How to secure your ssh daemon?
- choose a non-standard port (might not help a lot)
- disable password login (only key authentication is allowed)
- fail2ban
If you don't think you need to harden your ssh daemon, check out
sudo grep ssh /var/log/auth.log
Create key pair
ssh-keygen
Copy public key to server
The easiest way is to use the command ssh-copy-id. It's as easy as
ssh-copy-id user@example.com
Alternative: Copy Manually
Log in to the server and append your public key file to ~/.ssh/authorized_keys,
or alternatively open ~/.ssh/authorized_keys with your favorite text editor and paste the line from your public key file into it.
You can even append your public key from your local machine by using something like this
ssh user@example.com "echo \" `cat ~/.ssh/id*pub` \" >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Breakdown:
Log in as user on example.com and execute the following: echo all public keys stored in my local hidden ssh directory and, on the remote machine, append them to the file authorized_keys. Finally, we set the correct permissions.
Change Configuration file
Turn off PasswordAuthentication by
echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/local.conf
Of course you can also edit your /etc/ssh/sshd_config, but it's cleaner to preserve the default config file and create your own local file for defining deviations from the default.
This has the advantage that after a system upgrade your local configuration will be unchanged even if the default config file from the package changes.
Restart SSH Service
ATTENTION!!!
Make sure that you can connect via your key pair before restarting the service.
Ideally have a second terminal open with a connection to the remote server in case you lock yourself out!
After you've altered /etc/ssh/sshd_config.d/local.conf or /etc/ssh/sshd_config, restart the service to apply the changes.
sudo systemctl restart sshd
*TADA*
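A pre-restart check for the steps above, added here as an example and not part of the original page: `sshd -t` validates the syntax and `sshd -T` prints the effective configuration, which matters because sshd keeps the first value it reads for each keyword, so a file read before local.conf can override it. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are illustrative.

# Read `sshd -T` output (lower-case keywords) on stdin, print one line per
# finding, and return non-zero if key-only login is not what sshd will enforce.
check_effective() {
    awk '
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "pubkeyauthentication"   { pk = $2 }
        # keyboard-interactive can still offer a PAM password prompt;
        # older OpenSSH names it challengeresponseauthentication
        $1 ~ /^(kbdinteractive|challengeresponse)authentication$/ { kbd = $2 }
        END {
            if (pw != "no")   { print "FAIL passwordauthentication=" pw; bad = 1 }
            if (pk != "yes")  { print "FAIL pubkeyauthentication=" pk;   bad = 1 }
            if (kbd == "yes") { print "WARN keyboard-interactive=yes" }
            exit bad + 0
        }'
}

# On the server: syntax check first, then the effective settings.
# Restart sshd only if this returns 0.
preflight() {
    sudo sshd -t || return 1
    sudo sshd -T | check_effective
}

# Constructed sample of `sshd -T` output: a hypothetical earlier drop-in
# (say 10-other.conf, read before local.conf) set PasswordAuthentication yes,
# so the "no" appended to local.conf never took effect.
SAMPLE_OVERRIDDEN='port 22
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication no'

if printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_effective; then
    echo "effective config is key-only"
else
    echo "hardening not in effect, fix the config before restarting"
fi
```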