Add securing ssh section
This commit is contained in:
parent
e6bf19e377
commit
eb2f9e2782
4 changed files with 116 additions and 0 deletions
|
@ -26,6 +26,122 @@
|
||||||
- Disable root login
|
- Disable root login
|
||||||
- SSH Keys
|
- SSH Keys
|
||||||
|
|
||||||
|
|
||||||
|
### Securing SSH
|
||||||
|
Used by servers and their administrators across the world to talk to one another, if someone manages to get in who isn't supposed to, they could do all kinds of damage!
|
||||||
|
|
||||||
|
The first, and easiest thing we can do it improve security is to prevent the `root` user logging in. We already have a non-root account that we use `sudo` with, so why allow direct access to `root` at all? Edit `/etc/ssh/sshd_config`, finding the line that says something like this:
|
||||||
|
|
||||||
|
```config
|
||||||
|
PermitRootLogin yes
|
||||||
|
```
|
||||||
|
|
||||||
|
....and change it to
|
||||||
|
|
||||||
|
```config
|
||||||
|
PermitRootLogin no
|
||||||
|
```
|
||||||
|
|
||||||
|
You may need to uncomment the line by removing the `#` symbol preceding it.
|
||||||
|
|
||||||
|
Once done, restart the ssh server like so:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo systemctl restart ssh
|
||||||
|
```
|
||||||
|
|
||||||
|
Your configuration might be slightly different (e.g. it might be `PermitRootLogin without-password`) - but the principle is the same. This adds an extra barrier to getting into your server, as now attackers must not only guess your password, but your username as well (some won't even bother, and keep trying to login to the `root` account!).
|
||||||
|
|
||||||
|
#### Key-based authentication
|
||||||
|
So we've created a new user account with a secure password (tip: use a password manager if you have trouble remembering it :-)) and disabled root login. Is there anything else we can do? Turns out there is.
|
||||||
|
|
||||||
|
Passwords are not the only we can authenticate against an SSH server. Public private keypairs can be used too - and are much more secure - and convenient - than passwords if used correctly. They are a pair of files on your computer, which are used when you try to login instead of a password. Without the private key, you can't login.
|
||||||
|
|
||||||
|
The exact way you do this depends on the operating system of the local machine you are using to connect to your server.
|
||||||
|
|
||||||
|
##### For Linux users
|
||||||
|
_If your **local machine** is a Linux computer, then this is the section for you. If your local machine is a **Windows** computer, then skip this section and move onto the one below entitled "For Windows users"._
|
||||||
|
|
||||||
|
If you are using Linux on your _local machine_ generate your own public-private keypair like so:
|
||||||
|
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ssh-keygen -t ed25519
|
||||||
|
```
|
||||||
|
|
||||||
|
It will ask you a few questions, such as a password to encrypt the private key on disk, and where to save it. Once done, we need to tell `ssh` to use the new public-private keypair. This is fairly easy to do, actually (though it took me a while to figure out how!). Simply edit `~/.ssh/config` (or create it if it doesn't exist), and create (or edit) an entry for your ssh server, making it look something like this:
|
||||||
|
|
||||||
|
```config
|
||||||
|
Host {bobsrockets.com}
|
||||||
|
Hostname {ip_address}
|
||||||
|
Port 22
|
||||||
|
IdentityFile {path/to/private/keyfile}
|
||||||
|
```
|
||||||
|
|
||||||
|
Change `{bobsrockets.com}` to a short name that's easy to remember. You'll be able to SSH into your server later with `ssh short_name`.
|
||||||
|
|
||||||
|
Change `{ip_address}` to match the IP address of your server (or, if you're lucky enough to have a domain name pointed at your server, use that instead).
|
||||||
|
|
||||||
|
It's the `IdentityFile` line that's important - replace `{path/to/private/keyfile}` with the path to your key file (e.g. `~/.ssh/id_ed25519`).
|
||||||
|
|
||||||
|
With `ssh` configured, we can use a handy little utility called `ssh-copy-id` to copy the SSH public key to the server. Do that like this:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ssh-copy-id `{username}@{hostname}`
|
||||||
|
```
|
||||||
|
|
||||||
|
Where `{username}` is the username of the new user account you created earlier, and `{hostname}` is the short code from before when you editing your `~/.ssh/config` file.
