Posted

1. Use SSH Key Authentication:

For OpenSSH (Mac, Linux, Windows):

Run this command to generate an SSH key using the strongest key size (leave everything on default; you can enter a passphrase, which is the password you would need to enter to connect to the server).

ssh-keygen -t ed25519

Then run this command to upload it to your SSH server.

ssh-copy-id -i /root/.ssh/id_ed25519.pub root@youripaddress

Make sure to replace youripaddress with your IP address.

Bonus: If you want to log into the server from another computer but don't want to generate another key (and do all those steps), just copy the private key from your main computer to your other computer and run this command to log in:

cd Folder
ssh -i .\ssh.key root@youripaddress

Make sure to replace Folder with the folder you uploaded the SSH private key to, ssh.key with the private key name, and youripaddress with your IP address.

For PuTTY and FileZilla (Windows):

Go to PuTTY Keygen and generate an SSH key. Make sure to select ED25519 as it is the strongest key size. You can also enter a passphrase (a password you need to enter every time you need to log into the SSH server) if you want.

Then open up FileZilla and connect to your server (Host is youripaddress, port is 22, username is root, and password is your password). Upload the public key to the /root/.ssh folder.

Then if you want to connect to your server using SSH keys, just go to SSH > Auth and upload your private key and everything is set.

 

2. Disable Password Authentication:

 

The reason why you went through all that trouble of setting up SSH keys is so that people cannot access your server with JUST a password (they would need that strong SSH key and maybe even another password if you created a passphrase). To do that run these commands on the REMOTE SERVER:

nano /etc/ssh/sshd_config

You can use vim if you want.

Then uncomment the PasswordAuthentication line (remove the pound/number symbol) and change the yes to no. Uncomment the PermitEmptyPasswords line and change it to no (if it is yes). And also change the yes in the UsePAM line to no.

Then restart the SSH daemon with this command:

systemctl restart sshd

 

3. Disable Root User Login (Use Your Own User):

 

The default username is root and every hacker knows this. You want to create a new user and disallow root user login.

First create a new user by running this command:

sudo adduser yourusername

Make sure to replace yourusername with a complicated, easy-to-remember name (maybe like your friend's middle name). Follow the instructions in the terminal. Then exit the SSH session and test if everything works by logging into the server using username@youripaddress.

Then login to your server and run this command:

nano /etc/ssh/sshd_config

Then change PermitRootLogin to no.

 

4. Change SSH Port:

 

@balloons posted below how to do this.

 

5. Check How Secure Your SSH Login Is

Go to https://ssh-audit.com and enter your IP address and port and they will tell you how secure your server is and give tips to improve the score.

  • Like 2
Posted

This was one of the initial setup steps when I got my VPS.
This is very effective as it disables password authentication.

I'm also changing the ssh port number.
Anyone can imagine port 22, which makes it vulnerable to attack.

sudo vi /etc/ssh/sshd_config
port 22     # Change this. Ideally any 5 digit number

 

  • Like 1
Posted

Yeah that is another one that I forgot to add. 

Make sure to restart the ssh daemon with: 

Quote

systemctl restart sshd

And use this command to log in:

Quote

ssh -p yourport root@youripaddress
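
Added example, not part of the original posts: a small shell audit of the sshd_config settings this thread changes. It applies sshd's rule that the first value read for a keyword wins, so an uncommented line lower in the file can be silently ignored. The function names and the sample file are assumptions made for illustration, and the fallback defaults are upstream OpenSSH's (a distribution may ship different ones).

```shell
# Print the first global value of keyword $2 in file $1. sshd keeps the first
# value it reads; keywords are case-insensitive. Stops at the first Match block.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }    # conditional section, not global
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# $1=file $2=keyword $3=value the thread recommends $4=upstream default if unset
check() {
    val=$(effective_value "$1" "$2")
    [ -n "$val" ] || val=$4
    if [ "$val" = "$3" ]; then
        echo "ok    $2 $val"
    else
        echo "FAIL  $2 is '$val', thread recommends '$3'"
        return 1
    fi
}

# Returns the number of settings that differ from the thread's advice.
audit_sshd_config() {
    fails=0
    check "$1" PasswordAuthentication no yes || fails=$((fails + 1))
    check "$1" PermitEmptyPasswords no no || fails=$((fails + 1))
    check "$1" PermitRootLogin no prohibit-password || fails=$((fails + 1))
    port=$(effective_value "$1" Port); port=${port:-22}
    case $port in
        22) echo "note  Port is still the default 22" ;;
        *[!0-9]*) echo "FAIL  Port '$port' is not a number"; fails=$((fails + 1)) ;;
        *) [ "$port" -le 65535 ] || { echo "FAIL  Port $port is above 65535"; fails=$((fails + 1)); } ;;
    esac
    return "$fails"
}

# Constructed sample: the later "no" line was edited, but the earlier "yes" wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22022
PasswordAuthentication yes
#PermitEmptyPasswords no
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? setting(s) differ from the thread's advice"
```

On a real server, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration; running them before restarting the daemon, with an existing session kept open, avoids locking yourself out.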

 
