SSH Guide for Linux VPS
How to Securely do SSH

If you’re new to administering a Linux VPS via the command line, then this guide is for you. Whether you’re running an email server, a chat server, or something else, it really doesn’t matter: the same principles apply. By the way, this guide assumes you’re using Linux on both your home computer and the VPS.
Why SSH
Twitter is a password, while Nostr is encryption as identity. Using this same concept, SSH is a secure tunnel using encryption as identity for security.
SSH keys are better at preventing some types of man-in-the-middle attack. Say the NSA unplugs a router on the way to your VPS host and inserts their own PC with the new IP address. You get a warning “THIS IS A NEW SSH KEY”, but you ignore it and type your password straight into the NSA’s box.
But if you authenticate with an SSH key, you’re still signing into a fake box, but they don’t get the private key, only a signature over that one unique challenge. A dude on the ServerFault forums worded it nicely:
“SSH keys prevent man-in-the-middle based attacks on your password. When you attempt to login with a key, the server will construct a challenge based on your public key and send it to your client, which will decrypt it and construct an appropriate response to send. Your private key never gets sent to the server, and anyone listening in is unable to do anything except intercept that single session. With a password they would have your credentials.”
Generate Keys
You do this on your local computer, and NOT the VPS,
ssh-keygen -t rsa -b 4096
Name it “id_rsa2” and pick a strong password (the key’s passphrase), which you can generate and save in KeePass locally.
Bitwarden & Proton are garbage, because they store it in the cloud. Even if it’s encrypted, there is no need for this risk. Some people will say, “oh but I like multiple device support”. And my response is “for SSH?! SSH from your PC and that’s it.”
The key files should be in whatever folder you picked from the command, but if you can’t find them try your home folder,
cd
ls
You’ll see id_rsa2 and id_rsa2.pub,
id_rsa2  id_rsa2.pub
The pub file is the PUBLIC key, and the one without it is the private. Make sure both are in the .ssh folder, if not then copy them there,
cp id_rsa2 .ssh
cp id_rsa2.pub .ssh
Now run the “cat” command to get the output of the public key, so we can put it on the VPS,
cat id_rsa2.pub
This will output the SSH public key. We WILL copy-paste that in a moment, but first open a 2nd terminal to get into the VPS.
On the VPS, add it
Now ssh into your VPS with the password they gave you, using the -v flag for verbose,
ssh -v root@your-IP
On the VPS, go to the authorized keys file,
sudo nano .ssh/authorized_keys
Copy-paste the PUBLIC SSH key from your cat command above.
Now we have to activate public keys to be allowed. To do so, go to the SSH config file,
sudo nano /etc/ssh/sshd_config
Scroll down and uncomment this line,
PubkeyAuthentication yes
Now we have to restart the SSH server for it to take effect,
sudo systemctl restart ssh
Let’s test this while you still have the terminal window open, so you don’t get locked out. Open a 2nd terminal on your home PC, and try to SSH in,
ssh -v root@your-IP
It should prompt you for the SSH key password, and NOT the VPS root password. If it doesn’t, then you did something wrong. Try to double-check the config and restart it. Make sure your keys are in the .ssh folder, and they have the right permissions.
Enter password for 'id_rsa2':
Key Permission Issues
It’s possible that some VPS will have an issue with loose permissions on the key, and in this case you need to tighten the key’s permissions on your local PC,
chmod 600 ~/.ssh/id_rsa2
Wrong Key Issues
It’s possible that some VPS will check for “id_rsa” and NOT “id_rsa2”. This is why I recommend the -v flag, so you can see which key is being offered and rejected.
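The two problems above (key permissions and the wrong key being offered) can both be settled on the home PC before you ever connect. The script below is an added example, not code from the original guide: it tightens the modes the ssh client insists on, then pins the key per host in ~/.ssh/config so the client offers id_rsa2 instead of trying id_rsa first. The alias “myvps”, the address 203.0.113.10 and all paths are placeholders; it uses GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original guide: two helpers for the local
# side of key authentication. Paths, the host alias "myvps" and the address
# 203.0.113.10 are placeholders chosen for illustration.

# Tighten the permissions the ssh client insists on before it will load a
# private key: the .ssh folder 700, the private key 600, the .pub 644.
# Returns 0 when the key and its folder end up with the right modes (GNU stat).
fix_key_perms() {
    key="$1"
    dir=$(dirname "$key")
    [ -f "$key" ] || { echo "no such key: $key" >&2; return 1; }
    chmod 700 "$dir"
    chmod 600 "$key"
    [ -f "$key.pub" ] && chmod 644 "$key.pub"
    [ "$(stat -c %a "$key")" = "600" ] && [ "$(stat -c %a "$dir")" = "700" ]
}

# Pin which key the client offers for a host, so it stops trying id_rsa
# first. Appends a Host block to the client config once (idempotent).
# Arguments: config-file alias hostname user private-key [port]
add_host_entry() {
    cfg="$1"; name="$2"; host="$3"; user="$4"; key="$5"; port="${6:-22}"
    if grep -q "^Host $name\$" "$cfg" 2>/dev/null; then
        return 0   # already configured
    fi
    cat >>"$cfg" <<EOF
Host $name
    HostName $host
    User $user
    Port $port
    IdentityFile $key
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"
}

# How many Host blocks exist for an alias; stays 1 however often you add it.
count_host_entries() {
    grep -c "^Host $2\$" "$1"
}

# Typical use on the home PC (commented out so the file is safe to source):
#   fix_key_perms "$HOME/.ssh/id_rsa2"
#   add_host_entry "$HOME/.ssh/config" myvps 203.0.113.10 root "$HOME/.ssh/id_rsa2"
#   ssh -v myvps
```

With the Host block in place, `ssh -v myvps` replaces `ssh -v root@your-IP` and the verbose output should show only id_rsa2 being offered; `IdentitiesOnly yes` stops the client from cycling through every other key it knows about. For a one-off connection without a config entry, `ssh -i ~/.ssh/id_rsa2 root@your-IP` does the same thing.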
Setup a Linux User
Now we want to avoid using the root user for SSH into the VPS. This is to make it more difficult to get root access, which is the most privileged access.
Make a User
First, we’re going to make a user. Here I named it “userbro”, but pick your own name made of long random characters (save it in KeePass),
useradd userbro
If the command “useradd” is not found, then make sure you’re root, or try this if given an error,
sudo apt install passwd
Now we’re going to make a home directory for this user,
mkdir /home/userbro
Then give that user rights to his own folder,
chown userbro:userbro /home/userbro -R
Then we have to give this user a usable shell so he can actually run commands. First open the file,
nano /etc/passwd
Scroll down to the end with the user, (or hit control + end) and then edit the end of the line from “bin/sh” to “bin/bash”. Obviously your user is going to be named differently.
FROM THIS:
userbro:x:1000:1000::/home/userbro:/bin/sh
TO THIS:
userbro:x:1000:1000::/home/userbro:/bin/bash
Then again for nano, to exit it’s control + x, then “y” for yes to save.
Set Password
Now we’re going to set a password for this user,
passwd userbro
Then add him to the “sudo” group, which lets him run commands with root privileges,
usermod -aG sudo userbro
You might be wondering what’s the point of this? Why not just use root then? Well, if an attacker does SSH into the VPS as this user, they now need ANOTHER verification, the sudo password, to do anything. So it’s a second layer of protection.
Now this user needs an SSH folder,
mkdir /home/userbro/.ssh/
And we’re going to put your public SSH key in there,
nano /home/userbro/.ssh/authorized_keys
Copy-paste the public SSH key in, and control + x to exit nano. Then “y” for yes to save it.
Now is your big moment, try to SSH in with the user and his key,
ssh -v userbro@your-ip
It should work; if not, double-check all the steps above and that the key is in the .ssh folder with the correct permissions and password.
Disable Passwords & Root SSH
Now if we really want to take our security game to the next level, we’ll disable password authentication altogether. This forces the attacker to have both an SSH key and the sudo password to do much.
First, let’s go back into that SSH config,
nano /etc/ssh/sshd_config
And set password authentication to “no”
PasswordAuthentication no
Also, while we’re here, let’s disable root SSH access, so the attacker has to use a user’s SSH key and then also know the sudo password,
PermitRootLogin no
Then restart SSH server,
sudo systemctl restart ssh
While you still have it open, first try to SSH in as a user without the SSH key in that folder, then as root, and finally as the correct user with the key, to make sure you’re not locking yourself out.
Change Port
The last step we’ll discuss is whether you should consider changing the SSH port. The reason for this is that if you leave it on the default (which is port 22), then bots will try to brute-force guess the SSH password. But if you change the port you SSH in on, you can then block and close off the default SSH port when you do the firewall. (Although we’ll cover the firewall itself in a future article.)
Go back to the SSH config file,
nano /etc/ssh/sshd_config
Change the port; it’s near the top, commented out,
Port 22
Pick any port you like, but avoid ones used by other services (like 80 or 443). For this example I’ll do 222 just as a test.
Port 222
Restart SSH service to take effect,
sudo systemctl restart ssh
Now open a new terminal and try to SSH in with the -p flag, and whatever you picked for your new port number,
ssh -v userbro@your-ip -p 222
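The three sshd_config edits in this guide (PubkeyAuthentication, PasswordAuthentication and PermitRootLogin, plus Port) all follow the same pattern: find the line, which is usually commented out, and set a value. The script below is an added example, not code from the original guide. It does that edit from the command line, drops duplicate directives, appends the directive if the file never mentioned it, and reads back the value sshd will actually use (sshd keeps the first value it reads for each keyword). The file path is an argument, so it can be tried on a copy; it assumes the file has no Match blocks.

```shell
#!/bin/sh
# Added example, not part of the original guide: edit sshd_config from a
# script instead of hunting for commented-out lines in nano, and read back the
# value sshd will actually use. Try it on a copy first; the file path is an
# argument so nothing here touches /etc/ssh unless you point it there.

# Set KEY to VALUE in FILE. The first line that is KEY, "#KEY" or "# KEY"
# (case-insensitive, as sshd treats keywords) is replaced, later duplicates
# are dropped, and the directive is appended if the file never mentioned it.
# Assumes a plain config without Match blocks.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        tolower($0) ~ "^[[:space:]]*#?[[:space:]]*" tolower(k) "([[:space:]]|$)" {
            if (!done) { print k " " v; done = 1 }   # first hit: rewrite
            next                                     # later hits: drop
        }
        { print }
        END { if (!done) print k " " v }             # never seen: append
    ' "$file" >"$tmp" && mv "$tmp" "$file"
}

# Print the value sshd would use for KEY in FILE: the first uncommented
# occurrence wins, because sshd keeps the first value it reads per keyword.
# (Match blocks and Include files are not followed here.)
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Typical use on the VPS as root (commented out so the file is safe to source):
#   cp /etc/ssh/sshd_config /root/sshd_config.bak
#   set_sshd_option /etc/ssh/sshd_config PubkeyAuthentication yes
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
#   set_sshd_option /etc/ssh/sshd_config Port 222
#   sshd -t && systemctl restart ssh    # -t checks the syntax before restarting
```

Two checks worth doing before the restart, still with the old session open. `sshd -t` refuses to pass a file with a typo, which is the difference between a failed restart and a lockout. And newer Debian/Ubuntu images put `Include /etc/ssh/sshd_config.d/*.conf` at the top of sshd_config; a drop-in there (cloud images often ship one saying `PasswordAuthentication yes`) wins over anything you set further down, because first value wins. `sshd -T | grep -i passwordauthentication` prints the effective value after all includes, so if it still says yes, fix the drop-in, not the main file.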
Congrats on your first step in your Linux security journey. In the future, we’ll cover firewalls, DNS, and domains. C ya then bro, and follow below for new content.
If you really want to learn and take your privacy to the next level, Access our VPN, and subscribe to our new content via: Podcast RSS, Session list, Nostr, Bastyon, Article RSS, or join the Signal Group