Apr 02, 2019 Installation of SSH Keys on Linux - A Step-By-Step Guide. Outlined below is a step-by-step guide detailing the process of installing SSH Keys on a Linux server: Step One: Creation of the RSA Key Pair. The first step in the installation process is to create the key pair on the client machine, which would, more often than not, be your own system. Mar 31, 2018 Generate public key and store into a file. It is a simple one liner command to generate a public key from a private key, so lets say our private key is named ‘[email protected]’ and we want to generate the public key and name it ‘authorizedkeys’. Below is the command to do this.
Introduction
Minimizing vulnerabilities in your Secure Shell (SSH) protocol is key to ensuring the security of your Linux environment.
In this article, we cover the most common Linux SSH security measures you can take to make your servers more secure. By changing the default SSH port, using key pairs, and following the other recommended best practices, you can significantly improve the overall security of your system.
What is SSH?
The Secure Shell (SSH) protocol enables cryptographically protected remote system administration and file transfers over insecure networks. Using multiple encryption methods, SSH secures the connection between a client and a server safeguarding the users’ commands, authentication, and output against unauthorized access and attacks.
The SSH protocol is now widely used in data centers and by almost every major enterprise running on any of the UNIX variants.
When it comes to security measures, it is essential to combine them, apply them in layers, and not pick just one and rely on only that solution.
Using a non-standard port for SSH connection helps avoid automated attacks on your server. It also helps reduce the chances of it appearing on a hacker’s radar and makes it a less obvious target.
Note: The majority of hackers who are looking for OpenSSH servers will aim at the default SSH port 22.
In that case, the scripts they are using will look for IP addresses only on port 22. If your server falls into that group, every such automated attack will make an impact on your log files. Consequently, the load on your server may increase substantially since many SSH server exploits are running around the clock knocking on every server’s door.
It is important to note that changing the default SSH port does not improve the security of your server. However, it does help in keeping away automated attacks.
Before you begin, you need to decide which port you will use instead of the default port 22. Before you make a decision, you should consider a few things:
To change the port on your Linux server, follow these steps:
etc/ssh/
directory. If you have never used a text editor within the terminal, it is recommended to use Nano. Otherwise, use vi or vim since they are the most commonly used editors today. We advise you to back up the original file before you make any changes.Port 22
.”#
” at the beginning of the line.Note that now you will need to specify the port when connecting since your client will always use the default SSH port unless told otherwise.
While the procedure for changing the default SSH port does not increase the level of security itself, it takes you off the radar of the most common scans. One easy way to test this is to let your server run for a few days with sshd listening on the default port and then change it to a non-standard one. Compare the number of failed logins on your server, and you will see it decrease substantially.
By using a non-standard port for SSH:
There are some precautions to keep in mind before you decide to change the default port for SSH. The disadvantages of running a non-standard port can mean that:
Some of these disadvantages probably will not apply to your use case but should be taken into consideration. The benefits of changing the port outweigh the drawbacks and prove to be a good additional layer of security for your server.
One of the most secure methods to authenticate clients to servers is by using SSH key pairs. Strong passwords may be sufficient to keep your server safe, but persistent brute force attacks can still crack them. This is why you need additional SSH hardening with key pairs.
SSH keys are resilient to such attacks and are virtually impossible to decrypt. An SSH key pair consists of two long series of characters, a private key which is kept secret, and a public key which can be safely shared. Their purpose is similar to passwords, and they allow you to automatically establish an SSH session without the need to type in a password.
To set up SSH keys, you will need to generate a key pair on the client computer which will be used to connect to the server. To do so:
Enter
when prompted. The key will be saved in the home user’s directory, in the ~/.ssh
directory. To change the location, just type in the new path. The recommendation is to stick with the default location, so you do not have to make any changes to your SSH client. The private, or the identification key, will be saved as id_rsa
and the corresponding public key as id_rsa.pub
.Enter
to continue. The passphrase provides an additional layer of security by encrypting the private key on the local machine. To crack the passphrase, a hacker will need to have access to the system first, since the private key is not exposed on the network. Even then, it will take time to succeed, allowing you to change the used key before the hacker gains access to other servers. The downside is that you will have to enter it every time you try to connect using that key.The process of generating a key pair is complete.
The final screen will look similar to this:
Note: You can make the authentication/authorization even more secure by creating larger 4096-bit keys instead of the default 2048 bits. To do so, append –b 4096
to the ssh-keygen
command. It will look like this:
To use the key pair you’ve created on your machine for SSH authentication, you need to place the public key on the desired server. The simplest way to do so is to use the tool available with OpenSSH:
The procedure is easy:
ssh-copy-id username@your_host_address
.Yes
to continue.~/.ssh/ id_rsa.pub
key to the authorized_keys
file under the ~/.ssh
home directory on the server.Note: No characters will be visible while you are typing the password due to security reasons.
Your public key has been placed on the remote server, and now you can log into it without entering the account’s password.
ssh username@your_host_address
. If successful, you will be automatically logged in. In case you had previously set up a passphrase, you will need to enter it first before you are granted access to the server.Essentially, a public key is not a key. It behaves like a padlock that you can put on an SSH account on another machine. When you run the ‘ssh-keygen’ utility, you generate both the padlock and the key that opens it, id_rsa.pub
and id_rsa
respectively.
