Servers 101: Basic Server Security Part 3 (Key based login)

in #tutorial9 years ago (edited)

main-image.png

In the previous post of this series, we learned how to install and configure a firewall and fail2ban, in order to add a second step of security on our server.

In this post, we will configure our user to accept key-based connections.


Download PuTTYgen from the official page. Hint: it's located on the alternative downloads list; it's the second to last one.
Alternatively, click here to download the file directly. If the link is not working, please visit the first link and locate PuTTYgen.

Open puttygen.exe, and follow these instructions:


Generating the key pair

puttygen-1.png
First, make sure that at the bottom of the PuTTYgen window (the red-marked area in the photo above) the settings are these:

Type of key: RSA
Number of bits: 2048

Now, we have to generate the public & private key pair. Click the "Generate" button (inside the yellow-marked area), and the "Key" area will tell you to move your mouse inside the blank area to generate some randomness. Do this until the progress bar fills up completely.

A few movements and seconds later, you will see a textbox saying "ssh-rsa" and then a string of random characters.


Saving the key

puttygen-2.png

We now have a few more steps to follow before we save our keypair files.

  • In the key comment textbox, write a comment, usually a small identifier for the keypair.
  • You can optionally fill up a password (key passphrase & confirm passphrase).

Now, we can save the keypair. First, click the "Save public key" button, navigate to the folder where you want to save your key, type in a name (you can use your server's hostname, for example) and press "Save".
Then, do the same by clicking "Save private key".
You should keep this file secret. Anyone who has the private key file can use it to log in to your server. Also, do not forget your passphrase, if you set one, as you will not be able to access your server without it!


Configuring your server

Grab the whole text from "key" textbox (right click into it, "Select all" and then copy it). We will put this inside our server's authorized_keys file.

Log into your server, for the last time using your user's password!

Create your .ssh folder, as it probably doesn't exist yet, then create the authorized_keys file inside it, and edit it:

mkdir -p ~/.ssh                      # -p: no error if the folder already exists
chmod 0700 ~/.ssh                    # sshd refuses keys if .ssh is group/world accessible
touch ~/.ssh/authorized_keys
chmod 0644 ~/.ssh/authorized_keys    # must not be group/world writable
nano ~/.ssh/authorized_keys          # no sudo: the file must stay owned by your user

You have copied the key from PuTTYgen, so right click inside PuTTY to paste it inside authorized_keys.

It should start with ssh-rsa and end with the "Key Comment" you supplied in the second step.

Exit nano by saving the changes you made (Control+X, Y, Enter)


Configuring PuTTY

Remember in the first post of this series (Getting into your server), how I told you to create a profile? We are going to edit it.

If you didn't save it at the start of the series, fill in your hostname, your port and a name in the textbox just below "Saved Sessions", and skip the first step.

  1. In the "Saved Sessions" locate your session profile. Click it once, and then click the "Load" button on the right.
  2. On the tree-menu (left side of the window), locate "Connection", and click the "+" sign in front of it to expand it. Just below "Connection", you will see an entry named "Data". Click it once, and on the "auto-login username" type your username, as in the image below:
    puttygen-3.png
  3. On the tree-menu again, locate and expand SSH, and then locate "Auth". On the right side of window, click "Browse" and locate the private key you saved in the second step, as in the image below:
    puttygen-4.png
  4. Once again on the tree-menu, go to "Session" and click "Save".
  5. Without closing the already open session, try to connect to your server. If you followed my steps correctly, you are ready!

Now you will only have to type your private key's passphrase on login, if you set one.


Disabling password logins

This is the final step on our tutorial. We have to disable password logins, otherwise all we did was in vain. We have to edit the SSH configuration:

sudo nano /etc/ssh/sshd_config

Locate the line saying "PasswordAuthentication". By default, the line reads "#PasswordAuthentication yes" on Debian 9.

What you have to do is remove the "#", and change "yes" to "no".

The final result should be this:

PasswordAuthentication no

Exit nano by saving the changes you made (Control+X, Y, Enter)

And then restart the ssh daemon:

sudo service ssh restart

Some other settings you can change to take security a little step further:

  • PermitEmptyPasswords no
    If a user has no password set, they won't be able to login to SSH
  • PermitRootLogin no
    Won't allow the root user to login (make sure you have created a different user first, if you haven't already!)
  • AllowUsers yournormaluser
    Change yournormaluser to your username to only allow this username to login.

If you change anything, remember to run sudo service ssh restart again.
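As an added example (not code from the original post), here is a small POSIX shell script that does the authorized_keys setup from the "Configuring your server" section idempotently and audits an sshd_config file for the three settings listed above before you restart sshd. The home directory and config path are parameters (an assumption, so it can be tried on a scratch copy first), and it goes slightly beyond the post by checking the effective value: sshd uses the first uncommented occurrence of each keyword, so an edit further down the file is silently ignored if the keyword already appears above it.

```shell
#!/bin/sh
# Added example, not part of the original post. HOME_DIR and CONFIG are
# parameters so the functions can be exercised against scratch files.

# install_pubkey HOME_DIR "ssh-rsa AAAA... comment"
# Creates .ssh (0700) and authorized_keys (0600) owned by the calling user
# (no sudo) and appends the key once, even if run repeatedly.
install_pubkey() {
    home="$1"; key="$2"
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*) ;;   # one-line OpenSSH format, as in PuTTYgen's "Key" box
        *) echo "not a one-line OpenSSH public key (copy the Key textbox, not the saved .pub file)" >&2
           return 1 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 0700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 0600 "$home/.ssh/authorized_keys"
    grep -qxF "$key" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# effective_value CONFIG KEYWORD
# Prints the value sshd will actually use: the FIRST uncommented occurrence
# of the keyword (keywords are case-insensitive). Commented lines start with
# "#" in $1, so they never match.
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd CONFIG
# Returns 0 only if the three hardening settings from the post are in effect,
# and names every keyword that is unset or has the wrong effective value.
audit_sshd() {
    cfg="$1"; rc=0
    for pair in PasswordAuthentication:no PermitRootLogin:no PermitEmptyPasswords:no; do
        kw="${pair%%:*}"; want="${pair##*:}"
        got="$(effective_value "$cfg" "$kw")"
        [ "$got" = "$want" ] || { echo "$kw is '${got:-unset}', expected $want" >&2; rc=1; }
    done
    return $rc
}
```

Run `audit_sshd /etc/ssh/sshd_config` and `sudo sshd -t` (which checks the file for syntax errors) before `sudo service ssh restart`, so you never restart sshd on a config that would lock you out.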

Thanks to @slash-es for his input in the comments below! I forgot to include these.


Next time we will go ahead and talk about some commands you need to know, as well as setup some tools to monitor our bandwidth usage.

Thank you for reading. If you liked my small tutorial, or have any questions, feel free to leave a comment.

If you need a place to host your servers consider Vultr, Digital Ocean and BuyVM.

These are affiliate links. If you sign up through them, you support me and I will have more free time to write more content like this.

Also, if you sign up for Digital Ocean through my affiliate link, you will get $10 to try them out. Note: to battle abusers of this offer, you'll have to make a $5 deposit via PayPal or add your credit/debit card, so they can confirm that you are a new user. I did a deposit via PayPal to test them out, and then I added my credit card so I won't have to deposit money manually every now and then.


Also, I am running a witness server. Please consider voting for me as a witness.

You can read my witness declaration here


Post updated, as by mistake I didn't include the "ssh restart" instruction!

It's also worth noting you can restart sshd from an SSH connection and your connection will not drop.

Thumbs up for this post: I've seen too many short "Linux installation guides" where SSH security isn't mentioned.

Other useful options for /etc/ssh/sshd_config are:

  • PermitEmptyPasswords no
  • PermitRootLogin no
  • AllowUsers yournormaluser

This combined with your Fail2ban guide from earlier will significantly increase the security of your *nix server.

Exactly. I meant to include these to my post, but they slipped somewhere. Thanks for the reminder, I'll include them!
