SSH Keys

Let’s start next with setting up SSH keys.

If you’re on Windows you should be using PuTTY. Start PuTTYgen, ensure SSH-2 RSA is selected and click on ‘Generate’. Follow the instructions, enter a key passphrase, and then save both the public and private keys. Put them somewhere safe (not Dropbox etc.) and ideally back them up on cold storage, such as a flash drive kept somewhere safe. Don’t close PuTTYgen yet.

Start regular PuTTY, connect to your new server and, once logged in, open the authorized_keys file:

nano ~/.ssh/authorized_keys

If this file/folder doesn’t exist yet, you can create it yourself:

mkdir ~/.ssh
chmod 0700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 0644 ~/.ssh/authorized_keys

Then nano into it again. Go back to PuTTYgen, right-click on the box you waved your mouse over earlier with the random movements and select copy. Paste it (right-click) into the file we just opened in PuTTY. Then save and close it with Ctrl+X, then Y.

Great, now we have our SSH keys created. Next we need to configure the SSH service to allow key-based logins and disallow password logins.

nano /etc/ssh/sshd_config

Change PasswordAuthentication yes to PasswordAuthentication no and UsePAM yes to UsePAM no. Then restart the service:

service sshd restart

Don’t log out of your current PuTTY session yet: if you got anything wrong, you may get locked out. Open up a second PuTTY window and load the same server connection details, but this time click on ‘SSH’ on the left-hand side, then ‘Auth’, and in the ‘Private key file for authentication’ box browse to the private key you saved earlier. Then click ‘Session’ again on the left-hand side and ‘Save’. Click ‘Open’ and enter the SSH passphrase if you created one; you should now be successfully logged in. You can close the first PuTTY window now, as we’ve successfully set up SSH keys.
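Before closing that first session, the end state described above can be checked from the server side. The script below is an added example, not part of the original guide; its function names are hypothetical, and it assumes OpenSSH's documented first-value-wins parsing and upstream defaults (PasswordAuthentication yes, UsePAM no).

```shell
#!/bin/sh
# Added example: checks to run in the still-open session before logging out.

# Print the effective value of KEY in an sshd_config-style FILE, or DEFAULT.
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive and may use "Key value" or "Key=value". Match blocks and
# Include files are not followed here (`sshd -T` shows the full picture).
effective_setting() {
    awk -F'[ \t=]+' -v key="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }                  # drop indentation
        /^#/ || NF == 0 { next }                # skip comments and blanks
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(key) { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Succeed only if PATH is not writable by group or others, which sshd's
# StrictModes requires of ~/.ssh and authorized_keys.
not_group_world_writable() {
    [ "$(ls -ld "$1" | cut -c6,9)" = "--" ]
}

# expect FILE KEY WANT DEFAULT: report a mismatch and return 1.
expect() {
    got=$(effective_setting "$1" "$2" "$4")
    [ "$got" = "$3" ] || { echo "FAIL: $2 is '$got', want '$3'"; return 1; }
}

# check_key_only_login CONFIG SSHDIR: return 0 if both match the end state.
check_key_only_login() {
    rc=0
    expect "$1" PasswordAuthentication no yes || rc=1   # OpenSSH default: yes
    expect "$1" UsePAM no no || rc=1                    # OpenSSH default: no
    [ -s "$2/authorized_keys" ] || { echo "FAIL: authorized_keys empty"; rc=1; }
    for p in "$2" "$2/authorized_keys"; do
        not_group_world_writable "$p" || { echo "FAIL: $p too permissive"; rc=1; }
    done
    return $rc
}

# Check the live files only when called as: sh check.sh run
if [ "${1:-}" = "run" ]; then
    check_key_only_login /etc/ssh/sshd_config "$HOME/.ssh" && echo "OK"
fi
```

A FAIL on PasswordAuthentication after editing the file usually means an earlier line in the config already set it, so the edited line never takes effect.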

As for other security measures, like changing the SSH port and installing fail2ban, Quickbox will take care of these for us.