[HowTo] Secure SSH server - Connect using SSH keys

SSH server security

When you set up an SSH server on a public IP, within minutes you will be spammed with attempts to brute-force your login.

Your first task as admin of an SSH server is to secure it. The best way to secure your server is to configure a public key and then disable password login.

SSH security

Your own SSH server is not the only place you will come across SSH public keys. If you are using services like GitHub, GitLab, SourceForge, OSDN and many more - you have come across this before.

Create key pair

An SSH key is actually a key pair - a public and a private key. The public part has the extension .pub and this is the key you place on the server or service; the private part stays on your own device.

You create a key pair using the ssh-keygen utility. This utility takes various arguments which affect how the key pair is generated and where the files are placed.

The defaults are sane but in case you want a stronger key, you can use the man-pages to expand your knowledge.

$ man ssh-keygen

It is recommended to use a separate key for each server and for each device you connect from. To tell the keys apart, use a different filename, e.g. the name of the service. If you have a Linode cloud instance you could name the file linode, or if you are using OSDN you may name it osdn.

To create a key pair named after the service, supply the path to the file using the -f argument - in this example a Linode cloud server, with the key named after your instance:

$ ssh-keygen -f ~/.ssh/linode-pacbang.ppk

You don't need to use the .ppk part, but it makes it possible to configure FileZilla as an SFTP client using a key file.

Upload

To upload the public part to the server, use scp, which is short for secure copy. The command consists of three parts

  • The command itself
  • The file to be copied
  • Server and where to put the file

$ scp ~/.ssh/linode-server.ppk.pub root@server.domain.tld:/root

SSH into your server and add it to the authorized_keys file

$ ssh root@server.domain.tld
# cat linode-server.ppk.pub >> ~/.ssh/authorized_keys

A simpler option is to use ssh-copy-id (thank you @flipper for reminding me)

$ ssh-copy-id -i ~/.ssh/mykey user@host

Log off the server and test your connection using your identity file

$ ssh root@server.domain.tld -i ~/.ssh/linode-server.ppk

You should now be logged in and have a root shell without being prompted for a password.

Secure the server

The next step is to remove the ability to log in with username:password.

While you are logged in as root edit the file /etc/ssh/sshd_config

# nano /etc/ssh/sshd_config

Scroll down to the lines reading

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

And change to

PasswordAuthentication no

While you are at it - seriously consider changing the port from the default 22 to something else. Consult /etc/services to avoid a collision with known services - but in reality any port over 10000 can be used.

The port setting is located near the top of the configuration file

# Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment the line and change the port number

Port 33000

Save the changes and reload the sshd daemon so the new settings take effect

# systemctl reload sshd
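As an added example (not part of the original post), a small shell audit that reads an sshd_config the way sshd does - first non-comment occurrence of a keyword wins, commented-out lines count as "not set" - and checks the settings changed above. The config text is constructed for the example; Match blocks and the "Keyword=value" spelling are not handled.

```shell
# Constructed sample sshd_config reflecting the edits above (not a real
# server's file): port moved, password login switched off.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
# Port 22
Port 33000
#AddressFamily any
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
EOF
)

# Effective value of a keyword. sshd uses the FIRST non-comment occurrence
# and ignores later duplicates, so that is what is reported. Falls back to
# the supplied default when the keyword only appears commented out.
sshd_effective() {   # $1 = config text, $2 = keyword, $3 = default
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# Audit the settings this HowTo touches. Returns 0 when password login is
# off (and empty passwords stay off), 1 otherwise; a default port is only
# a warning because it is a hardening preference, not a hard requirement.
audit_sshd_config() {   # $1 = config text
    audit_pw=$(sshd_effective "$1" PasswordAuthentication yes)
    audit_empty=$(sshd_effective "$1" PermitEmptyPasswords no)
    audit_port=$(sshd_effective "$1" Port 22)
    audit_status=0
    [ "$audit_pw" = no ] || { echo "FAIL: PasswordAuthentication is $audit_pw"; audit_status=1; }
    [ "$audit_empty" = no ] || { echo "FAIL: PermitEmptyPasswords is $audit_empty"; audit_status=1; }
    [ "$audit_port" != 22 ] || echo "WARN: sshd still listens on the default port 22"
    echo "port=$audit_port password_auth=$audit_pw empty_passwords=$audit_empty"
    return $audit_status
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG"
```

On a real server, `sshd -T` prints the configuration the daemon actually uses and is the authoritative check; keep your current session open until a fresh connection on the new port succeeds.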

Connect to the server

Connecting to an SSH server can be automated by means of the user's local SSH configuration file, ~/.ssh/config. One point to remember - the file is parsed from top to bottom and the first match is used - so don't keep duplicated entries.

If you plan to connect to the same server using different users, this can easily be done by using different names for the Host entries.

Every server or service is designated by a Host entry - all lines between Host entries belong to the preceding Host.

$ nano ~/.ssh/config

Add your server details - examples

Host nickname
  HostName server.domain.tld
  IdentityFile ~/.ssh/linode-server.ppk
  User root
  Port 33000
Host fido.domain.tld
  IdentityFile ~/.ssh/fido.ppk
  User fido

$ ssh nickname

Backup

You don't want to lose your key collection.

IMPORTANT: Keep a copy of your ~/.ssh folder in a secure location.

Conclusion

You should now have a better understanding of how to secure your SSH server and how to connect using an SSH key.


For non-exotic installations this part can be done with

ssh-copy-id -i ~/.ssh/mykey user@host

ref: https://www.ssh.com/ssh/copy-id/#copy-the-key-to-a-server