You can make as many copies of the padlock as necessary, distribute them to any server you like, and only you will have the right key to unlock them all. This is why it is important to keep the private key safe because it unlocks all the copies of the padlocks you’ve handed out.
It does not matter where you put your public key as long as the master key does not get compromised. Since nobody else possesses the private key, this method for authorization and authentication is probably the safest out there and highly recommended.
Linux server distributions have outside root access enabled by default. This can be a severe security threat since hackers can try to crack the password with brute force attacks. It is recommended to disable root login and use a regular account and a
command to switch to the root user.su
–
Before you disable the root login, make sure that you have added an account that can gain root access. To do so, follow the steps below:
PermitRootLogin_yes
“ and change to PermitRootLogin_no
. You may need to scroll down a few lines to find it.AllowUsers your_username_here
sudo service ssh restart
and for Fedora/CentOS use the service ssh restart
command.If you are using SSH keys for SSH authentication, you can disable the server password authentication altogether. This is another way to keep your server safe from brute-force attacks and attempts to crack your password. Before you proceed, double-check if SSH key-based authentication is working for the root account on the server or for an account with the sudo access.
When you are ready, complete these steps:
PasswordAuthentication
and change to PasswordAuthentication_no
. Make sure to uncomment the line if the #
is present.sudo service ssh restart
and for Fedora/CentOS use the service ssh restart
command.Congratulations, you have successfully disabled the option to log in through SSH using account passwords. SSH Daemon will simply ignore any authentication requests which do not include private/public key pairs.
Iptables is a Linux utility used for configuring firewall rules and monitoring/filtering incoming and outgoing traffic to your server. It is included by default with most Linux distributions.
With iptables, you can define rules that limit or permit traffic for different kinds of services by IP address, port or network protocol and thus substantially improve the security of your server. In our case, we will set firewall rules to restrict the incoming SSH traffic for everyone but one IP address or subnet.
This way, blocking port 22 will not only stop unauthorized access to your servers but can also stop or prevent DDoS attacks.
While taking this step, you should make sure you do not lock yourself out by completely blocking SSH traffic.You will need to use only a few commands to allow a specific IP address or subnet for incoming SSH connections.
Note: Commands are case sensitive.
If you want to view the list of all iptables rules, you can use the iptables
–L
command. To include more details such as packet, byte and target information, append –v
to the command above. Add -n
to all of it and the output will be displayed in numeric format.
In case you want to reset all rules and start clean, use the flush command iptables
. This will clear the iptables configuration which is useful if you are unsure if everything is set up as you want it.–F
Here are some explanations for iptables parameters, options, and values used in the examples above, as well as a few not mentioned before.
Value | Description |
ACCEPT | Allows the packets to pass through |
DROP | Blocks the packets |
RETURN | Tells to skip the current chain and resume at the next rule in the previous (calling) chain |
>Parameter | Description |
-c | counters– allows setting the packet and byte counters of a specific rule |
-d | destination – can be an address, name of a host or address, etc. |
-f | fragment – applies the rule to the second and the fragments that follow it |
-g | goto chain – states that the action will continue in a user-specified chain |
-i | in-interface – states the name of the interface from where packets come |
-j | jump – specifies the action if a packet matches the rule |
-o | out-interface – the name of the interface of an outgoing package |
-p | protocol – any available protocol such as SSH, TCP, UDP, and FTP |
-s | source – can be an address, name of a host or address, etc. |
Chain | Description |
INPUT | Controls the incoming packets |
FORWARDS | Forwards the packets coming to your server but destined for somewhere else |
OUTPUT | Filters packets going out of your server |
Option | Description |
-A | append– adds one (or more) rules of the selected chain |
-C | check – checks for a rule that matches the criteria in the selected chain |
-D | delete – deletes only one rule from the selected chain |
-F | flush – deletes all defined iptables rules |
-I | insert – insert a rule into the selected chain |
-L | list – displays the rules of the selected chain |
-n | numeric – shows the IP address/hostname and return value in a numeric format |
-N | new-chain <name> – creates a new user-defined chain |
-v | verbose – used in the combination with -L to provide additional information |
-X | delete-chain <name> – deletes the user-defined chain |
Conclusion, SSH Security, and Hardening Best Practices
Whether you are building a new server or a virtual machine, it is good practice to implement multiple security layers within your environment. Businesses are usually keen on setting up their infrastructure as soon as possible, but necessary security measures have to be applied right from the start.
If you employ the Linux SSH security methods listed above, you should be able to avoid common security threats in the cloud.
Make it hard for the hackers to penetrate your server(s) and restrict any damage. Make sure you implement as many of these best practices as possible before making your server available on the network.
Next you should also readMinecraft gift code generator activation key download.
Secure Shell is an important protocol for anyone managing and controlling remote machines. This guide covers…
Learn how to set up SSH key authentication on CentOS to safely communicate with remote servers. Create the…
MySQL is an open-source relational database server tool for Linux operating systems. It is widely used in…
This guide is for users who have already configured a CentOS server and installed the Apache HTTP services,…