Securing SSH Access to your VPS is imperative these days. Within minutes of your VPS being live on the internet, ‘bad actors’ will attempt to gain access. Having a good IPTables firewall in place is an important step, but you still need to secure the services you leave open through that firewall.
In a previous tutorial we covered the various ways you can access your VPS. We covered alot of Do’s and Don’ts but in this tutorial we will take it one step further by showing you how to Secure SSH and implement key based Authentication.
Securing SSH
The first step is Securing SSH by changing a few default settings in /etc/ssh/sshd_config.
First you need to disable root logon via SSH. Leaving root access open will leave an avenue open for ‘bad actors’ to attempt to brute force your root password. Disabling root access is simple. Simply uncomment the following line in /etc/ssh/sshd_config and change the option to no.
PermitRootLogin no
Setup SSH Key Based Authentication
The next step is setting up SSH Key based Authentication. By Default, at least in CentOS, key based authentication is enabled. You just need to generate your SSH key if you do not already have one. In this example we will use two CentOS Systems running OpenSSH. We will call one “Server” and one “Workstation”. Key Based Authentication will be setup so user “bob” can access his “Server” from his “Workstation”
On the “workstation” system, generate your SSH keys as user “bob”.
[root@ cent5 ssh]$ ssh-keygen -t rsa -b 2048 Generating public/private rsa key pair. Enter file in which to save the key (/home/bob/.ssh/id_rsa): Created directory '/home/bob/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/bob/.ssh/id_rsa. Your public key has been saved in /home/bob/.ssh/id_rsa.pub. The key fingerprint is: df:24:26:75:c2:fc:6a:ff:8a:e1:00:6e:87:35:44:5f root@ cent5 The key's randomart image is: +--[ RSA 2048]----+ | . E | | . + . | | . * . | | . . + | | . S o o | | . + = = | | + o = . | | . . + + | | o oo. | +-----------------+ [root@ cent5 ssh]$
This generated a 2048 bit key pair in bob’s home directory under .ssh/ called /home/bob/.ssh/id_rsa and /home/bob/.ssh/id_rsa.pub respectively.
The .pub file is your public key. You will place this in the “authorized_keys” file on the server. The file called id_rsa is your PRIVATE KEY! Do no, repeat DO NOT, give this key to anyone. Just as you would not give out your password, you should not give anyone access to this key. You do however need to have this private key in your .ssh directory if you want SSH to use it. So if you have multiple workstations you will need to copy your private key to the workstations you will use it from.
So the next step is to add your PUBLIC key to your account’s “authorized_keys” file on the Server. To do this, first “cat” the public key and copy the data to your clipboard. Next SSH to the server and logon with your password. If the .ssh directory does not exist on the server run “ssh-keygen” there and it will create the directory there. Then paste your PUBLIC key data into “authorized_keys” like this:
</pre> [root@ cent5 .ssh]$ cat id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0j3Fj19q+APXXr53OyyIB2hPdpjVwMtiZAWkQpeSMF16hyMDmKKRwRApSVLVIb9uVAKpm8ymyR/YP4PIHxldSAEZawVr9l4n9lUpVeiTIwS5jeT0zuE1rbNwrDs7WLO7ReWjRhivc3tuxSVTPOnzI6VuN9BtPabkPJHCvZR3Uln6rqAFtfRspsWaA3Pwl7+qUgYDUq5/ddqWbhllk3Ex9FPm7F8Lj6bLUsNHlFv0iRaywcBt38+a/z8UjCQh13iuaQsBfFwQ5bQTaTzyxH3sL1ePk5HPcLrAgxsTh2S7O5kd09ecHjVJN0WTbJucjcyxaSNbUKFiEqc3t2JjjDJgHQ== root@ cent5 [root@ cent5 .ssh]$ {COPY key data stating with "ssh-rsa" through "workstation"} [root@ cent5 ssh]$ ssh root@ cent5 root@ cent5's password: root@ cent5 [~]# root@ cent5 [~]# ssh-keygen -t rsa -b 2048 Generating public/private rsa key pair. Enter file in which to save the key (/home/bob/.ssh/id_rsa): Created directory '/home/bob/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/bob/.ssh/id_rsa. Your public key has been saved in /home/bob/.ssh/id_rsa.pub. The key fingerprint is: 26:6f:50:2d:36:d0:d5:04:6c:71:77:0d:e3:67:b2:6b root@ cent5 The key's randomart image is: +--[ RSA 2048]----+ | .. o+=o +.o| | ...o..o o.| | =.. o o| | o o = | | o S . | | = . | | o E | | . . | | | +-----------------+ root@ cent5 [~]# cd .ssh/ root@ cent5 [~/.ssh]# ls ./ ../ id_rsa id_rsa.pub root@ cent5 [~/.ssh]# vi authorized_keys {PASTE KEY DATA on a new line, SAVE, and EXIT}
Next you need to set the proper permissions on the authorized keys file. Set it to be readable and writeable by only you.
root@ cent5 [~/.ssh]# chmod 600 authorized_keys root@ cent5 [~/.ssh]# ls -ltrh total 20K -rw-r--r-- 1 bob bob 407 Aug 11 13:09 id_rsa.pub -rw------- 1 bob bob 1.7K Aug 11 13:09 id_rsa drwx------ 6 bob bob 4.0K Aug 11 13:11 ../ -rw------- 1 bob bob 403 Aug 11 13:15 authorized_keys drwx------ 2 bob bob 4.0K Aug 11 13:15 ./ root@ cent5 [~/.ssh]#
SSH Key Based Authentication is now setup between “Bob’s” “Workstation” and “Servers”. Disconnect your SSH session and reconnect. Now you will no longer be prompted for your password.
root@ cent5 .ssh]$ ssh root@ cent5 Last login: Sun Aug 11 13:14:43 2013 from 199.231.190.21 root@ cent5 [~]#
Also since we disabled direct root access over SSH you need to be able to still get root access. Luckily Bob was previously added to the group “wheel” in /etc/group by another Administrator. Since that is done, Bob can simply ‘su’ to access the root user and do what he needs to do as an Administrator.
root@ cent5 [~]# su Password: root@ cent5 [/home/bob]#
Thats all there is to it. Now you can securely access your VPS over Securely over SSH with Key Based Authentication.