How to Secure SSH Login on Your Linux Server
Generally it is not secure to allow remote root login, and password authentication is also insecure. So… after setting up my server at [xxxx], the next step was to set up basic SSH login security.
I’ve had great success using RackSpace Cloud Servers, they are easy to set up and use (like this one, most of my Linux based guides will use a Rackspace Cloud Server as a starting point). I will assume you have your server started and you are ready to begin at the command prompt. This guide uses an Ubuntu 10.04 LucidLynx LTS install, but these steps will work on most other Linux distributions.
Securing SSH Login
We will be using Public Key Authentication, so our first step will be to generate a public and private key. I recommend using PuTTYgen.
- Open PuTTYgen and click the “Generate” button
- Move your mouse (PuTTYgen uses random mouse movement to generate a public and private key)
- Enter in a “Key Comment” (this text will appear each time you login via SSH, something like “Authenticating with public key: YOUR KEY COMMENTS”)
- Keep the PuTTYgen window open…
Before we get ahead of ourselves, we will need to create a new user account:
useradd -s /bin/bash -m yourname
We will also add this user to the sudoers list, open up the sudoers file with the following:
Now find the following line…
root ALL=(ALL) ALL
and change it to…
root ALL=(ALL) ALL
yourname ALL=(ALL) NOPASSWD: ALL
Save the file by pressing CTRL+X, then typing “y” and pressing RETURN … or similar depending on the editor used.
The above gives the yourname user all sudo privileges and will also not require the user to enter a password each time they try to use a privileged command. If you’re working in a public space, you may want to always be prompted for a password when you use sudo. To do this, just remove NOPASSWD:. Remember, you must also set a password for the yourname user account with the following command:
Next, create the .ssh directory in the yourname user home directory (this is where the authorized_keys file will be stored).
At this point, we will be using vim to create/add the public key to the authorized_keys file, so here is a quick primer on using vim:
- Open files with the following command: vim /path/to/the/file
- Once you’ve opened a file, enter editing mode by pressing i. You will now be able to make changes to the file. Use the directional arrows on your keyboard to navigate.
- When you are finished editing press ESC, this will exit the editing mode. To save the file enter :wq (write and quit).
- If you want to exit without saving, enter
Now you must create the authorized_keys file. Enter editing mode, copy the public key from the PuTTYgen window and paste it into the open authorized_keys file in vim. Save and exit the file.
The authorized_keys file format is one public key per line for each user. Below is a sample file; note the ssh-rsa prefix followed by a space and then the public key (all on a single line, no line breaks). Additionally, note the comments prefixed with #:
# user: john
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsyQ/ZOQqivsRbZze6bn3P63ZmlqiKD8sL/eqayqG9Mg5iONT/7F8ZX5XmOdDSoSNtlSeuHNgUo+ePenoQ/3w3gZqL922Dmqvi/XclTUh0rde82QBKz4GtnIUQO8Z4XHAya3ZNHW9DAQm8s7LXW/sObkNyqlFf0pz/MIsHKj8xmE=
# user: davidrussell
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEApwFQWa9G0FX7M+uSi8ipny0+C14lPFZtdFLj2rT5FNbUcat6BNswFt4Ys97celZ1HiuMGjyAIPDO1B290SSXGOWV/hwhNlMG080yjXbj0BC/5qNim9eDXJHqq0knFbIsHvcOZ9SepVp9q6SuqXuSQ6AXmMed3ZRm2ig7DiqDHVM=
Let’s finish up using PuTTYgen by clicking the “Save Private Key” button; for added security you may choose to add a password to the private key (in addition to the secure login with your private key file, you will also be prompted for your private key password). We are done with PuTTYgen.
Now for the finishing touch, we need to edit the SSH server configuration file (sshd_config).
First, a good security tip is to change the standard SSH listening port from 22 to something else [xxxx]. To do this find the following line:
Port 22
And change it to (xxxx being the port number) …
Port xxxx
Second, confirm that the following lines are set to “yes”…
RSAAuthentication yes
PubkeyAuthentication yes
Before adjusting the following lines, you may want to skip to Testing Your Login and test that the Public Key Authentication works properly, before you disable root login and Password Authentication.
Now, find the following lines…
PermitRootLogin yes
PasswordAuthentication yes
and add/change them to…
PermitRootLogin no
PasswordAuthentication no
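The steps above (the .ssh directory, the authorized_keys file, and the sshd_config changes) as one POSIX shell script. This is an added example, not code from the original post: the function names, the scratch-directory approach, and the 700/600 permissions are my additions (sshd checks those permissions when StrictModes is on, which is the default). RSAAuthentication is left out because it only applies to the obsolete SSH protocol 1.

```shell
#!/bin/sh
# Added example, not code from the original post. It applies the post's
# settings to files under paths you pass in, so it can be exercised on a
# scratch directory without root before touching a real server.
set -eu

# Install one "ssh-rsa AAAA... comment" line into HOMEDIR/.ssh/authorized_keys
# with the permissions sshd expects (with StrictModes it refuses a key file
# or .ssh directory that is writable by anyone but the owner).
install_authorized_key() {
    homedir=$1; pubkey=$2
    case "$pubkey" in
        "ssh-rsa "*) ;;   # the post's keys are ssh-rsa; refuse anything else
        *) echo "refusing key that does not start with 'ssh-rsa '" >&2; return 1 ;;
    esac
    mkdir -p "$homedir/.ssh"
    chmod 700 "$homedir/.ssh"
    printf '%s\n' "$pubkey" >> "$homedir/.ssh/authorized_keys"
    chmod 600 "$homedir/.ssh/authorized_keys"
}

# Set one "Key value" directive in an sshd_config-style file, replacing an
# existing (possibly commented-out) line or appending if none is present.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# The post's sshd_config edits: new port, key auth on, root and password login off.
harden_sshd_config() {
    file=$1; port=$2
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
}

# Post-edit check: succeeds only if all three hardened values are in place.
check_sshd_config() {
    grep -Eq '^PermitRootLogin no$' "$1" &&
    grep -Eq '^PasswordAuthentication no$' "$1" &&
    grep -Eq '^PubkeyAuthentication yes$' "$1"
}
```

Try it on a copy first (for example harden_sshd_config /tmp/sshd_config.copy 2222 followed by check_sshd_config /tmp/sshd_config.copy), and keep your current session open until a second login with the key succeeds.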
Testing Your Login
For all your settings to take effect you must restart ssh:
Now, log out and then log in again … remember you will now need to use your private key when logging in with SSH (I am using PuTTY). To set your private key with PuTTY, in the Category options tree, select: Connection > SSH > Auth … use the “Browse” button and select the private.ppk you saved from PuTTYgen.
Now try to log in with the yourname user account; you should be presented with a message similar to: “Authenticating with public key: YOUR KEY COMMENTS”.
If you’ve set up a password for your private key, then you will be prompted for it during login.