Hardening your server
Published on: 4th Feb 2021
Updated on: 23rd Sep 2022
Why
If your server is public facing (i.e., accessible through the public Internet), then you will have to follow the checklist below. Basically, it disables all the old and weak features to prevent anyone from exploiting their vulnerabilities.
Here's how you do it
- Run the test against your web server that has sshd enabled. The result will recommend disabling the weak algorithms.
- Since our Ubuntu server is accessible from the Internet, we cannot avoid being attacked. There are a few ways to deal with this critical issue:
  - Disable the root account and avoid using any other common account such as "pi", "user", "guest", etc.
  - Use a longer, more complex password.
  - Change the SSH port.
  - Use an SSH key.
- Among all of the above, SSH key authentication is the safest way to secure your SSH, but it is not impossible to crack. Please follow the steps below to enable the SSH key method.
- On Windows, we use the PuTTYGen program (which comes with the PuTTY installation) to generate the SSH key; below is the output (the file names are for illustration purposes, but the file extensions should be the same).
  - my-local-linux.ppk - this file was generated with PuTTYGen ("save private key"). It is best to set a "key passphrase" to encrypt the file; the passphrase is then required upon accessing the remote server.
  - my-local-linux.pub - this is the public key; the contents of this file are to be copied to the remote server.
  On Linux, run the following command to generate the key:
  ssh-keygen -t rsa -f ~/.ssh/my-local-linux
- Copy the SSH public key (from the .pub file created above) to the remote server:
  cd ~
  sudo mkdir .ssh
  sudo nano .ssh/authorized_keys
  # paste the public key and save the file as one line, "ssh-rsa {your_public_key}", with no more than one space between ssh-rsa and your key.
  # make sure the file is accessible by the user ID (replace "yourID" with the user ID).
  sudo chown -R yourID:yourID .ssh/authorized_keys
- 17.Jan.2025: in case of a "server refused our key" error, enter the public key in ~/.ssh/authorized_keys in one line (ssh-rsa {your_public_key}, with no more than one space between ssh-rsa and your key), then fix the permissions and ownership:
  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/authorized_keys
  chown $USER:$USER ~/.ssh -R
  Change /etc/ssh/sshd_config so it contains:
  AuthorizedKeysFile %h/.ssh/authorized_keys
  Then restart the service:
  sudo service ssh restart
- Edit the /etc/ssh/sshd_config file:
  sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.1
  sudo nano /etc/ssh/sshd_config
- In the config file, change the following settings.
  # enable public key authentication
  PubkeyAuthentication yes
  # disable the password auth method in the config file; only the SSH key will be recognised
  PasswordAuthentication no
  18.Sep.2022: for more information about PasswordAuthentication, please refer to the following article,
  NOTES: set this to YES if you allow users to upload/download files using FTP. Setting this value to NO will disable FTP access.
- Finally, restart the service:
  sudo systemctl restart sshd
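As an added example (not code from the original post), a small POSIX shell audit that checks an sshd_config file and a .ssh directory against the settings above and the fixes in the "server refused our key" note. The file paths, the constructed sample files and the helper names (sshd_value, audit_sshd_config, audit_ssh_dir, make_samples) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file and a
# user's .ssh directory for the settings this post recommends and for the usual
# causes of "server refused our key". GNU coreutils stat is assumed.

# Effective value of a directive: sshd honours the FIRST uncommented occurrence.
sshd_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{ print tolower($2) }'
}

# Returns the number of directives that differ from the post's settings.
audit_sshd_config() {
    bad=0
    v=$(sshd_value "$1" PubkeyAuthentication)      # sshd default is yes when unset
    [ "${v:-yes}" = yes ] || { echo "FAIL: PubkeyAuthentication=$v (want yes)"; bad=$((bad + 1)); }
    v=$(sshd_value "$1" PasswordAuthentication)    # sshd default is yes when unset
    [ "$v" = no ] || { echo "FAIL: PasswordAuthentication=${v:-unset} (want no)"; bad=$((bad + 1)); }
    return $bad
}

# Returns the number of problems with $1 (a .ssh directory): 700 on the directory,
# 600 on authorized_keys, and every key as one "ssh-<type> <base64>" line. A PuTTYGen
# .pub pasted raw has "---- BEGIN SSH2 PUBLIC KEY ----" headers and a wrapped key,
# which sshd rejects. Option-prefixed lines (from="...") are not handled here.
audit_ssh_dir() {
    bad=0
    [ "$(stat -c %a "$1")" = 700 ] || { echo "FAIL: $1 is not mode 700"; bad=$((bad + 1)); }
    [ "$(stat -c %a "$1/authorized_keys")" = 600 ] || { echo "FAIL: authorized_keys is not mode 600"; bad=$((bad + 1)); }
    awk 'NF == 0 || /^#/ { next }
         /^----/ || /^Comment:/ { print "FAIL: line " NR ": PuTTYGen header; paste the key as one line"; n++; next }
         $1 !~ "^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+)$" { print "FAIL: line " NR ": no key type"; n++; next }
         $2 !~ "^[A-Za-z0-9+/]+=*$" { print "FAIL: line " NR ": key data is not one base64 token"; n++ }
         END { exit n }' "$1/authorized_keys" || bad=$((bad + $?))
    return $bad
}

# Constructed samples: a hardened config and .ssh directory beside a default config
# and a directory holding a raw PuTTYGen paste with loose permissions.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '#PasswordAuthentication yes' 'PubkeyAuthentication yes' 'PasswordAuthentication no' > "$d/good.conf"
    printf '%s\n' '#PasswordAuthentication no' 'PubkeyAuthentication no' > "$d/weak.conf"
    mkdir -m 700 "$d/good" && mkdir -m 755 "$d/bad"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCexample== me@laptop' > "$d/good/authorized_keys"
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'AAAAB3NzaC1yc2EAAAADAQAB' '---- END SSH2 PUBLIC KEY ----' > "$d/bad/authorized_keys"
    chmod 600 "$d/good/authorized_keys" && chmod 644 "$d/bad/authorized_keys"
    echo "$d"
}
d=$(make_samples)
audit_sshd_config "$d/weak.conf" || echo "weak.conf: $? finding(s)"
audit_ssh_dir "$d/bad" || echo "bad/: $? finding(s)"
```

Run it against a real server by pointing audit_sshd_config at /etc/ssh/sshd_config and audit_ssh_dir at the user's ~/.ssh; a return value of 0 from both means the settings above are in place.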
- 4th Feb 2021 - I have experimented with changing the SSH port to a number other than 22 (i.e., the default port). As a result, no more attack attempts on SSH. In fact, it is better to have fail2ban to defend your server and also use an SSH key, which makes it harder to break in.
FAQ
What if a user ID needs to have more than one key file?
Updated on: 26.Apr.2025
- On your computer, you need to generate 2 keys: one for accessing the home computer and another for accessing the work computer.
  ssh-keygen -t rsa -f ~/.ssh/id_rsa.home
  ssh-keygen -t rsa -f ~/.ssh/id_rsa.work
- Next, add an entry to your ~/.ssh/config file to pick the key to use based on the server you connect to:
  Host home
      Hostname home.example.com
      IdentityFile ~/.ssh/id_rsa.home
      User <your home acct>
      Port 12345
  Host work
      Hostname 192.168.1.11
      IdentityFile ~/.ssh/id_rsa.work
      User <your work acct>
      Port 43215
  Once you set this up, you may connect to your home computer like this:
  ssh home
  To connect to your work computer:
  ssh work
  In case the remote server still prompts for the user password (i.e., it does not use the public key), you need to use -v, which shows the connection steps on the screen. This allows you to troubleshoot the password prompting issue.
  ssh work -v
- Finally, append the contents of your id_rsa.work.pub into ~/.ssh/authorized_keys on the work computer, and do the same for the home key on your home computer. In case the same user ID has more than one key file (on the remote server), you may append each key on a separate line.
For the full discussion, visit the following URLs:
https://serverfault.com/questions/221760/multiple-public-keys-for-one-user
https://linuxize.com/post/using-the-ssh-config-file/
References
- For a full hardening reference, please read the following page: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-18-04
- Using an SSH key instead of a password: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-1804
- Use SSH Keys with PuTTY on Windows: https://devops.ionos.com/tutorials/use-ssh-keys-with-putty-on-windows/#use-existing-public-and-private-keys
- How To Set Up Multi-Factor Authentication for SSH on Ubuntu: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04
- Updated on 6th Sep 2023. Mitigating DDoS Attacks with NGINX and NGINX Plus: https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
- Updated on 6th Sep 2023. Preventing Linux DDoS Attacks with Minimal Cybersecurity Knowledge: https://linuxsecurity.com/features/preventing-linux-ddos-attacks
Author
Lau Hon Wan, software developer.