Server SSH Key Security

in #programming7 years ago

SSH keys security

SSH (Secure Shell) is the default way to access a remote Linux server. This post will cover securing server access by disabling direct access to the root user and using public/private keys instead of passwords for login.

Restrict root login

A new Linux server, ubuntu in this example, only contains a root user. The root user is very important and allows unrestricted access to the entire system. Since the root user is unrestricted it isn't a good idea to allow people to directly login to the system as root. One or more users should be created so their access can be tailored to the individual's/group's specific requirements. If a malicious agent gains access to the system they will be restricted to the rights of the user they were able to penetrate with. Granting a user full sudo permissions isn't as big of a problem because attacks against root itself are still negated. The attacker will have to figure out the name of the user with sudo permissions, crack the public/private key to access the system, and then the user's password to affect system changes. This makes it much more difficult than just getting direct access to the root user

ssh login as root
ssh root@{SERVER_IP_OR_URL}
create new user
adduser loki

grant sudo privileges (optional)

usermod -aG sudo loki

open sshd_config

sudo nano /etc/ssh/sshd_config

disable root login (edit line and save)

PermitRootLogin no

reload ssh

sudo systemctl reload sshd

close remote session

exit

Restrict password login

It is also a good idea to restrict users from logging in using passwords, in favor of a public/private key pair. For starters, there is nothing to remember, you setup the keys and you are granted access to login. Passwords are shorter so they can be remembered, making them easier to crack. If they are too long they are usually written down somewhere, where they can be stolen. Some people use the same password in multiple places meaning your server can become compromised even if the password is obtained somewhere else. it is easy enough to generate key pairs for each user in a group so access for a single user can be revoked by removing that individual's key.

On your local system

generate key pair (leave passphrase blank)

ssh-keygen -t rsa -b 4096 -C "[email protected]"

push key to server

ssh-copy-id loki@{SERVER_IP_OR_URL}

login without password

ssh loki@{SERVER_IP_OR_URL}

open sshd_config

sudo nano /etc/ssh/sshd_config

disable password authentication (edit line and save)

PasswordAuthentication no

reload ssh

sudo systemctl reload sshd

Now the server is more secure because it doesn't allow direct access to the root user and only allows access using public/private key pairs.

You still need a secure place to store the root and user passwords so they can be accessed to make sudo system changes. Those should only be trusted to administrators.

Sort:  

Congratulations @clutteredcode! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes
Award for the total payout received

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

Thank you for share with us

thanks for the interest

Thank you for sharing great info with us .

Congratulations @clutteredcode! You have received a personal award!

1 Year on Steemit
Click on the badge to view your Board of Honor.

Do not miss the last post from @steemitboard:
SteemitBoard World Cup Contest - France vs Croatia


Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes


Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Congratulations @clutteredcode! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 2 years!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Vote for @Steemitboard as a witness to get one more award and increased upvotes!