|
||||||
|
|
||||||
|
|
||||||
|
##### For Windows users
|
||||||
|
_If your **local machine** is a Windows computer, then this is the section for you. If your local machine is a **Linux** computer, then skip this section and move onto the one below entitled "For Windows users"._
|
||||||
|
|
||||||
|
This section will assume that you are using [PuTTY](https://putty.org/) to connect via SSH to your server. Content in this section is taken from [this DigitalOcean tutorial](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/create-with-putty/).
|
||||||
|
|
||||||
|
|
||||||
|
Start the PuTTYgen program through your Start Menu, or by launching the `puttygen.exe` portable executable. The key generation program looks similar to this:
|
||||||
|
|
||||||
|
![A screenshot of PuTTYgen.](images/puttygen.png)
|
||||||
|
|
||||||
|
_(Above: A screenshot of PuTTYgen. Taken from [this DigitalOcean tutorial](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/create-with-putty/).)_
|
||||||
|
|
||||||
|
Set the key type to _ED25519_, and click the generate button.
|
||||||
|
|
||||||
|
You might be prompted to "generate some randomness by moving the mouse over the blank area". This randomness, known as _entropy_, is used to create keys in a secure fashion so that other people can't reproduce them.
|
||||||
|
|
||||||
|
![A screenshot of PuTTYgen generating some randomness.](images/puttygen-randomness.png)
|
||||||
|
|
||||||
|
When the key is generated, you’ll see the public key displayed in a text box. Save this somewhere safe for later. Be sure to scroll within the text area so you copy the entire key.
|
||||||
|
|
||||||
|
Next, you’ll be prompted to enter a passphrase for your SSH key. This improves security by preventing someone who gains access to your private key from using it without also knowing the passphrase. You’ll need to provide your passphrase every time you use this key (unless you use SSH agent software that stores the decrypted key).
|
||||||
|
|
||||||
|
![A screenshot fo PuTTYgen asking for a password.](images/puttygen-password.png)
|
||||||
|
|
||||||
|
When you’re done, click the "save private key" button and select a secure location to keep it. You can name your key whatever you’d like, and the extension `.ppk` is automatically added.
|
||||||
|
|
||||||
|
If you have not entered a passphrase, you will be asked to confirm that you want to save the key without one. We strongly recommend using a passphrase, but you can press enter to bypass this prompt.
|
||||||
|
|
||||||
|
Next, you need to tell your server about your new SSH key. This is done by editing the `~/.ssh/authorized_keys` file. Do that like this:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nano ~/.ssh/authorized_keys
|
||||||
|
```
|
||||||
|
|
||||||
|
Paste in your public key that saved earlier. Save it and exit, and then ensure it has the correct permissions like so:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
chown -R username:username ~/.ssh
|
||||||
|
chmod 0700 ~/.ssh
|
||||||
|
chmod 0600 ~/.ssh/*
|
||||||
|
```
|
||||||
|
|
||||||
|
...replacing `username` with the username of the account you created earlier.
|
||||||
|
|
||||||
|
Now, try opening a new instance of PuTTY and logging into your server with the public key. Before hitting the login button, go to "Connection" -> "SSH" -> "Auth" and select your `.ppk` file.
|
||||||
|
|
||||||
|
If all is well, you should now be logged in with your new public/private keypair.
|
||||||
|
|
||||||
|
|
||||||
### Setting up a firewall
|
### Setting up a firewall
|
||||||
Firewalls control how data is allowed to travel in and out of your computer. In Ubuntu, a firewall called `ufw`, the 'uncomplicated firewall' is already present. It acts as a nice front-end to `iptables`, which I find to be difficult to understand and use. We will be using that as our firewall. If for some reason it is not installed already, install it like so:
|
Firewalls control how data is allowed to travel in and out of your computer. In Ubuntu, a firewall called `ufw`, the 'uncomplicated firewall' is already present. It acts as a nice front-end to `iptables`, which I find to be difficult to understand and use. We will be using that as our firewall. If for some reason it is not installed already, install it like so:
|
||||||
|
|
||||||
|
|
BIN
Linux-201/images/puttygen-password.png
Normal file
BIN
Linux-201/images/puttygen-password.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 17 KiB |
BIN
Linux-201/images/puttygen-randomness.png
Normal file
BIN
Linux-201/images/puttygen-randomness.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 4.3 KiB |
BIN
Linux-201/images/puttygen.png
Normal file
BIN
Linux-201/images/puttygen.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 12 KiB |
Loading…
Reference in a new issue