Securing SSH: Just because it has secure in the name doesn't mean that it's secure out of the box

My server had an unauthorized login attempt today. Really, it was more along the lines of 2,000 login attempts. Why is my server under attack? Simply because it is on the internet. See, this is actually a normal day for a small server. Last week, there were just over 12,000 attempts.

So, business as usual for a server looks something like walking through a zombie filled wasteland armed only with a cowbell and a belt made of bacon. Not exactly comforting. Thankfully, we can greatly increase our level of security with just a few lines of configuration.

The Game Plan

Though it won’t thwart every attack, we can greatly increase our security by changing the way that we authenticate against our server. Out of the box, the easiest way to connect to an SSH server is using our username and password. Unfortunately, since passwords tend to be easy to programmatically guess, it also happens to be the lowest security method. Not exactly a great combination.

Thankfully, this isn’t the only way to authenticate. Instead of passwords, we’re going to use a preshared key.

Preshared Key?

Our authentication scheme consist of two files: a public and a private key. True to their names, our public key can be shared with any party without compromising our authentication scheme. The private key, however, is a bit more… private. 1

When connecting to our remote server, our local machine will employ our private key in order to create a complex digital signature. After passing the signature to the server, the server will be able to use our public key to verify that the signature was created by us. As an extra bonus, not only is this more secure, but it no longer requires an interactive password prompt.

To start, we’ll need to generate a new key pair.

ssh-keygen

After this, you should have two new files: ~/.ssh/id_rsa (private key), and ~/.ssh/id_rsa.pub (public key). The next thing we need to do is to associate our public key with our account on the remote server.

ssh-copy-id jrogers@dbprd1.example.com

At this point, you should be able to login without using a password.

ssh jrogers@dbprd1.example.com

Assuming you weren’t prompted for a password, we can assume our key was setup properly. With that complete, the last step is to disable password authentication entirely.

vim /etc/ssh/sshd_config

With vim open, find the PasswordAuthentication directive and set it to ‘no’.

PasswordAuthentication no

Finally, restart sshd and prepare to sleep a little more soundly.

service sshd restart

Footnotes


  1. Should you be curious about the details, you can find more about Public Key cryptography on Wikipedia. As a warning, be prepared to stomach countless hypothetical conversations between Alice and Bob↩︎