Plesk firewall rule for the example above]

     3. Use only SFTP (Secure FTP)


    SFTP is more secure than FTP because it runs over the SSH protocol, so credentials and file contents are encrypted in transit. Shell access must be enabled for each Plesk user on each account: on the setup page, select /bin/bash (chrooted) under "Shell access to server with FTP user's credentials". This user will now be able to log in over SFTP. Remember to change the port in your FTP client if you changed the default SSH port as discussed above. If you are sure you don't want users to log in over standard FTP, you can also block that port via the Firewall module in Plesk as detailed in the screenshots above. The following rule would apply:

    Deny incoming from all on ports 21/tcp, 21/udp

    You can further secure your FTP server if you have a static IP by allowing access only from your IP. If your static IP is 10.1.1.2 your rules would be:

    Allow incoming from 10.1.1.2
    Deny incoming from all others

    4. Disable ping requests:


    By default your server can be pinged by anyone, meaning it is discoverable.  You can improve security by changing your firewall to only allow known IP addresses to ping your server. If your static IP is 10.1.1.2 change the rules under Ping Service in Plesk's default Firewall rules:

    Allow incoming from 10.1.1.2
    Deny incoming from all others
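    Steps 2 to 4 all apply the same pattern (allow a service from one trusted static IP, deny it from everyone else). As an added example that is not part of the original article and is not how Plesk's firewall module itself works, the block below builds the equivalent iptables rules from the command line, using the article's example values (trusted IP 10.1.1.2, custom SSH port 3456). It assumes iptables is installed; DRY_RUN=1 (the default here) prints the commands instead of running them. If you manage the firewall through the Plesk module, let it own the rules rather than mixing both, since the module writes its own rule set.

```shell
#!/bin/sh
# Added example, not from the original article or from Plesk: iptables
# equivalents of the allow-list rules in steps 2 to 4.

: "${DRY_RUN:=1}"

# Echo the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# allow_only_from IP PROTO PORT
# Accept PROTO traffic to PORT from IP and drop it from everyone else.
# The ACCEPT rule must be added first: iptables walks INPUT top to bottom,
# so a DROP placed ahead of it would also lock out the trusted address.
allow_only_from() {
    ip="$1"; proto="$2"; port="$3"
    run iptables -A INPUT -p "$proto" --dport "$port" -s "$ip" -j ACCEPT
    run iptables -A INPUT -p "$proto" --dport "$port" -j DROP
}

# ping_only_from IP
# Answer ICMP echo requests (ping) only from IP and silently drop the rest
# (step 4). Other ICMP types are left alone so path MTU discovery keeps working.
ping_only_from() {
    ip="$1"
    run iptables -A INPUT -p icmp --icmp-type echo-request -s "$ip" -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# lockdown_rules TRUSTED_IP SSH_PORT
# Emit the full rule set: SSH on the custom port (step 2), FTP on port 21
# (step 3; the udp line mirrors the article's "21/tcp, 21/udp" rule), ping (step 4).
lockdown_rules() {
    trusted_ip="$1"; ssh_port="$2"
    allow_only_from "$trusted_ip" tcp "$ssh_port"
    allow_only_from "$trusted_ip" tcp 21
    allow_only_from "$trusted_ip" udp 21
    ping_only_from  "$trusted_ip"
}

# Demo with the article's example values; prints eight iptables commands.
lockdown_rules 10.1.1.2 3456
```

    Run it once with the default dry run and read the output; only when the rules look right, and only from a session that will survive them (console, or SSH from the trusted IP itself), run `DRY_RUN=0 sh thisscript.sh` as root.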


    These are just a few steps that will tighten the security of your (dv) Dedicated-Virtual Server.  Please feel free to comment with additional feedback and we will add those in future revisions.

     

    Notes/Supplemental Resources:

    Revisions:

    06-30-2008: Article Creation with inspiration from an article at shapeshed.com
