Contents
- Disabling SSH login via the root user
- Changing default sshd port
- Generating RSA SSH keys on the local machine
- Copying RSA.pub key to the server
- Disabling plain-text password logins (enforcing RSA key usage)
- Setting up Uncomplicated Firewall UFW
/!\ Keep an SSH session open in a second terminal in case you get locked out when changing sshd settings.
Server: Disable SSH Login for the Root User
- If you don’t have a user (besides root), see this for user creation instructions.
- Verify whether your user is present in the sudoers file, either by group or exclusively:
cat /etc/sudoers
- Open the SSH daemon configuration:
nano /etc/ssh/sshd_config
- Press Ctrl+W and search for PermitRootLogin.
- Uncomment the line and switch it to no.
- Restart SSH daemon:
systemctl restart sshd
- Test with a root@server login.
Server: Change Default SSH Port
- Log in to the remote server.
- Confirm current sshd port (default is 22):
netstat -tulnp | grep ssh
- Open the SSH daemon configuration:
nano /etc/ssh/sshd_config
- Press Ctrl+W and search for Port 22.
- Uncomment line and set desired port number.
- Restart SSH daemon:
systemctl restart sshd
- Verify port change:
netstat -tulpn | grep ssh
(i) Connecting to a custom port from the client:
ssh -p 22000 user@192.168.1.100
Client: Generate SSH RSA Keys
Used in this step: SSH-keygen Returns Error on Key Creation “No Such File or Directory”
- Take note of existing SSH keys:
ls -l ~/.ssh/id_*.pub
- Generate RSA keys:
ssh-keygen -t rsa -b 4096 -f /path/to/key -C "note for reference or contact details (optional)"
- Follow steps for RSA key generation.
- Verify key generation; if successful, returns 2 files:
ls ~/.ssh/id_*
Client: Copy RSA Public Key
ssh-copy-id -p <port> -i <path/to/.pub/file> remote_username@server_ip_address
(i) Use -n for a test run.
- Enter the remote user's password.
- Receive confirmation for key change.
Server: Disable Plain-Text Password Authentication Over SSH
- Check sshd_config for overrides:
cat /etc/ssh/sshd_config | grep -i passwordauthentication
- Open the SSH daemon configuration:
sudo nano /etc/ssh/sshd_config
- Press Ctrl+W and search for passwordauth.
- Uncomment the line and set it to no.
- Restart SSH service:
sudo systemctl restart ssh
- Verify:
  - Close connection.
  - Move RSA keys out of local ~/.ssh
  - Log back in with ssh -i <identity name>
  - Expected response: Permission denied (publickey).
(i) By default, ssh connects using ~/.ssh/id_rsa. Use -i to connect using the right RSA key.
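The grep above lists every PasswordAuthentication line, but sshd applies only the first value it reads for a keyword, so a commented-out line or a later duplicate changes nothing. The following added example (not part of the original page) reports the value that actually takes effect for the settings changed in this guide. The function names and both sample configs are constructed for illustration, and files pulled in with Include are not followed.

```shell
# Added example, not from the original page. sshd keeps the FIRST value it reads
# per keyword; comments, later duplicates and Match-block lines do not override it.

# effective_value KEYWORD FILE -> first global value of KEYWORD (lowercased)
effective_value() {
    awk -v kw="$1" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)        # "Keyword value" or "Keyword=value"
            key = tolower(f[1])              # keywords are case-insensitive
            if (key == "match") exit         # global section ends at first Match
            if (key == kw) { print tolower(f[2]); exit }
        }' "$2"
}

# audit_sshd FILE -> exit 0 only if root login and password login are both "no"
audit_sshd() {
    root=$(effective_value PermitRootLogin "$1")
    pass=$(effective_value PasswordAuthentication "$1")
    port=$(effective_value Port "$1")
    # OpenSSH defaults apply when a keyword is never set globally
    root=${root:-prohibit-password}; pass=${pass:-yes}; port=${port:-22}
    echo "PermitRootLogin=$root PasswordAuthentication=$pass Port=$port"
    [ "$root" = no ] && [ "$pass" = no ]
}

# write_samples DIR -> two constructed configs used for the demonstration
write_samples() {
    cat > "$1/weak" <<'EOF'
#PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Port 22000
Match User backup
    PermitRootLogin no
EOF
    cat > "$1/hardened" <<'EOF'
PermitRootLogin no
passwordauthentication no
Port 22000
EOF
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
audit_sshd "$demo_dir/weak" || echo "weak: still allows password or root login"
audit_sshd "$demo_dir/hardened" && echo "hardened: ok"
```

On a live server, sshd -t validates the configuration before a restart, and sshd -T prints the settings sshd will actually use, including any included files.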
Server: Install/Run and Configure UFW (Uncomplicated Firewall)
- Check if UFW is present:
sudo ufw status
If not present:
sudo apt-get install ufw
- Get overview of ports:
netstat -tulpn
- Open/close ports with ufw allow <port> and ufw deny <port>
- Verify firewall configuration with nmap:
nmap -p- <server ip>
for ports 1 through 65535, or
nmap -p <comma-separated list of ports> <server ip>
- Install relevant software and repeat 2. to 4.