Setting up a safe SSH connection to your virtual private server
Overview
SSH is a widely used method for connecting to remote servers, including VPS servers. It is a versatile and multiplatform solution, with SSH clients available even for mobile devices. SSH allows you to control the remote machine almost as if you were physically present and offers various useful features. However, with the increasing emphasis on security in the modern IT landscape, it’s crucial to secure your SSH access.
One effective security measure is the use of key pairs, consisting of a private key and a public key. The private key, which should be kept secure and not shared, uniquely identifies you as a user. The public key, on the other hand, is shared with the remote server or service. It serves as the public counterpart to the private key and facilitates secure access. When you attempt to access a server or service, your SSH client uses the private key to sign session-specific data, and the server verifies that signature against the public key stored on the remote machine. If the signature is valid, access is granted. The private key itself never leaves your computer.
Requirements
You’ll need:
A CentOS 7.4 VPS server
Basic knowledge of how to edit files in Linux systems
A host machine running Linux or Windows from which you can access the VPS server.
Establishing a pair of SSH keys on your host computers
If your local system, from which you access the VPS, is running Linux (in this case, Fedora 25 was used as a typical home/workplace Linux system):
1. Open a terminal and run the command ssh-keygen. Follow the on-screen instructions.
ssh-keygen
You will be prompted to enter a key storage location (you may leave it as is). ssh-keygen will also ask you to enter a passphrase (password) to protect the key. While the key can be left without a password, it is recommended to secure your key with a password. This adds an extra layer of protection, especially in case the key pair is compromised. Remember the password; if forgotten, there is no way to restore access to your key.
2. Back up your keys to a secure and safe storage location. It’s essential to have a backup in case you lose access to your original keys or if the keys get corrupted.
3. Run the following command to display the contents of your public key file:
cat /path/to/your/.ssh/id_rsa.pub
Make sure to replace “/path/to/your/” with the actual path where your SSH key is located. Copy the displayed key.
4. You need to add the copied public key as a new line into the `/root/.ssh/authorized_keys` file on your VPS server. It should look like this:
Notice that each key starts on a new line.
5. To connect from your Linux machine to the VPS server through SSH, use the following command:
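ssh -i /home/vpsuser/.ssh/id_rsa root@<your-VPS-hostname-or-IP>
The -i option takes the private key file (id_rsa), not the public key file (id_rsa.pub).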
If you’re using a Windows system to access the VPS, follow these steps:
1. Run the puttygen tool, which is included with the PuTTY installation. If your system doesn’t have puttygen, or if you’re using a portable version of the PuTTY binary, download the 32-bit or 64-bit binary from this link[1].
2. Click “Generate,” and it will prompt you to move the mouse over the empty area to generate random data. Once generated, it will provide you with an SSH key pair.
2.1. Enter a password in the “Key passphrase” and “Confirmation” fields. Remember the password.
2.2. Copy the contents of the “Public key for pasting into OpenSSH authorized_keys file” field.
2.3. Save the public and private keys to a secure storage.
3. Copy the contents of the “Public key for pasting into OpenSSH authorized_keys file” field in puttygen.
4. Go back to your VPS server. Add the public part of the key pair you just created to the list of authorized keys by pasting the copied key as a new line into `/root/.ssh/authorized_keys`. It should look like this:
Notice that each key starts on a separate line.
5. Test the connection to your VPS server.
5.1. Open PuTTY and go to Connection > SSH > Auth in the left panel.
5.2. Open your private key file by clicking on “Browse” next to the “Private key for authentication” field.
5.3. In the “Session” section of the left panel in PuTTY, enter your server’s hostname or IP along with the login name (optional, as PuTTY will prompt for it anyway), and then press “Open”.
5.4. PuTTY will prompt for the key password on its screen, and if entered correctly, it will forward you to your VPS server console.
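Step 4 of both the Linux and the PuTTY procedure is the same operation on the server. The script below is an added example, not part of the original article: a hypothetical helper, install_pubkey, that appends a key as its own line, skips duplicates, and sets the permissions that sshd's StrictModes check expects.

```shell
#!/bin/sh
# Added example, not from the original article.
# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Appends one public key as its own line, once, with restrictive permissions
# (sshd's StrictModes rejects group- or world-writable key paths).
install_pubkey() {
    pub=$1
    auth=$2
    # A public key is a single line; strip a CR left by Windows copy-paste.
    key=$(head -n 1 "$pub" | tr -d '\r')
    # Shape check only: "<type> <base64 blob> [comment]". This rejects a
    # private key pasted by mistake ("-----BEGIN ...") and the multi-line
    # "---- BEGIN SSH2 PUBLIC KEY ----" file written by PuTTYgen's
    # "Save public key" button, which authorized_keys does not accept.
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "install_pubkey: $pub is not an OpenSSH public key" >&2
           return 2 ;;
    esac
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Idempotent: an exact duplicate line is not added again.
    if grep -qxF -- "$key" "$auth"; then
        return 0
    fi
    # If the file does not end in a newline, add one so keys never share a line.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Run as a script: sh install_pubkey.sh id_rsa.pub /root/.ssh/authorized_keys
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```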
Protecting the SSH server
Now you can safely log in to your VPS server from both Linux and Windows machines. At this point, you should disable password-based authentication on the server, which renders password brute-force attempts useless. Your system will only accept incoming SSH connections with an authorized SSH key. Open the SSH configuration file on your VPS server:
/etc/ssh/sshd_config
and change the PasswordAuthentication yes line to PasswordAuthentication no. After making this change, restart the SSH daemon:
systemctl restart sshd
and check that it is running without problems:
systemctl status sshd
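Added example (not from the original article): the hypothetical functions below read an sshd_config file and report whether password logins are really off. It goes beyond the single edit described above by also checking ChallengeResponseAuthentication and Match blocks, two places where a password prompt can survive the change.

```shell
#!/bin/sh
# Added example, not from the original article: offline audit of an sshd_config.

# effective_global KEYWORD FILE DEFAULT
# Prints the value sshd uses outside Match blocks. Keywords are
# case-insensitive, commented lines are ignored, and the FIRST occurrence
# wins, so a "no" placed below an existing "yes" has no effect.
effective_global() {
    awk -v want="$1" -v def="$3" '
        /^[ \t]*(#|$)/               { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# match_reenables FILE
# Counts "PasswordAuthentication yes" lines inside Match blocks, which switch
# passwords back on for selected users or hosts.
match_reenables() {
    awk '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match && tolower($1) == "passwordauthentication" && tolower($2) == "yes" { n++ }
        END { print n + 0 }
    ' "$1"
}

# password_login_disabled FILE
# Succeeds only if no password path remains. Both keywords default to "yes"
# in OpenSSH 7.4; keyboard-interactive (PAM) can still prompt for a password
# when ChallengeResponseAuthentication is left on.
password_login_disabled() {
    pa=$(effective_global PasswordAuthentication "$1" yes)
    cr=$(effective_global ChallengeResponseAuthentication "$1" yes)
    mo=$(match_reenables "$1")
    echo "PasswordAuthentication=$pa ChallengeResponseAuthentication=$cr match_overrides=$mo"
    [ "$pa" = no ] && [ "$cr" = no ] && [ "$mo" -eq 0 ]
}

# Run as a script: sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    password_login_disabled "$1"
fi
```

On the server itself, `sshd -t` checks the file for syntax errors before the restart and `sshd -T` prints the settings actually in effect. Keep your current session open until a new key-based login has succeeded.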
In Summary
Securing your SSH connection with an SSH key pair and disabling password login is a fundamental security measure. This practice shields your server from various attacks, particularly those relying on brute-force and password-guessing tactics. Implementing these basic security measures helps ensure a more resilient defense for your VPS server.
[1]: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html