SSH (Secure Shell) is an encrypted protocol for communicating with and administering servers. Anyone who has managed a Linux server or Virtual Private Server (VPS) will already be familiar with it. There are several ways to authenticate to a Linux server over SSH; one of the most common is a username and password combination.
For example, in your local terminal window you would run the following command:
ssh username@remote_host_name
For instance:
ssh admin@server_ip
Subsequently, the system prompts for a password:
admin@server_ip's password:
At this juncture, you provide the requisite password to authenticate and gain access to the server.
One notable issue with the aforementioned approach lies in its susceptibility to brute force attacks, where attackers attempt to gain unauthorized access to your server by systematically trying various password combinations. Particularly concerning for VPS owners is the potential for such attacks when password login is permitted.
One way to monitor such activity is to examine the authentication log. On Ubuntu this log file is typically found at /var/log/auth.log. Within this file, watch for entries such as:
Mar 2 11:26:19 122 sshd[301343]: Invalid user zzz from 185.45.36.232 port 54638
Mar 2 11:26:19 122 sshd[301343]: Received disconnect from 185.45.36.232 port 54638:11: Bye Bye [preauth]
Indeed, the presence of such entries in the authentication log indicates potential attempts by unauthorized entities to access your VPS.
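As an added example (not part of the original post), the following script counts the failed-login entries described above per source IP and reports sources that exceed a threshold, which is a simple way to spot a brute-force run in auth.log. The log lines it processes are constructed samples using documentation IP ranges, not entries from a real server.

```shell
#!/bin/sh
# Added example: report source IPs with repeated failed sshd logins.
# Sample log lines are constructed; 203.0.113.0/24 and 198.51.100.0/24
# are reserved documentation ranges.

# count_ssh_failures FILE THRESHOLD
# Prints "ip count", sorted, for each source with at least THRESHOLD
# "Invalid user" or "Failed password" entries. Disconnect lines are ignored.
count_ssh_failures() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: (Invalid user|Failed password for)/ &&
        match($0, / from [^ ]+ port /) {
            ip = substr($0, RSTART + 6, RLENGTH - 12)   # drop " from " and " port "
            hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= thr) print ip, hits[ip] }
    ' "$1" | sort
}

# demo_report: run the check over a constructed log and print the result.
demo_report() {
    log=$(mktemp)
    printf '%s\n' \
      'Mar 2 11:26:19 vps sshd[301343]: Invalid user zzz from 203.0.113.10 port 54638' \
      'Mar 2 11:26:19 vps sshd[301343]: Received disconnect from 203.0.113.10 port 54638:11: Bye Bye [preauth]' \
      'Mar 2 11:26:21 vps sshd[301345]: Invalid user admin from 203.0.113.10 port 54640' \
      'Mar 2 11:26:23 vps sshd[301347]: Failed password for root from 203.0.113.10 port 54642 ssh2' \
      'Mar 2 11:27:01 vps sshd[301350]: Failed password for ubuntu from 198.51.100.7 port 40122 ssh2' \
      'Mar 2 11:27:30 vps sshd[301352]: Accepted publickey for ubuntu from 198.51.100.7 port 40123 ssh2' \
      > "$log"
    count_ssh_failures "$log" 3
    rm -f "$log"
}

demo_report          # prints: 203.0.113.10 3
```

To run it against a live Ubuntu server, call count_ssh_failures /var/log/auth.log 10 (or whatever threshold suits your traffic); any source it reports is a candidate for a firewall block.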
For optimal VPS security, it’s highly recommended to disable password-based authentication entirely and use public/private key pair authentication instead. Below, I explain the process in detail:
- Step 1 – Generate Key Pair: Firstly, you generate a cryptographic key pair on your local machine. This comprises a public key, which can be shared, and a private key, which must be safeguarded.
- Step 2 – Copy Public Key to Server: Subsequently, you transfer the generated public key to your VPS. Typically, this involves appending the public key to the ~/.ssh/authorized_keys file on the server.
- Step 3 – Authentication using private key: When initiating an SSH connection to your VPS, your local SSH client presents the corresponding private key as authentication. The server, in turn, verifies this authentication using the associated public key stored in its authorized keys list.
- Step 4 – Disable Password-Based SSH Login: Finally, once key-based login has been verified, turn off password authentication on the server so that only holders of an authorized private key can connect.
By embracing this method, you significantly fortify the security of your VPS against unauthorized access attempts, ensuring that only authorized individuals possessing the private key can gain entry.
Step 1: Generate Key Pair
SSH key pairs consist of two cryptographically secure keys utilized for authenticating a client to an SSH server. It’s imperative to safeguard the private key on the client side and treat it as highly confidential. Under no circumstances should the private key be shared with others, as unauthorized possession of the private key would grant access to the server.
The public key, on the other hand, can be safely distributed for authentication purposes.
Use the following command to generate a key pair:
ssh-keygen -t rsa -b 4096 -f ./id_rsa
This command generates the key pair in the current directory (the -f ./id_rsa option sets the output path). Upon execution, two files are created:
id_rsa: Private key
id_rsa.pub: Public key
It’s recommended to opt for RSA-type keys with a key length of 4096 bits. Additionally, providing a passphrase for the private key during key generation enhances security. In the event of unauthorized access to the private key, the passphrase serves as an additional layer of protection, mitigating the risk of unauthorized server access.
Step 2: Copy Public Key to Server
To facilitate authentication using the generated public key, it must be copied to your server. Execute the following command to accomplish this task:
ssh-copy-id -i ./id_rsa.pub server_username@server_ip
In the above command, replace server_username with your username on the server and server_ip with the IP address of your server. Upon execution, this command will display output resembling the following:
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "./id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ubuntu@77.77.88.99's password:
Number of key(s) added: 1
Step 3: Authentication using private key
With the public key now stored on the server, you can authenticate using the corresponding private key. Run this command to access your server:
ssh user@server_name -i /home/keys/id_rsa
Replace user with your username on the server, server_name with the name or IP address of your server, and /home/keys/id_rsa with the file path to your private key.
The -i flag specifies the location of the private key, telling the SSH client which key to present for authentication so that the correct key is used when connecting to the server.
Step 4: Disable Password-Based SSH Login
Before proceeding with this step, ensure that your private key-based login is functioning correctly. Once verified, it’s prudent to disable password-based SSH login for enhanced security. Follow these steps:
Access the SSH Configuration File: Log in to your server and edit the SSH configuration file located at /etc/ssh/sshd_config.
Edit the Configuration: Locate the PasswordAuthentication parameter within the file and set its value to no. If there’s a # sign at the beginning of the line, remove it to uncomment the line.
For example:
PasswordAuthentication no
Save Changes: After making the necessary edits, save the file.
Restart SSH Service: To apply the changes, restart the SSH server daemon using the following command:
sudo systemctl restart ssh
By disabling password-based SSH login, you enforce the use of public key authentication, thereby bolstering the security of your server against unauthorized access attempts.
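As an added example (not part of the original post), the following script applies Step 4 to a copy of sshd_config in an idempotent way: it rewrites the directive whether the line is present, commented out with #, or missing entirely, and keeps a backup. It also sets KbdInteractiveAuthentication no, an added caveat beyond the post, because on some systems PAM can otherwise still prompt for a password through keyboard-interactive authentication. It assumes GNU sed and a config without Match blocks, and it runs here against a constructed temporary file rather than the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: idempotently set sshd_config directives for Step 4.
# Assumes GNU sed (-i -E) and no Match blocks in the config.

# set_sshd_option FILE KEY VALUE
# Replaces any existing "KEY ..." or "#KEY ..." line with "KEY VALUE";
# appends the line when the key is absent.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd FILE
# The post's Step 4 (PasswordAuthentication no), plus the keyboard-interactive
# caveat and an explicit PubkeyAuthentication yes (already the default).
harden_sshd() {
    cp "$1" "$1.bak"                       # keep a backup before editing
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" KbdInteractiveAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# demo_harden: apply the change to a constructed config and show the result.
demo_harden() {
    cfg=$(mktemp)
    printf '%s\n' 'Port 22' \
                  '#PasswordAuthentication yes' \
                  'KbdInteractiveAuthentication yes' > "$cfg"
    harden_sshd "$cfg"
    grep -E '^(PasswordAuthentication|KbdInteractiveAuthentication|PubkeyAuthentication) ' "$cfg"
    rm -f "$cfg" "$cfg.bak"
}

demo_harden
# On the real server, validate before restarting:
#   sudo sshd -t && sudo systemctl restart ssh
```

Keep your current SSH session open while restarting and confirm a fresh key-based login succeeds from a second terminal before closing it.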