Setting Up A Linux VPS Securely (Pt.2)

in #cybersecurity, 7 years ago (edited)

Welcome back to the second part of securing your Linux Server.

I won't talk about becoming a witness, or what a witness is, until I actually get to that part of the setup myself. This is about securing a server first. Sorry for mentioning the journey to becoming a witness too early, in the first post. So, I'm not becoming a witness yet. I'll mention it again when I actually get there ;)

As mentioned in Part 1, this part will deal with SSH keys to make your server even more secure.

Let's get it on!


Public and Private Keys for SSH

Since we're on Windows again, grab PuTTYgen (puttygen.exe). Click the link and it will download. Open the program; nothing gets installed.

[screenshot: generate-key]

Click on Generate, and move your mouse around the blank area under the status/progress bar. You will see the bar fill up as you move your mouse around. Keep going until the key is generated.

After that, you will have your keys. Copy the text from the "Public key for pasting" box into a file and call it pub_key.txt. Next, enter a "Key passphrase" if you want some extra security; if you're the only one connecting to your server, it's not that big of a deal. Then click "Save public key" and call it "pub_key". Then click "Save private key" and save it as "private.ppk".

[screenshot: generate-save]

So if you saved them with the names I used, you will have three files:

pub_key.txt
pub_key
private.ppk


Install public key on server

Now that the keys have been generated on your local computer, it's time to upload the public key to the server so you can connect with it.

Open PuTTY, load the profile, and click "Open" to connect. Enter your user password and log in. Remember, we're no longer logging in as root.

Run the following commands:

  1. mkdir ~/.ssh
    Make the hidden .ssh directory in your home folder

  2. chmod 700 ~/.ssh
    Restrict the folder so only your user can access it

  3. cd ~/.ssh
    Go into the folder

  4. nano authorized_keys
    Create the file for the key; it must have exactly this name

  5. Open "pub_key.txt" from before and copy its contents. Then paste those contents into the PuTTY window that has "authorized_keys" open in nano. Save and close the file: ctrl+o to write it out, or just ctrl+x and confirm saving before exiting.

  6. chmod 600 authorized_keys
    Set the file permissions on the public key file so no other user (except root) can read it

[screenshot: ssh-dir]


Disable password logins

Open the sshd_config file:

sudo nano /etc/ssh/sshd_config

Scroll down with the arrow key, or hit Page Down twice, to find PasswordAuthentication yes. On some systems the line is commented out as #PasswordAuthentication yes; in that case remove the leading # as well, otherwise the change has no effect.

Change the "yes" to "no":

PasswordAuthentication no

Then restart the service:

sudo service ssh restart

[screenshot: ssh-password-yes]

Test SSH login with a key, instead of password

Open PuTTY and load your profile. In the left panel, go to the "Auth" section shown here:

[screenshot: putty-auth]

Next, click "Browse" to find the "private.ppk" file we saved earlier.

[screenshot: putty-private-key]

The last thing to do is "Save" your profile in PuTTY so that you don't need to do this again. Go back up to "Session" at the top and click "Save".

[screenshot: putty-save]

And then just click "Open" to connect with your new SSH key.

If you are prompted to accept a key, click "Yes".

If you set a passphrase for your key earlier, this is when you need to enter it. If you didn't set a passphrase, you log in without typing any password, and it's still more secure because it uses a private/public key pair.

[screenshot: rsa-prompt]

Remove IPv6 listening

Since no one really uses IPv6 yet, disable this and make one less thing your system is checking for.

AddressFamily inet needs to be added.

You can add this manually to the end of the sshd_config file with sudo nano /etc/ssh/sshd_config.

Or just run:

echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config

If you ever need IPv6 SSH back, remove that line.

Finish with a restart of SSH:

sudo service ssh restart
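The three server-side sections above (installing the public key, disabling password logins, adding AddressFamily inet) are done by hand in the post. As an added example, not code from the original post, here are shell helpers that do the same edits repeatably and check the result before you restart sshd. It also turns the advice from the comments below (test the key before turning passwords off) into a precondition check. It assumes a Linux server with POSIX sh, GNU or BSD grep/sed/find, and an sshd_config without Match blocks; the sample config and key line are constructed for the demo, and every path is a parameter so you can rehearse on a temp copy.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers that make the post's
# manual sshd_config and authorized_keys steps repeatable and checkable.
# Assumes POSIX sh, grep -E, sed -E, find, and no Match blocks in sshd_config
# (set_sshd_option would also rewrite a keyword that sits inside one).

# Constructed sample of the relevant sshd_config lines. Note the commented-out
# default "#PasswordAuthentication yes" that a commenter ran into: appending a
# new line with tee -a works, but editing in place leaves one clear directive.
SAMPLE_CONFIG='Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# set_sshd_option FILE KEY VALUE
# Rewrite any existing "KEY ..." line (commented out or not) to "KEY VALUE";
# append it if absent. sshd uses the first occurrence of a keyword, so an
# earlier uncommented line left in place would silently win over an appended one.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY : print the effective (first uncommented) value
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE : the two edits from the post, done idempotently
harden_sshd_config() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" AddressFamily inet
}

# install_authorized_key SSHDIR PUBKEY_FILE
# Same result as the post's mkdir / chmod 700 / nano / chmod 600 steps, but a
# key line that is already present is not appended a second time.
install_authorized_key() {
    dir=$1; pub=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$dir/authorized_keys" \
            || printf '%s\n' "$line" >> "$dir/authorized_keys"
    done < "$pub"
}

# check_key_install SSHDIR : 0 only if the modes are exactly 700 and 600.
# With the default StrictModes, sshd ignores authorized_keys when ~/.ssh or the
# file is group/world-writable, so this is the first thing to check when a key
# login fails with "server sent: publickey".
check_key_install() {
    [ -n "$(find "$1" -prune -perm 700 2>/dev/null)" ] \
        && [ -n "$(find "$1/authorized_keys" -perm 600 2>/dev/null)" ]
}

# safe_to_disable_passwords SSHDIR : the commenters' "test the key first" rule
# as a precondition: modes are right and at least one OpenSSH-format key exists.
safe_to_disable_passwords() {
    check_key_install "$1" \
        && grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-)' "$1/authorized_keys"
}

# Dry run on a temporary copy; nothing here touches the real /etc/ssh.
demo_run() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp/sshd_config"
    harden_sshd_config "$tmp/sshd_config"
    harden_sshd_config "$tmp/sshd_config"   # second run changes nothing
    # constructed key line for the demo, not a real key
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAexamplekeyonly user@example\n' > "$tmp/pub_key.txt"
    install_authorized_key "$tmp/ssh" "$tmp/pub_key.txt"
    if safe_to_disable_passwords "$tmp/ssh"; then
        echo "key installed with correct modes; safe to turn passwords off"
    fi
    grep -E '^(PasswordAuthentication|AddressFamily)' "$tmp/sshd_config"
    rm -rf "$tmp"
}
demo_run
```

On the real server, point harden_sshd_config at /etc/ssh/sshd_config only after safe_to_disable_passwords passes for your ~/.ssh, then run sudo sshd -t to validate the file before sudo service ssh restart. Keep your current PuTTY session open and confirm a key login in a second window before closing it; that is the lock-out the commenters below describe.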


Done!


Thank you for your time and attention! I appreciate the knowledge reaching more people. Take care. Peace.



If you appreciate and value the content, please consider:
Upvoting, Sharing and Reblogging below.

Follow me for more content to come!


@krnel
2016-11-28, 6:10am


This post has been ranked within the top 80 most undervalued posts in the second half of Nov 28. We estimate that this post is undervalued by $7.57 as compared to a scenario in which every voter had an equal say.

See the full rankings and details in The Daily Tribune: Nov 28 - Part II. You can also read about some of our methodology, data analysis and technical details in our initial post.

If you are the author and would prefer not to receive these comments, simply reply "Stop" to this comment.

Often I suspect this fetish of disabling IPv6 just hides the "we do not know how to secure IPv6". You give me inspiration to write a post like How to secure IPv6 in Linux....

Nice. I didn't know it was an issue. I thought it was disabled to make it one less thing to monitor for SSH.

OK, this is necro posting, but I do really suggest the clueless guys following this guide to first test they made the key thing work, then log in and disable password logins...

I gave this guide to a Windows noob and he locked himself out 3 times before getting it right, lol.

FIRST: Test SSH login with a key, instead of password

THEN: Disable password logins

Just common sense... I never thought I would be writing this in a guide to set up a node for a blockchain...

Hi, I want to disable the password login but I get the message "No supported Authentification methods available (server sent: publickey)" when I test it. I don't know if it's important, but when I opened the config file, the line "PasswordAuthentication yes" was commented out, so I had "#PasswordAuthentication yes" and I changed it to "PasswordAuthentication no".
Do you have an idea of my issue? Thanks
