This will just be some quick and dirty notes about securing ssh.
The first step in securing ssh is to stop using passwords and start using ssh keys. Which to be completely honest, looks like using a password but just more cumbersome. SSH keys look like random characters and if you have the key, then I don’t see how it’s not any different from a very long password. Maybe it is the same thing and I’m misunderstanding something. Either way github forced me to start using ssh keys so I figured its about time I learned how to use them and start implementing them.
This another point in favor of how setting defaults makes everything better!
To generate a new ssh key, as I don’t want to re-use my existing keys:
> ssh-keygen -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/home/nivethan/.ssh/id_rsa): id_rsa_test Enter passphrase (empty for no passphrase): Enter same passphrase again:
The -b specifies how many bits to use, the min is 1024, the default is 2048 and the number on various sites is 4096!
By default, the key will get generated overwriting id_rsa which can really screw you so I like creating seperate keys. By giving a filename, this will generate id_rsa_test which is the private key and a id_rsa_test.pub which is the public key. This key is what we need to append to the destination server’s ~/.ssh/authorized_keys file.
Once the key is generate we can use scp or filezilla or a usb stick to move the public key over.
Once the public key is added to the authorized_keys file, we can then test our ssh connection by doing the following command:
> ssh -o "IdentitiesOnly=yes" -i ~/.ssh/id_rsa_test firstname.lastname@example.org
This will make it so that ssh will use the key that you want to use when connecting.
If this command works, we can now safely disable using root over ssh and change the ssh port as well.
To secure ssh on our destination machine, we’re going to update /etc/ssh/sshd_config.
The first thing we’ll do is disable root from logging in via ssh:
The next thing we want to do is, change the ssh port from the default 22 to something random. We can choose any port between 1024 and 65536, inclusive/exclusive/who knows.
That’s it! Easy peasy lemon squeezy! Now we can restart ssh.
> sudo service ssh restart
Now, because we changed our default port, the command to connect over ssh will change slightly as we need to specify the port:
> ssh -o "IdentitiesOnly=yes" -i ~/.ssh/id_rsa_test email@example.com -p 12331
Now we are good to go!
I do a lot of file transfer with Filezilla so I also needed to set up my keys here as well. For this, I actually copied over the private key file to my windows machine. Now when you go to set up a connection, I change the Logon Type to be Key file.
This will ask for the username and the path to the keyfile. Once those two things are filled in, filezilla is good to go.
You also need to make sure that the port is set in filezilla as it will also use the default 22.
It’s actually pretty crazy that in my head I thought this would be a lot shorter than it was. I remember thinking that setting up SSH keys is pretty simple and that it’ll only take a few words and then its just a bunch of commands but it ended up being a bit longer than I thought. I guess it’s good to write things out and this will be helpful when I forget and need to refer back to something. I could just bookmark one of the many guides that exist to securing ssh as they all basically say the same thing but I think there is something to explicitly doing it yourself. I know how I think and I know how i want the commands laid out for me and I know which parts I can skip and which parts are important. So writing is good. Long winded way of saying that.