HOW TO SETUP SSH KEYS AND SECURE ACCESS TO YOUR VPS

Aug 30, 2020

So you finally decided to get yourself a Virtual Private Server and move from the shared web hosting solutions that you usually get from your domain registrar provider. In most cases you will start using it straight away and publish your website or web application without thinking about best practices for a production server.

You will probably be just fine using the root account, which is usually the default account you get, or creating a user, giving it sudo privileges and keeping on logging in with a password. But if you really want to keep your server secure, you will want to disable root login and set up SSH keys to avoid brute-force attacks.

In this tutorial we will go through some initial useful steps we should take before deploying the server to production.

TO FOLLOW ALONG YOU WILL NEED A GNU/LINUX OPERATING SYSTEM ON YOUR LOCAL MACHINE

  1. Creating a non-root account and giving it sudo privileges
  2. Setting up basic firewall rules
  3. Disabling root login
  4. Generating the public and private SSH keys on your local machine
  5. Copying the public key to your server and testing access
  6. Disabling password login

I will explain the necessary steps for both Debian-based distros and CentOS, as they are very similar and most VPSs come with one of the two installed.

First of all, SSH stands for Secure Shell and it is an encrypted protocol that allows server admins to manage servers remotely. We will log in to our server from a terminal emulator with the following command:

$ ssh root@IPAddress 

We will then be prompted for the root password and be logged in to the server.

STEP 1: CREATING A NON-ROOT ACCOUNT AND GIVING IT SUDO PRIVILEGES

Creating a non-root user:

#  adduser joe

Setting a password for our user:

# passwd joe

Adding the user to the sudoers file:

On Debian:

# usermod -aG sudo joe

On CentOS

# usermod -aG wheel joe 

STEP 2: SETTING UP BASIC FIREWALL RULES

Most VPSs come with a firewall installed, but in case it is not yet installed we can install it.

First let’s make sure the system is up to date with the following command:

On Debian:

# apt update && apt upgrade -y

On CentOS

# yum check-update
# yum update

Install firewall

On Debian

# apt install ufw 

On CentOS

# yum install firewalld 

Allow SSH connections, which opens port 22 so that we can log back in:

On Debian

# ufw allow OpenSSH 

On CentOS

# firewall-cmd --zone=public --permanent --add-service=ssh 

Now we can enable the firewall with the following:

On Debian

# ufw enable

On CentOS

# systemctl start firewalld 

We can also test that everything is running:

On Debian

# ufw status

On CentOS

# systemctl status firewalld 

The output should show the status of the firewall and the rules applied. If the status is active and the SSH rule is in place, we can log out and log back in with our new user.

STEP 3: DISABLING ROOT LOGIN

To disable root login we have to edit the /etc/ssh/sshd_config file:

$ sudo nano /etc/ssh/sshd_config 

Locate the line PermitRootLogin yes and change it to PermitRootLogin no. Then add the line AllowUsers joe to the file, so that only joe is allowed to log in over SSH.

Restart the sshd service for the changes to take effect.

$ sudo systemctl restart sshd 

STEP 4: GENERATING THE SSH KEYS ON YOUR LOCAL MACHINE

To generate the SSH keys run the following command on your local machine:

$ ssh-keygen -t rsa -b 4096 

When asked to "Enter file in which to save the key", type a name for the key, e.g. mykey. Press Enter, and on the next step you can provide a passphrase if you wish. Press Enter again and you should get a message similar to this:

The key's randomart image is:
+---[RSA 4096]----+
|     .o..o  .. o.|
|      .o.o+...ooo|
|      . o++..+*..|
|       o.+ .o+oo |
|        S .. o+ .|
|         .+ +o + |
|         o.B+ *  |
|          .==* E |
|          ...oo  |
+----[SHA256]-----+

This generates a key pair in the .ssh/id_rsa folder: the private key mykey and the public key mykey.pub.

STEP 5: COPYING THE PUBLIC KEY TO THE SERVER

We will use the ssh-copy-id tool to do this, pointing it at the public key we just generated:

$ ssh-copy-id -i $HOME/.ssh/id_rsa/mykey.pub joe@IPAddress

If the output of this command looks similar to the one below, we are all set.

Output
Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'joe@IPAddress'"
and check to make sure that only the key(s) you wanted were added.

If we try to log in now, we should be logged in automatically without being prompted for a password.
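Two checks worth doing at this point, before Step 6 removes the password fallback, as an added example that is not part of the original post: fix the server-side permissions that most often make sshd ignore a freshly copied key, and confirm that key-only login actually works. It assumes GNU stat (present on Debian and CentOS); the key path, user and IPAddress are the tutorial's own placeholders.

```shell
#!/bin/sh
# Added check for Step 5 (not part of the original post). sshd's default
# StrictModes rejects a ~/.ssh or authorized_keys that is group- or
# world-writable, which is the usual reason a freshly copied key still
# prompts for a password. Assumes GNU stat (Debian/CentOS both ship it).
set -eu

# mode_of PATH: octal permission bits, e.g. 700
mode_of() { stat -c %a "$1"; }

# fix_ssh_perms DIR: enforce 0700 on DIR, 0644 on *.pub and 0600 on every
# other file (authorized_keys, private keys, config). Run as the user that
# owns DIR. Returns 0 when DIR ended up with mode 700.
fix_ssh_perms() {
  dir=$1
  chmod 700 "$dir"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue            # skip subdirectories and a bare glob
    case "$f" in
      *.pub) chmod 644 "$f" ;;
      *)     chmod 600 "$f" ;;
    esac
  done
  [ "$(mode_of "$dir")" = 700 ]
}

# key_login_works KEY USER HOST: returns 0 only if public-key auth alone,
# with no password fallback and no interaction, gets a command run on HOST.
# Do this from a second terminal before setting PasswordAuthentication no
# in Step 6, so a non-working key cannot lock you out.
key_login_works() {
  ssh -i "$1" -o BatchMode=yes -o PasswordAuthentication=no \
      -o ConnectTimeout=10 "$2@$3" true
}

# Usage on the server:    fix_ssh_perms "$HOME/.ssh"
# Usage on your machine:  key_login_works "$HOME/.ssh/id_rsa/mykey" joe IPAddress
```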

STEP 6: DISABLING PASSWORD LOGIN

We should now be logged in to the server, and we will disable login with a password.

$ sudo nano /etc/ssh/sshd_config  

Look for the line PasswordAuthentication yes and change it to PasswordAuthentication no.

We have to restart the service for the changes to take effect with:

$ sudo systemctl restart sshd

If we attempt to log in from another machine with just a password, the login is rejected with an error, which is what we want. Our server is secure as long as we keep our private key secure.
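Because a stock Debian sshd_config ships some of these directives commented out (for example "#PermitRootLogin prohibit-password"), a plain search for "PermitRootLogin yes" can miss them. The following helper, an added example that is not part of the original post, applies the Steps 3 and 6 edits regardless of how the line currently looks, keeps a backup, and checks the syntax before you restart sshd. It assumes POSIX sh and awk; the file path and user are the tutorial's placeholders.

```shell
#!/bin/sh
# Added helper for Steps 3 and 6 (not part of the original post).
# Rewrites sshd_config directives whether they are present, commented out,
# or absent. Assumes POSIX sh/awk; leaves Match blocks untouched.
set -eu

# set_directive FILE KEY VALUE: replace the first KEY line (commented or not)
# with "KEY VALUE", drop later duplicates, append if absent. Directives
# inside a Match block apply conditionally, so they are left alone.
set_directive() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/)
      name = tolower(f[1]); commented = ($0 ~ /^[ \t]*#/) }
    !inmatch && !commented && name == "match" {
      if (!done) { print k, v; done = 1 }; inmatch = 1 }
    !inmatch && name == tolower(k) { if (!done) { print k, v; done = 1 }; next }
    { print }
    END { if (!done) print k, v }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # keep the original file's mode and owner
  rm -f "$tmp"
}

# get_directive FILE KEY: the value sshd will use (first uncommented match
# before any Match block). Lets you verify the result before restarting.
get_directive() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == k { print $2; exit }
  ' "$1"
}

# harden_sshd_config FILE USER: back up FILE and apply the tutorial's three
# directives; FILE.bak is there for rollback if the restart locks you out.
harden_sshd_config() {
  cp "$1" "$1.bak"
  set_directive "$1" PermitRootLogin no
  set_directive "$1" PasswordAuthentication no
  set_directive "$1" AllowUsers "$2"
}

# check_sshd_config FILE: syntax-check before "systemctl restart sshd";
# a broken config would otherwise leave the daemon unable to start.
check_sshd_config() { sshd -t -f "$1"; }

# Usage: harden_sshd_config /etc/ssh/sshd_config joe && check_sshd_config /etc/ssh/sshd_config
```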

STEP 7: USING AN ALIAS FOR THE LOGIN COMMAND

I know, step 7 was not planned, but for those who had the patience to get this far, here is a quick trick to log in to your server faster in the future.

We can create an alias, e.g. vps, in the .bashrc file on our local machine, so that instead of typing ssh joe@IPAddress we can just use the alias.

Type the following command:

$ echo "alias vps='ssh -i $HOME/.ssh/id_rsa/mykey joe@IPAddress'" >> $HOME/.bashrc 

Open a new terminal (or run source $HOME/.bashrc in the current one) and now we can type:

$ vps

and it will do the magic for us.


:wq

Last updated 28 Sep. 2020. Built with Emacs 27.1 (Org mode 9.3.7).
