Securing Your Linux Instance Using SSH

Are you tired of constantly worrying about your server’s security?

To set the stage, RSA keys. An RSA key pair is an asymmetric key: the server holds your public key, and when you connect your client proves it has the matching private key by signing a challenge, so you authenticate without typing a password. To set up RSA keys on your server:

1. Generate an RSA key pair on your local machine using the ssh-keygen command. This creates two files, one public and one private. The public file is what we’ll share with the server; the private file never leaves your local machine.

2. Copy the contents of the public key to your clipboard (or save it as a text file) using the following command:

# Generate an RSA key pair. Recent OpenSSH releases default to ed25519, so ask
# for RSA explicitly to get ~/.ssh/id_rsa (private, stays here) and
# ~/.ssh/id_rsa.pub (public, the only file we share with the server).
ssh-keygen -t rsa -b 4096

# Copy the public key to the clipboard (or just cat it and copy the output).
pbcopy < ~/.ssh/id_rsa.pub              # macOS
xclip -sel clip < ~/.ssh/id_rsa.pub     # Linux (X11); needs the xclip package

3. Log in to your server via SSH and add the public key using this command:

# Make sure the key directory exists with permissions sshd will accept
# (with StrictModes, the default, a group- or world-writable ~/.ssh is rejected).
mkdir -p ~/.ssh && chmod 700 ~/.ssh

# Append the key. The heredoc runs until the line containing EOF; quoting 'EOF'
# stops the shell from expanding anything in the pasted line, and >> appends to
# authorized_keys instead of overwriting keys that are already there.
cat << 'EOF' >> ~/.ssh/authorized_keys
# Paste your copied RSA public key on the next line (one key per line)
EOF
chmod 600 ~/.ssh/authorized_keys

4. Restrict access to authorized keys only by editing the sshd_config file:

# Open the sshd_config file for editing (add sudo if you're not root)
nano /etc/ssh/sshd_config

# Put the following directives in the global section, i.e. above any "Match"
# line. Everything after "Match Group sshusers" applies only to members of that
# group (Match does not create the group), so placing them there would leave
# password logins enabled for everyone else.

# Accept public-key authentication ...
PubkeyAuthentication yes

# ... and turn off password logins and keyboard-interactive (PAM) prompts,
# the two paths an online password-guessing attack uses.
PasswordAuthentication no
ChallengeResponseAuthentication no   # called KbdInteractiveAuthentication in OpenSSH 8.7+

# Where sshd looks for each user's authorized public keys (relative to their home)
AuthorizedKeysFile .ssh/authorized_keys

5. Restart the SSH service:

# Restart sshd so the new settings take effect. Which command applies depends
# on the distro's init system, not on privileges; add sudo if you're not root.
sudo systemctl restart sshd   # systemd (unit is "sshd" on RHEL/Fedora, "ssh" on Debian/Ubuntu)
sudo service ssh restart      # SysV-style init scripts

That’s it! Now, whenever you connect to your server via SSH from your local machine, you won’t have to enter a password. And since we restricted access to authorized keys only, no one else can log in without having the correct RSA key pair.

Let’s talk about changing the default SSH port number. Most bots and scanners only probe port 22, so moving sshd elsewhere cuts the noise of automated login attempts; a full port scan will still find it, so treat this as an add-on to key-only logins, not a substitute. To change the default SSH port (22) to something else:

1. Edit the sshd_config file again:

# Open the sshd_config file again (add sudo if you're not root)
nano /etc/ssh/sshd_config

# Uncomment the "#Port 22" line and set the new value, keeping it out of any
# Match block. Open the new port in the host firewall (and, on SELinux systems,
# add it to the ssh port type) before restarting, or you'll lock yourself out.
Port 42069

# Save the file and exit the editor.

2. Restart the SSH service:

# Restart sshd; as before, the command depends on the init system, and sudo
# is only needed if you're not root.
sudo systemctl restart sshd   # systemd (unit is "sshd" on RHEL/Fedora, "ssh" on Debian/Ubuntu)
sudo service ssh restart      # SysV-style init scripts

That’s it! Connections to port 22 are now refused, because sshd only listens on the new port (42069); clients have to specify it explicitly (ssh -p 42069 user@server) to reach the SSH service.
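The configuration edits from steps 4 and 5 of the key setup and the port change above, carried out by a script instead of by hand, as an added example that is not code from the original post. It assumes OpenSSH's sshd_config syntax, a POSIX sh with awk, and a systemd unit named sshd; the script name harden-ssh.sh and its --apply flag are my own, and the file path is a parameter so you can try it on a copy first.

```shell
#!/bin/sh
# Added example (not from the original post): set the key-only directives and
# the new Port (42069, the post's value) in an sshd_config idempotently, keep a
# backup, and only restart once sshd accepts the file.
set -eu

# set_directive FILE KEY VALUE: rewrite the first global KEY line (commented or
# not) as "KEY VALUE"; if there is none, insert it before the first Match block
# (a Match block would otherwise scope the directive to one group) or append it.
set_directive() {
  file=$1 key=$2 value=$3 tmp="$1.tmp.$$"
  awk -v key="$key" -v value="$value" '
    BEGIN { lk = tolower(key); done = 0 }
    !done && tolower($1) == "match" { print key " " value; done = 1 }
    !done {
      line = $0; sub(/^[# \t]*/, "", line)           # strip leading "#" and blanks
      n = split(line, f, /[ \t]+/)
      if (n && tolower(f[1]) == lk) { print key " " value; done = 1; next }
    }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}
# global_value FILE KEY: print the value the global section sets for KEY.
global_value() {
  awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }
    $1 !~ /^#/ && tolower($1) == lk { print $2; exit }
  ' "$1"
}
# harden_sshd_config FILE [PORT]: the settings from steps 4 and 5 plus the Port.
harden_sshd_config() {
  cfg=$1 port=${2:-42069}
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
  set_directive "$cfg" PubkeyAuthentication yes
  set_directive "$cfg" PasswordAuthentication no
  set_directive "$cfg" ChallengeResponseAuthentication no
  set_directive "$cfg" AuthorizedKeysFile .ssh/authorized_keys
  set_directive "$cfg" Port "$port"
}

# Usage (as root): ./harden-ssh.sh --apply [/etc/ssh/sshd_config] [port]
# sshd -t parses the file without starting, so a typo is caught before the
# restart; keep your current session open until a key login on the new port works.
if [ "${1:-}" = "--apply" ]; then
  cfg=${2:-/etc/ssh/sshd_config}
  harden_sshd_config "$cfg" "${3:-42069}"
  sshd -t -f "$cfg" && systemctl restart sshd
fi
```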

And there you have it! By following these simple steps, you can secure your Linux instance using SSH like a pro.
