Looking for an easier way to configure SSH on your data center servers? How about Webmin? Jack Wallen walks you through some of the options for better SSH security using this web-based GUI.
I administer nearly every Linux server via SSH. Given that I've been working with Linux for over 20 years, configuring SSH with an eye on security is pretty simple for me. But most often I'm doing this on smaller deployments, where there might only be a handful of users that have to gain access to the server. With these machines, I tend to take care of the SSH configuration manually (as in editing the ssh_config and sshd_config files via a text editor).
But what if you're working with larger deployments in data centers? You probably don't want to have to take care of those configurations using nano or vi. And if you already have Webmin deployed, you have the means to make those configuration changes considerably easier.
Let me show you how.
What you'll need
To make this work, you'll need Webmin installed on your distribution of choice. I've already covered how to install Webmin on Ubuntu and Rocky Linux. Give those articles a read to get Webmin up and running on your server distribution of choice. Once you have Webmin up and running, you're all set to configure SSH.
How to configure SSH via Webmin
Log into Webmin and then click the Webmin tab and then expand the Servers entry (Figure A).
In the SSH section (Figure B), click Authentication.
The first thing you'll do is select No for Allow Login by Root (Figure C). Once you've done that, click Save. If you plan to set up SSH key authentication, you'll want to leave Allow Authentication by Password set to Yes until you get your key authentication set up for all users that remote into that server.
Click Return to Module Index and then click Access Control. In this window (Figure D), you can configure which users and groups are allowed to access the server via SSH.
If you opt to go the group route, you'll need to first create the new group and add users to the new group. This is all taken care of in System | Users and Groups. Say, for instance, you've created a new group called editorial and added the necessary users. Once you've done that, go back to the SSH Access Control, click the check box to the right of All (associated with Only Allow Members of Groups), and then type editorial in the text field. Click Save and go back to the Module index. Once in the index, click Apply Changes. At this point, you've limited SSH access to only the users in that group. Just make sure to test the new configuration before you do anything else.
Next, you might consider configuring SSH to use a non-standard port. For that, click on the Networking option in the Webmin SSH config window. Here (Figure E), you can change the default port from 22 to whatever you'd rather use.
Once you've changed the port, make sure to click Save and then click Apply Changes in the module index. One thing to consider, however, is if you're working on a Linux distribution that employs SELinux, you'll need to inform the security system of the change to the new port. Out of the box, Webmin doesn't include an SELinux module, so you'd need to take care of that manually with a command like:

sudo semanage port -a -t ssh_port_t -p tcp 2112

Once you've done that, SSH can be accessed like so:

ssh 192.168.1.169 -p 2112
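The Webmin choices above are written to sshd_config as PermitRootLogin, AllowGroups, Port and PasswordAuthentication. The script below is an added example, not part of the original article, that checks a config file for them after you click Apply Changes; the function names and the sample config are constructed, while the group editorial and port 2112 are the article's.

```shell
#!/usr/bin/env bash
# Added example: audit sshd_config for the settings made through Webmin above.
# Function names and the sample config are constructed for illustration.

# values FILE KEYWORD [all]: print the global value(s) of KEYWORD.
# sshd matches keywords case-insensitively and keeps the first value it reads,
# except that Port and AllowGroups accumulate across lines (pass "all").
# Lines after a Match keyword are conditional, so parsing stops there.
values() {
  awk -v want="$2" -v all="${3:-}" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(want) {
      $1 = ""; sub(/^[ \t]+/, "")
      out = (out == "" ? $0 : out " " $0)
      if (all == "") exit
    }
    END { if (out != "") print out }
  ' "$1"
}

# audit_sshd FILE PORT GROUP: print one line per finding; return 1 on any FAIL.
audit_sshd() {
  local file="$1" port="$2" group="$3" v bad=0
  v=$(values "$file" PermitRootLogin)
  [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-unset}"; bad=1; }
  v=$(values "$file" Port all)
  [ "$v" = "$port" ] || { echo "FAIL Port=${v:-unset}, want only $port"; bad=1; }
  v=$(values "$file" AllowGroups all)
  [ "$v" = "$group" ] || { echo "FAIL AllowGroups=${v:-unset}, want only $group"; bad=1; }
  v=$(values "$file" PasswordAuthentication)
  [ "$v" = "no" ] || echo "NOTE PasswordAuthentication=${v:-unset}: disable once keys are deployed"
  return "$bad"
}

# Constructed sample: port 22 is still listed and root login is only set in a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
port 2112
AllowGroups editorial
PasswordAuthentication yes
Match Group editorial
    PermitRootLogin no
EOF
audit_sshd "$sample" 2112 editorial || echo "audit failed"
rm -f "$sample"
```

The script does not follow Include directives. On a live server, the output of sudo sshd -T (the effective configuration in the same keyword-value form) can be saved to a file and passed to audit_sshd instead.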
And that's how you can more easily configure SSH using the Webmin GUI. When you have a large data center filled with Linux servers, this is the more efficient (and easier) way to go.