What about SSH Keys


One effective way of hardening your VPS or dedicated server is to log in over SSH with SSH keys instead of a password. Passwords, although the most common way to access a server, are not the most secure option, because they are vulnerable to brute-force attacks. SSH keys, on the other hand, are practically immune to brute force.

The process consists of generating a key pair, which gives you two strings of characters: a public key and a private key. You place the public key on any server, and then unlock it by connecting with a client that holds the matching private key. When the two match, the system lets you in without asking for a password.

Create the RSA Key Pair


First, you need to create the key pair on the client machine by issuing the following command:

ssh-keygen -t rsa

Store the Keys and Passphrase


Once you have entered the keygen command, you will be presented with the following questions:

Enter file in which to save the key (/home/admin/.ssh/id_rsa):

You can press Enter to save the file in the user's home directory (in this example the user is called admin).

Enter passphrase (empty for no passphrase):

A passphrase is optional. If you choose to use one, you gain the extra security of having to enter it each time you use the key. If the passphrase does not match, you, or anyone else holding your private key, will not be able to connect.

Once you enter the ssh-keygen command, you will go through a process like the following:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
4a:ee:4a:e5:69:8r:5d:e5:89:25:6d:14:85:6f:55:23 admin@a
The key's randomart image is:
+--[ RSA 2048]----+
|          .oo.   |
|         .  o.D  |
|        + .  o   |
|     . = = .     |
|      = F = .    |
|     o + = +     |
|      . o + o .  |
|           . o   |
|                 |
+-----------------+

Your public key is now located in /home/admin/.ssh/id_rsa.pub and the private key in /home/admin/.ssh/id_rsa.

Copy the Public Key


Now that the key pair has been generated, you can place the public key on the virtual or dedicated server you are going to use.

Copy the public key into the new machine's authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.

ssh-copy-id user@123.123.123.123

You should see output like this:

The authenticity of host '123.123.123.123 (123.123.123.123)' can't be established.
RSA key fingerprint is 4a:ee:4a:e5:69:8r:5d:e5:89:25:6d:14:85:6f:55:23.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '123.123.123.123' (RSA) to the list of known hosts.
user@123.123.123.123's password: 

Now try to log in to the server with ssh user@123.123.123.123 and check the contents of:

~/.ssh/authorized_keys

This confirms that no extra keys you were not expecting have been added.

Now you can log into user@123.123.123.123 without being prompted for a password. If you set a passphrase, you will be asked for the passphrase instead.

Disable the Password for Root Login


After you have copied your SSH keys to your server, and only after you have confirmed that you can log in with the SSH keys alone, you can restrict root login so that it is permitted only via SSH keys.

To accomplish this, open the SSH daemon configuration file with your editor of choice:

sudo vi /etc/ssh/sshd_config

Within the file, look for the line that includes PermitRootLogin and modify it so that root can only connect with an SSH key, as follows (newer OpenSSH releases spell this value prohibit-password; without-password is still accepted as an alias):

PermitRootLogin without-password

To commit the changes, issue the following command (this is the Upstart form used on older Ubuntu releases; on systemd-based systems use systemctl reload ssh or systemctl reload sshd, depending on the distribution):

reload ssh
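An added check, not part of the original article, for verifying the result of this section and the authorized_keys review above: a POSIX shell script that reads an sshd_config the way sshd does (the first value of a keyword wins, and anything after a Match block is conditional) and reports whether password logins are really off, since PermitRootLogin only restricts root while PasswordAuthentication governs every other account. The file paths and the sample configs and keys are assumptions constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the original article: audit an sshd_config
# the way sshd reads it, and list what is in an authorized_keys file.
# File paths are arguments; the sample files below are constructed for the demo.
# sshd uses the FIRST value it meets for a keyword (case-insensitive);
# lines after a Match block are conditional, so parsing stops there.
effective_value() {   # usage: effective_value FILE keyword-in-lowercase
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == key { print tolower($2); exit }
  ' "$1"
}

# Returns 0 only when root cannot log in with a password AND password
# authentication is off for every account (PermitRootLogin covers root only).
audit_sshd_config() {   # usage: audit_sshd_config FILE
  root=$(effective_value "$1" permitrootlogin)
  pass=$(effective_value "$1" passwordauthentication)
  rc=0
  case "$root" in
    no|prohibit-password|without-password) ;;
    *) echo "root password login possible: PermitRootLogin=${root:-<default>}"; rc=1 ;;
  esac
  case "$pass" in
    no) ;;
    *) echo "password logins still allowed: PasswordAuthentication=${pass:-<default>}"; rc=1 ;;
  esac
  return $rc
}

# Prints "keytype comment" for each key (skipping a leading options field),
# so an entry you did not add stands out when you review authorized_keys.
list_authorized_keys() {   # usage: list_authorized_keys FILE
  awk '!/^[[:space:]]*(#|$)/ {
    for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
      print $i, ($(i+2) == "" ? "(no comment)" : $(i+2)); break } }' "$1"
}

# Demo with constructed files: the first config only follows this article
# (root restricted), the second also turns passwords off for everyone.
tmp=$(mktemp -d)
printf 'Port 22\nPermitRootLogin without-password\n' > "$tmp/root_only"
printf 'PasswordAuthentication no\nPermitRootLogin no\nMatch User backup\nPasswordAuthentication yes\n' > "$tmp/hardened"
printf '# my keys\nssh-rsa AAAAB3Nza... admin@laptop\nfrom="10.0.0.5" ssh-ed25519 AAAAC3Nz... deploy\n' > "$tmp/auth"
for f in root_only hardened; do
  if audit_sshd_config "$tmp/$f"; then echo "$f: OK"; else echo "$f: NOT hardened"; fi
done
list_authorized_keys "$tmp/auth"
rm -rf "$tmp"
```

Run it against the real files with audit_sshd_config /etc/ssh/sshd_config and list_authorized_keys ~/.ssh/authorized_keys after reloading the daemon.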

Conclusion


That's it! Now you can access your dedicated or VPS server through SSH using the newly created SSH key pair. No brute-force attack will be successful against a server that does not allow password logins.
