The main steps to secure console login to your server are:
- do not use any telnet server, use ssh
- do not use ssh with passwords
- tune sshd to refuse root login and to block password login
1 – Remove password-based ssh login
Logging in to your server via ssh with a password is extremely insecure and not even very practical. We strongly suggest moving ssh login to public keys. It is very easy to implement and it is supported by any device (tablets, smartphones, etc.).
How it works
You need to have 2 keys (2 small files): one called the “private” key, the other called the “public” key. What makes these 2 keys special is that a text message encrypted with the public key can only be decrypted with the private key. In simplified terms, when you log in with an ssh client to a server that has your public key, the server encrypts a random message with your public key and asks your client to decrypt it, to prove that it holds the correct private key. In this way the ssh client demonstrates that it has the private key without ever showing it, keeping it as secret as possible. The public key can only verify that the private key is the right one; for this reason it can be freely distributed to any server you need to log in to, while you must keep your private key safe, because it is the proof of your identity. You can add an extra level of security to your private key by protecting it with a password, so even if somebody steals your private key, they still need to know your password to use it. Key password protection is not a very strong protection, because finding the password is just a matter of time and CPU power.
How to create public and private key
There are many tools, depending on the operating system you use. To create the private/public key pair on Windows you can use PuTTYgen; please refer to this document. To create keys on Linux or Mac, please refer to this document.
How to setup your server
Here we will show how to set up a single server to allow login using a public key. If you have many servers in the same environment, we strongly suggest introducing a centralized LDAP to manage users and their keys in a single place (we will cover it in a different post).
Create the user
Create the .ssh folder
[myuser@myserver ~]$ mkdir .ssh
Create the authorized_keys file
and paste the text of your public key into it.
Fix the permissions and ownership
[myuser@myserver ~]$ chmod 640 .ssh/authorized_keys
Verify that it works: on your PC (Linux or Mac) you need to
The -v option shows you all the steps, so you can understand where the problem is, if there is one.
On the server you can check /var/log/secure to understand any problem.
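The steps above (create .ssh, add the public key, fix permissions, verify) as one POSIX shell script. This is an added example, not code from the original post: it installs a key for a user and then checks the layout against what sshd's StrictModes requires (a .ssh directory that is not group/world writable, an authorized_keys file that is not group/world writable). The post uses mode 640 for authorized_keys; the script uses the stricter 600 and accepts either when checking. The key line and the home directory (a temporary directory, so it runs without root) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key for a
# user and verify the permissions sshd's StrictModes expects.
# Assumptions: HOME_DIR is the user's home directory (a temporary directory
# in the demo below), and the key line is a constructed placeholder.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_authorized_key HOME_DIR "PUBKEY_LINE"
# Creates HOME_DIR/.ssh (0700) and appends the key to authorized_keys (0600),
# skipping the append if that exact key line is already present.
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # .ssh must not be group/world writable
    touch "$auth_keys"
    if ! grep -qxF -- "$pubkey" "$auth_keys"; then
        printf '%s\n' "$pubkey" >> "$auth_keys"
    fi
    chmod 600 "$auth_keys"        # the post uses 640; 600 is the stricter choice
}

# check_key_setup HOME_DIR
# Returns 0 when the layout is one sshd accepts with StrictModes yes:
# .ssh is 700 and authorized_keys is 600 or 640 (never group/world writable).
check_key_setup() {
    home_dir=$1
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"
    [ -d "$ssh_dir" ] || { echo "missing $ssh_dir" >&2; return 1; }
    [ -f "$auth_keys" ] || { echo "missing $auth_keys" >&2; return 1; }
    dir_mode=$(mode_of "$ssh_dir")
    file_mode=$(mode_of "$auth_keys")
    case "$dir_mode" in
        700) ;;
        *) echo ".ssh must be mode 700, found $dir_mode" >&2; return 1 ;;
    esac
    case "$file_mode" in
        600|640) ;;
        *) echo "authorized_keys must be 600 or 640, found $file_mode" >&2; return 1 ;;
    esac
    return 0
}

# count_authorized_keys HOME_DIR
# Number of installed keys (non-empty, non-comment lines).
count_authorized_keys() {
    grep -cvE '^[[:space:]]*#|^[[:space:]]*$' "$1/.ssh/authorized_keys" || true
}

# Demonstration with a constructed key in a temporary home directory.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL myuser@laptop'
install_authorized_key "$demo_home" "$demo_key"
install_authorized_key "$demo_home" "$demo_key"   # second call is a no-op
check_key_setup "$demo_home" && echo "key setup OK: $(count_authorized_keys "$demo_home") key(s)"
rm -rf "$demo_home"
```

On a real server run it as the user (or as root followed by `chown -R myuser:myuser ~myuser/.ssh`), then test from your PC with `ssh -v myuser@myserver` and watch /var/log/secure on the server if the key is refused; a bad mode on .ssh or authorized_keys is the most common reason sshd silently falls back to password authentication.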
2 – Fix the sshd configuration file
Once all the users on your server log in with public keys, you can remove the possibility of logging in with a password, to avoid any risk of security breaches.
Edit the sshd config file
and be sure these 2 parameters are set:
….
PasswordAuthentication no
Save and restart the sshd service.
REMEMBER: when you make any change like this, use 2 consoles. In the first make your changes, and in the second check that you are still able to log in after the changes.
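The sshd_config edit and the check that goes with it, as an added POSIX shell example (not the post's own code). It assumes OpenSSH's sshd_config rules: keywords are case-insensitive and the first occurrence of a keyword wins, so the script writes the directive at the top of the file and drops any other global copy (commented or not). The second parameter the post elides is taken to be PermitRootLogin no, from the "avoid root login" step above; both are real sshd_config keywords. The sample config is constructed and lives in a temporary file, so nothing here touches a real server.

```shell
#!/bin/sh
# Added example (not the post's own code): set and verify the two sshd_config
# directives the post relies on. Assumes OpenSSH sshd_config semantics (first
# occurrence of a keyword wins, keywords case-insensitive). PermitRootLogin is
# assumed as the second directive from the post's "avoid root login" step.

# effective_sshd_option FILE KEYWORD
# Prints the value of the first uncommented KEYWORD in the global section
# (before any "Match" block), or "default" if it is not set there.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }          # global section ends here
        $1 ~ /^#/ || NF == 0 { next }            # skip comments and blank lines
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# set_sshd_option FILE KEYWORD VALUE
# Removes every global occurrence of KEYWORD (commented or not) and writes
# "KEYWORD VALUE" as the first line, so it is guaranteed to be the winner.
# Match blocks are left untouched.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    {
        printf '%s %s\n' "$key" "$value"
        awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
            tolower($1) == "match" { in_match = 1 }
            !in_match {
                line = $0
                sub(/^[ \t]*#?[ \t]*/, "", line)   # strip leading "#" if commented
                split(line, f, /[ \t]+/)
                if (tolower(f[1]) == key) next
            }
            { print }
        ' "$file"
    } > "$tmp"
    mv "$tmp" "$file"
}

# harden_sshd_config FILE: apply the post's two settings.
harden_sshd_config() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
}

# check_sshd_config FILE
# Returns 0 only when both directives are effectively "no". Warns when a Match
# block sets PasswordAuthentication, because it can re-enable passwords for
# the users or hosts it matches.
check_sshd_config() {
    ok=0
    [ "$(effective_sshd_option "$1" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not 'no'" >&2; ok=1; }
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not 'no'" >&2; ok=1; }
    if awk 'tolower($1) == "match" { m = 1 }
            m && tolower($1) == "passwordauthentication" { found = 1 }
            END { exit !found }' "$1"; then
        echo "warning: a Match block sets PasswordAuthentication; review it" >&2
    fi
    return $ok
}

# Demonstration on a constructed sample config (not a real server's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# Constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
check_sshd_config "$demo" || echo "before: config is not hardened"
harden_sshd_config "$demo"
check_sshd_config "$demo" && echo "after: config is hardened"
rm -f "$demo"
```

On a real server run `harden_sshd_config` on a copy of the config, validate it with `sshd -t -f <copy>`, move it into place and only then restart sshd, keeping the second console from the REMEMBER note logged in until you have confirmed a fresh key-based login still works.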