---

In the previous post: https://steemit.com/it/@lynor/raspberry-pi-server-part-0-setup-and-ssh-access
a rasperry has been set-up and prepared for easy ssh access using a password.

Now imagine if we open up this raspberry to the wide world. Anybody could connect to it and just try out as many passwords as they please until they find a way to login and take over our nice little project.

For this reason we will generate our own ssh-keys, deactivate password login so only users with authorized keys can login, and setup fail2ban, a small service which keeps track of who is trying to login to our system and blocks connections made from IP-addresses which fail too many times

Let's get started!

---

Configure SSH-only access

Setup SSH Keys

The steps to take are described perfectly well on this page:
https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/

Still, I will describe them here once more just in case the website disappears some day.

start your git bash (or any other terminal that you will use), and let us use the ssh-keygen command to generate a private and public key pair which we will use for later access.

type:
ssh-keygen -t rsa -b 4096 -C "<your_comment>"

you can replace <your_comment> with anything, it is just a comment that should helpyou identify your ssh public key if it is copied into the same file with many other ssh public keys.

4096 rsa key size encryption has become popular lately, but you can use other sizes as well. an interesting short article about that can be found here: https://blog.josefsson.org/2016/11/03/why-i-dont-use-2048-or-4096-rsa-key-sizes/

Eventually you will be asked where to save the files, just press enter to save it in your .ssh/ folder in your home directory.
Finally, you will be asked to give a password for the ssh private key file. This is just a password which enables you to use the private key file in case it gets stolen.

When all is done you should get a randomart image of your key:

Just click enter, and you can jump into the folder with your ssh keys with

cd ~/.ssh

and check the files:

ls

You should see an id_rsa and id_rsa.pub

Now, you have to add this key to the authorized_keys file on your raspberry, so your raspberry will recognize you, when you try to login based on your ssh key.
There are several ways to do it, an easy way would be option 1:
ssh-copy-id [email protected]
This will copy your public key onto the server.

Option 2: I like to do it like this, even though it might seem more complicated:

cat ~/.ssh/id_rsa.pub | ssh [email protected] 'cat >> .ssh/authorized_keys'

This means that:

1. The content of your public key (cat ~/.ssh/id_rsa.pub)
2. will be taken (|)
3. and after login to your raspberry (ssh [email protected])
4. a command will be executed to append the that content to the end of your authorized_keys file ('cat >> .ssh/authorized_keys')

Now if we ssh to the server, only the password (if any was set) for the public key is asked, but not the passphrase for the user pi.

so let's check that file:

startup yout terminal or git bash (or cygwin or ...) and ssh into your raspberry

ssh pi@<ip-address>

replace <ip-address> with your raspberry pi's ip address. In my case it was: 192.168.0.136

Now output the content of the authorized_keys file with

cat ~/.ssh/authorized_keys

At the end of the public key you should find your comment which you added when generating the ssh keys.

Congrats, now you have configured ssh-access via public and private keys.

Now let us deactivate the password login, to make sure that really only you, with the only real private key, can login to your raspberry.

deactivate password login

For this, we have to edit a config file of the ssh daemon.

There are mainly two editors available, nano and vi. for now let us use the nano editor because it is simpler.
To open the config file type:
sudo nano /etc/ssh/sshd_config

In this file there is an entry with
#PasswordAuthentication yes
change it to
#PasswordAuthentication no

and press CTRL-X and ENTER to save and close the editor.

Now nobody can login as the user pi anymore, except they have one of the right keys inserted in the authorized_keys file

there is more info about configuring ssh on http://raspi.tv/2012/how-to-set-up-keys-and-disable-password-login-for-ssh-on-your-raspberry-pi

after all is set, restart the ssh daemon with:
sudo /etc/init.d/ssh restart
Or simply restart the raspberry with
sudo reboot
In both cases you will have to reconnect with the raspberry,

fail2ban

There is a very nice blog post which lays out all the necessary steps:
http://kamilslab.com/2016/12/11/how-to-install-fail2ban-on-the-raspberry-pi/

As before, I will describe all the steps once more on this page:

install fail2ban

sudo apt-get update
sudo apt-get install fail2ban

configure fail2ban

I have a slightly changed configuration file than suggested on the website

start editing your local fail2ban config file with:
sudo nano /etc/fail2ban/jail.local

[ssh]
sudo nano /etc/fail2ban/jail.local
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = -1
banaction = iptables-allports
findtime = 86400
maxretry = 3
usedns = warn

Explanations:

1. logpath: this path is important because we will watch the changes of this file. It shows us all authorized uses of command and login attempts on the rapsberry.
2. bantime = -1
   this means the after exceed the maximum limit of failed login attempts, and IP address is banned forever.
3. findtime = 86400
4. maxretry = 3
   Over a period of 24 hours, at most 3 login attempts are allowed to fail before permanently banning an IP address.

After setting the config fail, restart fail2ban
sudo service fail2ban restart

From now on the lgoin attempts are watched on.

If all went fine, this is generally a good start for a safe setup.
In general, now the port 22 can be opener on your router, with port forwarding (in my case port:22) directly to your raspberry.

Next time we will setup our terminal tool: tmux

Thank you!
Cheers!