robertzo Posted August 13, 2021 Share Posted August 13, 2021 1. Use SSH Key Authentication: For Openssh (Mac, Linux, Windows): Run this command to generate an SSH key using the strongest key size (leave everything on default. You can enter a Passphrase, which is the password you would need to enter to connect to the server). ssh-keygen -t ed25519 Then run this command to upload it to your SSH server. ssh-copy-id -i /root/.ssh/id_ed25519.pub root@youripaddress Make sure to replace youripaddress with your IP address. Bonus: If you want to log into the server from another computer but don't want to generate another key (and do all those steps), just copy the private key from your main computer to your other computer and run this command to login: cd Folder ssh -i .\ssh.key root@youripaddress Make sure to replace Folder with the folder your uploaded the SSH Private Key, ssh.key with the private key name, and youripaddress with your IP address. For puTTY and Filezilla (Windows): Go to puTTY Keygen and generate an SSH key. Make sure to select ED25519 as it is the strongest key size. You can also enter a passphrase (a password you need to enter every time you need to log into the SSH server) if you want. Then open up FileZilla and connect to your server (Host is youripaddress, port is 22, username is root, and password is your password). Upload the Public Key to the /root/.ssh folder. Then if you want to connect to your server using SSH keys, just go to SSH < Auth and upload your private key and everything is set. 2. Disable Password Authentication: The reason why you went through all that trouble of setting up SSH keys is so that people cannot access your server with JUST a password (they would need that strong SSH key and maybe even another password if you created a passphrase). To do that run these commands on the REMOTE SERVER: nano /etc/ssh/sshd_config You can vim if you want. Then uncomment the PasswordAuthentication line (remove the pound/number symbol) and change the yes to no. Uncomment the PermitEmptyPasswords line and change it to no (if it is yes). And also change the yes in the UsePAM line to no. Then restart the SSH daemon with this command: systemctl restart sshd 3. Disable Root User Login (Use Your Own User): The default username is root and every hacker knows this. You want to create a new user and disallow root user login. First create a new user by running this command: sudo adduser yourusername Make sure to replace yourusername with a compicanted easy to remember name (Maybe like your friends middle name). Follow the instructions in the terminal. Then exit the SSH session and test if everything works by running this logging into the server but using the username@youripaddress. Then login to your server and run this command: nano /etc/ssh/sshd_config Then change PermitRootLogin to no. 4. Change SSH Port: @balloons Posted below how to do this. 4. Check How Secure You SSH Login is Go to https://ssh-audit.com and enter you IP address and port and they wil tell you how secure your server is and tips to improve the score. 2 Quote Link to comment Share on other sites More sharing options...
balloons Posted August 13, 2021 Share Posted August 13, 2021 This was one of the initial setup steps when I got my VPS. This is very effective as it disables password authentication. I'm also changing the ssh port number. Anyone can imagine port 22, which makes it vulnerable to attack. sudo vi /etc/ssh/sshd_config port 22 # Change this. Ideally any 5 digit number 1 Quote Link to comment Share on other sites More sharing options...
robertzo Posted August 14, 2021 Author Share Posted August 14, 2021 Yeah that is another one that I forgot to add. Make sure to restart the ssh daemon with: Quote Systemctl restart sshd And use this command to login Quote ssh -p root@youripaddress Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.