Introduction
In this step-by-step guide, we will increase the security of the Linux server by configuring it to use key-based authentication (a public/private key pair) instead of passwords.
We will also disable access to the root user account through SSH.
How to increase SSH security
Creating an Encryption Key Pair on the Client Machine
First, we need to generate a key pair on the machine you will use to access the server. Use the following command in a terminal (Linux or Mac), or use puttygen to generate the keys on Windows.
ssh-keygen -t rsa
Use the default parameters and optionally create a passphrase to access your private key.
Copy the contents of the public key to the clipboard by selecting the text displayed by the following command and copying it with the shortcut keys (CTRL + c or Command + c):
cat ~/.ssh/id_rsa.pub
As the root user, run the command to switch to the user created previously in the post "how to create a web server in 10 minutes":
su - userex
Now that you are in your user's home directory (/home/userex/), create a directory called ".ssh" with restricted permissions:
mkdir .ssh
chmod 700 .ssh
Add the public key using the text editor on the server:
nano .ssh/authorized_keys
Paste the key using CTRL + v or Command + v.
Save the file using (CTRL-X, then Y, and then ENTER).
Change the access permissions:
chmod 600 .ssh/authorized_keys
Enter the following command to return to the root user:
exit
SSH Daemon Setup
We will configure the program that handles remote logins (the SSH daemon) to disable access to the root user account.
nano /etc/ssh/sshd_config
Look for a line like this:
PermitRootLogin yes
Change to:
PermitRootLogin no
This way, the root user will not be able to log in remotely through SSH.
This is more secure, since we access the server as a normal user and escalate privileges only when necessary.
Still in this configuration file, disable password authentication, so that attempts to guess the password by trial and error cannot succeed.
Your server will then be accessible only with the public/private key pair.
Search for:
#PasswordAuthentication yes
Change to:
PasswordAuthentication no
Save the file using (CTRL-X, then Y, and then ENTER).
Restart the ssh service:
service ssh restart
Keep the current session open and, in another terminal window, log in again, this time as the new user instead of root and using the SSH key:
ssh userex@SERVER_IP -i "path/to/your/key"
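The two sshd_config edits of this section, applied as a script that can be tried on a copy of the file first. This is an added example, not code from the original post; the helper names are hypothetical and it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the original post): apply this guide's two
# sshd_config changes to a file idempotently and read back the effective
# values, so the edit can be checked on a copy before touching /etc/ssh.
# Assumes POSIX sh and awk; helper names are hypothetical, not an sshd API.

# set_directive FILE KEY VALUE: rewrite the first KEY line (commented out
# or not) to "KEY VALUE", drop later duplicates (sshd uses the first match),
# and if KEY is absent insert the line before any Match block (or at the end).
set_directive() {
  awk -v k="$2" -v v="$3" '
    tolower($1) == "match" {                  # keep Match blocks untouched,
      if (!done) { print k " " v; done = 1 }  # but place the global value first
      in_match = 1
    }
    !in_match && (tolower($1) == tolower(k) || tolower($1) == "#" tolower(k)) {
      if (!done) { print k " " v; done = 1 }  # first hit: rewrite
      next                                    # later hits: drop
    }
    { print }
    END { if (!done) print k " " v }          # absent, no Match seen: append
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# effective_value FILE KEY: the value sshd takes (first uncommented match).
effective_value() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The two settings changed in this section.
harden_sshd_config() {
  set_directive "$1" PermitRootLogin no
  set_directive "$1" PasswordAuthentication no
}

# sshd -t parses the file and exits non-zero on a syntax error; run this
# before "service ssh restart" so a typo cannot lock out the next login.
validate_config() { sshd -t -f "$1"; }

# Constructed sample resembling a stock sshd_config (not a real host's file).
make_sample_config() {
  cat > "$1" <<'EOF'
# Default sshd_config excerpt
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
}
```

Run harden_sshd_config on a copy, inspect it with effective_value, then validate_config on the real file before restarting the service.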