Best Practices for Securing Remote Connections (SSH) to VPS

Blog, November 28, 2023

Recently, I purchased a Linux-based VPS for LABS. This is my diary regarding the LABS.

From a security standpoint, it’s recommended that all customers use SSH keys instead of traditional passwords when connecting via SSH. SSH keys are like a "keycard" to access your server without a password.

  • Download PuTTY (includes PuTTY SSH Client, PuTTYgen and Pageant):
    https://www.putty.org/
  • A Terminal, CMD, PowerShell, MobaXterm,…
  • Ubuntu 20.04

Unlike a password, the private SSH key is never sent to the server. You do still have to protect your private key with a passphrase.

Generate SSH Keys

Linux or macOS:

ssh-keygen -t rsa

Filename:
You will be prompted to supply a filename (for saving the key pair) and a password (for protecting your private key).

Password:
Enter a password that contains at least 5 characters, and then press Enter or Return.

If you press Enter or Return without entering a password, your private key will be generated without password-protection.

If you press Enter or Return without typing a filename, the default filename and path are used (~/.ssh/id_rsa for RSA keys).

The corresponding public key will be generated using the same filename (but with a .pub extension) and stored in the same location (for example, ~/.ssh/id_rsa.pub).

Windows

Use PuTTY (PuTTYgen) to generate the key pair in a second.


(Source: NREADY.NET Blog)

Assign a Key Passphrase:
As shown in the image above, assigning a key passphrase enhances the private key’s security by encrypting (and decrypting) your private key locally. The key passphrase acts as another layer of security when connecting to your server, almost like 2FA.

Upload SSH Public Keys to the VPS

There are many ways to perform the task, such as using FTP or the console. To keep it simple, I use the console.

Log yourself in via SSH as root. Create the right directory and switch to it:

mkdir -p /root/.ssh && cd /root/.ssh

There are two ways:

1. Create and open the authorized_keys text file with this command:

nano authorized_keys

Paste in your whole public key and save the file by pressing CTRL + O. To exit the editor, use CTRL + X.

2. If the id_rsa.pub file has already been copied to your home directory on the remote machine, append its content to ~/.ssh/authorized_keys:

cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
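The upload step above, as an added shell example that is not part of the original post: it appends a public key only once, rejects input that is not a single public key line, and sets the permissions sshd expects. The function name install_pubkey and the sample key are assumptions made for illustration.

```shell
# Added example: install_pubkey is a hypothetical helper, not from the original post.
# Usage: install_pubkey <public-key-file> [ssh-dir]   (ssh-dir defaults to ~/.ssh)
install_pubkey() {
    pub_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth_file=$ssh_dir/authorized_keys

    # A public key file is exactly one line: "<type> <base64 blob> [comment]".
    # This also rejects a multi-line private key pasted by mistake.
    if [ "$(grep -c . "$pub_file" 2>/dev/null)" != 1 ]; then
        echo "expected exactly one key line in $pub_file" >&2
        return 1
    fi
    key_line=$(grep . "$pub_file")
    case $key_line in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac

    # sshd (StrictModes) ignores keys in files that others can write to.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Match on "type blob" only, so a different comment is not a new key.
    key_id=$(printf '%s\n' "$key_line" | awk '{ print $1 " " $2 }')
    grep -qF -- "$key_id" "$auth_file" && return 0
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Demo in a scratch directory with a constructed key (placeholder blob, not a real key).
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder lab@example' > "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh"    # second run appends nothing
```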

Authenticating to VPS Using SSH Keys

We can use the SSH private key with:
PuTTY


(Source: NREADY.NET Blog)

Console
If you are using the default file name and path (~/.ssh/id_rsa), there is no need to specify the private key manually. Just open an SSH session normally.

ssh root@<IP>

If the private key you’re using does not have the default name, or is not stored in the default path ~/.ssh/id_rsa, there are two options:

Specific file:

ssh -i <path> root@<IP>

or SSH client configuration file:

SSH gets configuration data from the following sources (in this order):

  1. From command-line options
  2. From the user’s client configuration file (~/.ssh/config), if it exists
  3. From the system-wide client configuration file (/etc/ssh/ssh_config)

To make SSH automatically invoke the private key host_key, stored in the ~/.ssh/old_keys directory, create a ~/.ssh/config file with these lines included:

Host <your_host or IP>
IdentityFile ~/.ssh/old_keys/host_key

Enter the Passphrase to connect to the VPS.

Without Passphrase?

As an alternative to inserting your private key into PuTTY, you can use Pageant, which comes with PuTTY.

If you use Pageant, you don’t need to type in your passphrase over and over again when your private key is secured with a passphrase.

Search for Pageant in the Windows search bar. After starting the program, import a private key into Pageant: right-click the Pageant icon and click Add Key.

The file explorer will open. Select your private key, then enter its passphrase.

Now you can log in to your server without being prompted for your passphrase every time you start an SSH connection.

You need to import your private key again after rebooting your local computer.

Disabling Password Authentication on your Server

After choosing SSH key authentication as your login method, the next step is server security. To disable password authentication, open sshd_config with this command:

nano /etc/ssh/sshd_config

Now set the following values:

Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

Save your changes with CTRL + O and close the editor with CTRL + X.

Do not forget to restart the ssh service (Ubuntu):

systemctl restart sshd

On most Linux distributions, you can issue the following command to do that:

sudo systemctl restart ssh
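A check for the settings above, as an added shell example that is not part of the original post: sshd uses the first value it finds for each keyword, so a PasswordAuthentication no line appended below an earlier yes has no effect. The helper names and the sample file are assumptions made for illustration.

```shell
# Added example (helper names are hypothetical, not from the original post).
# Print the value sshd takes for a keyword from the global part of a config
# file: keywords are case-insensitive and the FIRST occurrence wins.
# Assumptions: "Keyword value" syntax; Include files and Match blocks are not evaluated.
effective_sshd_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == want { print $2; exit }
    ' "$2"
}

# Check the settings from the post; each must be set explicitly.
audit_sshd_config() {
    cfg=$1
    rc=0
    for pair in PubkeyAuthentication:yes PasswordAuthentication:no \
                ChallengeResponseAuthentication:no; do
        key=${pair%%:*}
        expected=${pair#*:}
        actual=$(effective_sshd_value "$key" "$cfg")
        if [ "$actual" = "$expected" ]; then
            echo "OK   $key $actual"
        else
            echo "FAIL $key is '${actual:-unset}', expected '$expected'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: "PasswordAuthentication no" was appended at the end,
# but an earlier line still says yes, so password logins stay enabled.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
audit_sshd_config "$sample_cfg" || echo "fix the first PasswordAuthentication line"
```

On the server itself, `sshd -t` validates the file before the restart and `sshd -T` prints the effective configuration with Include files resolved. Keep the current session open until a new key-based login has succeeded.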

Ref:
https://kb.iu.edu/d/aews
https://en.wikipedia.org/wiki/Ssh-keygen
https://contabo.com/blog/best-practices-to-secure-your-vps-hardening/


HCM, 28 Nov 2023
Nam Le, https://nready.net

