In the previous article, we listed some of the important things you need to know about VPS security. In this second part we dig a little deeper into securing SSH.
SSH (Secure Shell) is the protocol you use to connect to your VPS over an untrusted network: even on public wifi, the session between you and the server is encrypted and authenticated. We put SSH at the top of our security checklist because it is the front door to the machine. An intruder who gets into your SSH account can read your files, plant malware, run arbitrary commands, and use the server's resources for cryptocurrency mining or for hosting illegal content.
There are a few prerequisites before we change the configuration. All of the commands below need to be run as root (or through sudo), and you should keep your current session open until the very end: a mistake in the SSH configuration can lock you out of the server, and an open session is the only way back in.
First, create a new user who will be allowed to log in over SSH, so that root login can be disabled afterwards. If this user will also administer the server, add them to the sudo group (for example usermod -aG sudo john on Debian/Ubuntu), because once root login is off, sudo is the only way to get administrative rights. Let's create the user:
adduser john #add a user called john, follow the prompts and set a password
Then, give that user an SSH keypair. Remember that we are going to disable password-based SSH login, so the key is the only way the user will be able to log in. The usual way is to generate the keypair on your local machine with ssh-keygen and push only the public key to the server with ssh-copy-id john@your_domain_or_ip_address (do this now, while password login still works); the private key then never leaves your machine. If you prefer to generate it on the server, as this tutorial originally did, note that ssh-keygen alone is not enough: the public key also has to be installed into the user's authorized_keys file, and the private key will have to be moved to your local machine and deleted from the server afterwards.
su - john #switch to the new user John
ssh-keygen -t ed25519 #and follow the prompts; set a passphrase
cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys #install the public key for this user
exit #back to root
Now you have the user and the keypair. Next we change the SSH daemon's configuration to harden it. There are at least three things we normally do, and all of them are edits to /etc/ssh/sshd_config. Pretty simple.
Open the config file with the editor of your choice:
vim /etc/ssh/sshd_config
then add the settings below, or change the existing lines if they are already there. Two things to watch for. A line that starts with # is a commented-out default (for example #PermitRootLogin prohibit-password on Debian), so remove the # or add your own line rather than assuming it is active. And sshd uses the first value it finds for a setting, so check for an Include /etc/ssh/sshd_config.d/*.conf line at the top of the file: on recent Debian and Ubuntu the drop-in files it pulls in (cloud images often ship one that sets PasswordAuthentication yes) win over anything you write further down in the main file, so fix or remove the conflicting drop-in.
PermitRootLogin no #disable SSH login for the root user; the stock default, prohibit-password, still lets root in with a key
PasswordAuthentication no #disable password-based authentication; keys only from now on
Port 23232 #any unused port above 1024; this only cuts the bot noise in your logs, it is not a security boundary by itself
If a firewall is active on the server, allow the new port (for example ufw allow 23232/tcp) before restarting sshd, otherwise the only door will be closed.
Lastly, check the file for mistakes and restart the SSH daemon. sshd -t parses the configuration and reports errors without touching the running service; a typo that only shows up at restart would leave you with no daemon at all. Restarting does not drop your existing session.
sshd -t && systemctl restart sshd.service #on Debian/Ubuntu the unit is ssh.service, sshd.service is an alias for it
On recent Ubuntu releases sshd is socket-activated, so after changing Port you also need systemctl daemon-reload followed by a restart of ssh.socket.
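The edits above are easy to get wrong by hand when the file already contains a commented-out default, a duplicate directive, or a Match block. As an added example, not code from the original article, here is a small POSIX shell helper that makes the same three changes idempotently and shows where the gotchas are. The function names (set_sshd_option, get_sshd_option, harden_sshd_config, validate_sshd_config) are my own, not OpenSSH commands; the sample configuration in the demo is constructed, and the helper only ever touches the file you pass in.

```shell
#!/bin/sh
# Added example: idempotent edits to an sshd_config-style file.
# The helper names below are this example's own, not OpenSSH tools.

# Set KEY to VALUE in FILE as a global directive.  Replaces the first
# match (including a commented-out default such as "#PermitRootLogin
# prohibit-password"), drops later duplicates, and never writes inside
# a Match block: a directive placed after "Match" applies only to that
# block, and sshd uses the first global value it reads.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0; inmatch = 0 }
        tolower($1) == "match" {               # first Match block starts here
            if (!done) { print key " " value; done = 1 }
            inmatch = 1
        }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indent and a leading "#"
            split(line, f, /[ \t=]+/)
            if (!inmatch && tolower(f[1]) == lk) {
                if (!done) { print key " " value; done = 1 }
                next                           # drop the old or duplicate line
            }
            print
        }
        END { if (!done) print key " " value } # no Match block and no old line
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the global value sshd would use for KEY: the first word of the
# first uncommented occurrence before any Match block.  Prints nothing
# if the key is unset, so the caller sees the compiled-in default applies.
get_sshd_option() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        /^[ \t]*#/ || NF == 0 { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk) { print f[2]; exit }
        }
    ' "$1"
}

# Apply the three settings from the article, plus an explicit
# PubkeyAuthentication yes (the default, but worth pinning once
# passwords are off).  Usage: harden_sshd_config FILE [PORT]
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no &&
    set_sshd_option "$1" PasswordAuthentication no &&
    set_sshd_option "$1" PubkeyAuthentication yes &&
    set_sshd_option "$1" Port "${2:-23232}"
}

# Syntax-check FILE with sshd -t before restarting the daemon.  Run as
# root against the real file: sshd -t also wants the host keys, so it
# fails on a scratch file.  Returns 0 when sshd is not installed at all.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}

# Stand-alone demo on a constructed sample file (never touches /etc/ssh):
#   sh harden_sshd.sh demo
if [ "${1:-}" = demo ]; then
    sample=$(mktemp)
    printf '%s\n' '# constructed sample with Debian-style commented defaults' \
        '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
        '#Port 22' 'Match User backup' '    PasswordAuthentication yes' > "$sample"
    harden_sshd_config "$sample" 23232
    cat "$sample"
    rm -f "$sample"
fi
```

Back up the real file first (cp /etc/ssh/sshd_config /root/sshd_config.bak), then run harden_sshd_config /etc/ssh/sshd_config 23232 and validate_sshd_config /etc/ssh/sshd_config before the restart. The helper keeps every global directive above the first Match block because sshd applies the first value it reads; if your distribution has an Include line for sshd_config.d, the same first-value rule applies to those drop-in files, and they are read before the rest of the main file.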
Now test the login while your current session is still open. If you generated the keypair on the server, copy the private key to your local machine over a secure channel (scp it from the server, or paste it from the terminal into a file), give the file mode 600 (ssh refuses to use a key that other users can read), and then delete the private key from the server: it belongs on the client only. The file is usually /home/username/.ssh/id_ed25519 (or id_rsa if you generated an RSA key), so in this tutorial it is /home/john/.ssh/id_ed25519. If you generated the key on your local machine instead, it is already where it needs to be.
Then, from a second terminal on your local machine, try to log in via ssh:
ssh john@your_domain_or_ip_address -p 23232 -i /path/to/your/copied/private/key
Now your SSH is considerably harder to get into. Keep your private key to yourself: never share it, protect it with a passphrase, and if it is ever exposed, remove its public half from authorized_keys and generate a new pair.