The absolute first thing you should do on a clean server is secure SSH. Before you even consider anything else, edit your SSH configuration (vi /etc/ssh/sshd_config). The lines you should be concerned with are the following:
(Make sure all of the above lines are uncommented by removing the # in front if applicable.)
Change your Port to something other than 22, preferably either a random or hard to guess 5 digit number (no more than 65535). In reality any port other than 22 is a good port since that is the default SSH port, but be sure to check to make sure the port you pick won't conflict with other known ports.
Set PermitRootLogin to no. This will prevent people from using root to login to SSH. Since root is the last thing you want anybody to have access to, the best way to prevent access is to disable it immediately. In a moment, I will explain how you will still be able to have root access even after disabling it.
AFTER SETTING THIS DO NOT LOGOUT OF YOUR CURRENT SSH SESSION UNTIL YOU HAVE CONFIRMED THAT YOU CAN LOGIN WITH YOUR USERNAME AND RSA!
Set RSAAuthentication and PubkeyAuthentication to yes. This will allow you to use an RSA key to SSH into your server instead of your password. Also verify that AuthorizedKeysFile is set to .ssh/authorized_keys.
Set PasswordAuthentication to no. This will disable people from being able to login with a password which forces you and your staff to use RSA keys which are the most secure option you can have.
Set Banner to something like /root/sshbanner. The actual location and name of the banner is up to you. Just make sure that the file includes something along the following lines:
"This system is monitored and all logins are reported to the administrators. If you are not authorized to connect to this server disconnect now."
Of course this has little actual effect but some script kiddies might be scared off by this since by default they aren't use to seeing any kind of message when trying to login so it might make them think the server is more advanced/secure than others. Either way it's the equivalent to a "No Trespassing" notice so if you do have to ever resort to legal proceedings they can't say they didn't know. You should also setup a Message Of The Day (MOTD) with a similar message (vi /etc/motd) for the same reason.
Now once that has been setup you will want to create a new users that you will be logging in with since root will be disabled shortly. Create a new user for yourself (useradd). Now create a password for that user (passwd), ensure it is unique and differs from your root password. Not you will want to add that user to the wheel group (vi /etc/group find the wheel group and add the username to that line like so: wheel:x:10:root,username).
Once the user is added to the wheel group you will want to create an RSA key for this user. If you are using PuTTY then you will need to download PuTTYgen.
DO NOT RESTART SSHD!
- Open PuTTYgen.exe set the type to SSH2 RSA and minimum 1024 bits.
- Click Generate and move your mouse in the box for randomness.
- Edit the Comment to something you can easily identify if you plan to use multiple RSAs (different users, access to/from other servers, etc...).
- Set a Passphrase so even if somebody gets your RSA key they still cannot login to your server without entering the correct password. Do not use your username or root password!
- Save the public and private keys to your PC, then copy and paste the public key in the text box to a new authorized_keys file on your server (mkdir .ssh && chmod 0700 .ssh && cd .ssh && touch authorized_keys && chmod 0600 authorized_keys && vi authorized_keys).
Now restart SSH in SSH (/etc/init.d/ssh restart) while staying logged in to your current session. Open a second SSH session to your server using your new port, username, and RSA key to confirm it is working (also check for the banner and MOTD we setup). Once you are able to login with your new username and RSA key, verify you can switch to root (su -). If everything worked correctly you should now have root SSH access with password authentication and root login disabled!
Now one last thing you will want to do is setup your server to send you an e-mail when somebody logs in under root on your server by adding the following line to .bashrc (vi /root/.bashrc):
echo 'ALERT - ROOT SHELL ACCESS ON:' `date` `who` | mail -s "ALERT: ROOT ACCESS FROM: `who | cut -d"(" -f2 | cut -d")" -f1`" root
This code will send an e-mail to your "root" e-mail (which you can setup by adding a .forward file in your /root/ directory) when somebody logs into root.