To get this set up you will need to make some changes to the SSH configuration file. This how-to was set up on Fedora (a Red Hat based distro); other Linux distros might keep the config file in a different location, so adjust accordingly or ask in the comments and I will try to assist as much as I can.
You can access the configuration file with your favourite text editor; I myself will be using Vim.
Since I did not set up any users, I am logged into the server as root; I will create extra users as soon as one is required.
You will be presented with the config file. The lines we are going to concentrate on are:
The Port setting:
My recommendation (and I assume that of most other Linux users) is to change this to a non-default port. The first time I set up my SSH access and opened the default port (22) on my router, I received around 360 break-in attempts in less than 4 hours. I am not saying that changing the port will render your server 100% secure, but it will make it a little less visible to others.
For the purpose of this tutorial I have changed the port number to 2222; you are free to change it to one of your liking. I found that adding an extra line instead of uncommenting the existing one is a good idea, as it makes bringing the config back to default much easier.
#Port 22
Port 2222
The LoginGraceTime option controls how long an unauthenticated session can stay open. I would also recommend changing this to something less than 2 minutes; there is no reason an authentication session should be open for that long. Around 30 seconds should be plenty for you to authenticate.
#LoginGraceTime 2m
LoginGraceTime 30
It is a good idea to disable root login; you can always use su, su -c or sudo once authenticated with your server.
#PermitRootLogin yes
PermitRootLogin no
Then we change the number of failed attempts allowed before the auth session closes; three should be plenty.
#MaxAuthTries 6
MaxAuthTries 3
Save the file and restart your SSH daemon.
Restarting sshd (via systemctl): [ OK ]
Now, since I have disabled root login via SSH, I will need a user that can make use of it, and I will set a password for him.
Changing password for user jondoe
passwd: all authentication tokens updated successful
We are almost ready to SSH back into the system with the newly created user and create the public/private SSH key pair.
Firstly we need to allow the port specified for SSH access through the firewall; we do so by running:
and let's restart iptables with:
Restarting iptables (via systemctl): [ OK ]
Also, if you are running SELinux, you will need to run this command:
Now let's SSH into the server as the user and create a pair of auth keys:
The authenticity of host '[localhost]:2222' can't be established.
RSA key fingerprint is 47:c6:4f:da:da:4b:5a:da:e8:84:5a:ab:aa:55:2b:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
jondoe@localhost's password:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jondoe/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/jondoe/.ssh/id_rsa.
Your public key has been saved in /home/jondoe/.ssh/id_rsa.pub.
The key fingerprint is:
The key's randomart image is:
This will create the pair of keys and save them in the ~/.ssh/ directory under the names id_rsa (the private key, secured by the passphrase you entered) and id_rsa.pub (the public key).
Move the private key to a USB stick/portable HDD so you always have it with you and are able to access your server. We will now rename the public key so SSH can use it.
This will bring us back to the root prompt. It's time to disable password authentication in sshd_config. Again open it with your favourite text editor and look for the "PasswordAuthentication" lines:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
Change the occurrence that has no # in front of it, save the file and restart the sshd service again, and you're done. Next time you would like to SSH into your server from another Linux box you will have to use the -i option and point it to where your private key is, for example:
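A quick audit of the resulting sshd_config, as an added example that is not part of this how-to: it reads the value sshd will actually use for each keyword changed above (the first uncommented occurrence wins, so a "no" added below a still-active "PasswordAuthentication yes" changes nothing) and flags any of the five settings still at its default. The sample config built inside the script is constructed; pass a path to audit a real file.

```shell
#!/bin/sh
# Audit an sshd_config for the five settings this how-to changes.
# sshd semantics that matter: for each keyword the FIRST uncommented
# occurrence wins, keywords are case-insensitive, "Key value" and
# "Key=value" are both accepted, and lines after "Match" are conditional.
# Added example, not the author's; "sshd -T" shows the live effective values.
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
fail()  { echo "FAIL $1"; fails=$((fails + 1)); }
# to_seconds "2m" -> 120 (sshd time format; a bare number is seconds)
to_seconds() {
    case $1 in
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}
# effective_value FILE KEYWORD -> the value sshd would use (empty if unset)
effective_value() {
    awk -v key="$(lower "$2")" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        { sub(/^[[:space:]]+/, ""); split($0, p, /[[:space:]=]+/) }
        tolower(p[1]) == "match" { exit }               # global section ends
        tolower(p[1]) == key     { print p[2]; exit }   # first hit wins
    ' "$1"
}
# check_hardening FILE -> one FAIL line per weak setting; returns the count
check_hardening() {
    f=$1; fails=0
    v=$(effective_value "$f" Port)
    [ "${v:-22}" != 22 ]                  || fail "Port: still the default 22"
    v=$(effective_value "$f" LoginGraceTime)
    [ "$(to_seconds "${v:-2m}")" -le 30 ] || fail "LoginGraceTime: ${v:-2m}"
    v=$(effective_value "$f" PermitRootLogin)
    [ "$(lower "$v")" = no ]              || fail "PermitRootLogin: ${v:-unset}"
    v=$(effective_value "$f" MaxAuthTries)
    [ "${v:-6}" -le 3 ]                   || fail "MaxAuthTries: ${v:-6}"
    v=$(effective_value "$f" PasswordAuthentication)
    [ "$(lower "${v:-yes}")" = no ]       || fail "PasswordAuthentication: ${v:-yes}"
    return "$fails"
}
# Audit the file given as argument, or a constructed sample in which the "no"
# was added below a still-active "PasswordAuthentication yes".
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 2222' 'LoginGraceTime 30' 'PermitRootLogin no' \
    'MaxAuthTries 3' 'PasswordAuthentication yes' 'PasswordAuthentication no' > "$sample"
check_hardening "${1:-$sample}" || echo "findings: $?"
rm -f "$sample"
```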