Introduction

In this step-by-step guide, we will increase the security of a Linux server by configuring it to use key-based authentication (a public/private key pair) and avoiding the use of passwords to access it.

We will also disable access to the root user account through ssh.

How to increase SSH security

Creating an Encryption Key Pair on the Client Machine

First, we need to generate a key pair on the machine you use to access the server. Use the following command in a terminal (Linux or Mac), or use PuTTYgen to generate the keys on Windows.

ssh-keygen -t rsa

Use the default parameters and optionally create a passphrase to access your private key.

Copy the contents of the public key to the clipboard: select the text printed by the following command and copy it with the keyboard shortcut (CTRL + C or Command + C):

cat ~/.ssh/id_rsa.pub

As root on the server, run the command to switch to the regular user (created earlier in the post “how to create a web server in 10 minutes“):

su - userex

Now that you are in that user’s home directory (/home/userex/), create a directory called “.ssh” with restricted permissions:

mkdir .ssh
chmod 700 .ssh

Add the public key using the text editor on the server:

nano .ssh/authorized_keys

Paste the key using CTRL + v or Command + v.

Save the file and exit the editor (CTRL-X, then Y, then ENTER).

Change the access permissions:

chmod 600 .ssh/authorized_keys

Enter the following command to return to the root user:

exit

SSH Daemon Setup

We will configure the SSH daemon, the program that accepts remote logins, so that it refuses logins to the root user account.

nano /etc/ssh/sshd_config

Look for a line like this:

PermitRootLogin yes

Change to:

PermitRootLogin no

This way, the root user will not be able to log in remotely through SSH.
This is a more secure arrangement, since we access the server as a normal user and escalate privileges only when necessary.

Still in this configuration file, disable password authentication, so that attempts to guess the password by trial and error cannot succeed.
Your server will then be accessible only with the public/private key pair.

Search for:

#PasswordAuthentication yes

Change to:

PasswordAuthentication no

Save the file and exit the editor (CTRL-X, then Y, then ENTER).

Restart the ssh service:

service ssh restart

Open another terminal window (leaving the current session open) and log in again as the new user instead of root, using the ssh key:

ssh userex@SERVER_IP -i "path/to/your/key"
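The daemon changes above, collected into a script as an added example that is not part of the original post: it rewrites the two directives in the configuration file, asks sshd to validate the result, and only then restarts the service, so a typo in the file cannot lock you out of the server. The file path argument and the --apply flag are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two sshd_config changes
# from the post to a config file, validating it before the service is restarted.
# Assumption: the target file is passed as an argument (default /etc/ssh/sshd_config).

# set_sshd_option FILE KEY VALUE
# Rewrite every existing "KEY ..." line (commented or not) as "KEY VALUE";
# append the directive if the file does not mention it at all.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        # sed -i differs between GNU and BSD, so go through a temporary file
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE: the two changes described in the post.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
}

# sshd_option_value FILE KEY: sshd honours the first uncommented match,
# so report that one (useful to confirm the result before restarting).
sshd_option_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# apply_and_restart FILE: back up, edit, let sshd parse the new file, and
# restart only if it is accepted; otherwise restore the backup.
apply_and_restart() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp "$cfg" "$cfg.bak"
    harden_sshd_config "$cfg"
    if sshd -t -f "$cfg"; then
        service ssh restart
    else
        echo "sshd rejected $cfg, restoring $cfg.bak" >&2
        mv "$cfg.bak" "$cfg"
        return 1
    fi
}

# Run as root: sh harden_sshd.sh --apply [/etc/ssh/sshd_config]
if [ "${1:-}" = "--apply" ]; then
    apply_and_restart "${2:-}"
fi
```

Keep the existing session open while you run it, and confirm the key-based login from a second terminal before closing it.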
2019-10-12T08:01:34-03:00