Server


Contents

SSH

SSH keys provide **a more secure way** of logging into a virtual private server with SSH than using a password alone. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. Generating a key pair provides you with two long string of characters: a public and a private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password. You can increase security even more by protecting the private key with a passphrase.


Making changes in ssh

Remember to:

**sudo /etc/init.d/ssh restart**

Tip: I can check all available services in /etc/init.d

Attention: if theres problems, grep to see if it actually stops the service Like this: **sudo /etc/init.d/ssh stop**

       ps aux | grep ssh

**sudo /etc/init.d/ssh start**

       ps aux | grep ssh
Debug

with -v flag. max 3 "v"s ssh user@server -vvv


Create RSA Key Pair

You create your rsa key pair in the computer you want to log to the server. I can use this key pair for several servers, but if I want to enter a same server from different computers, I create different rsa key pairs. Lo voy a crear a nivel local (en mi compu) y esa va a ser la llave rsa ssh que voy a usar para entrar en mis vps. NO genero una para cada vps sino que esa misma me sirve para todas. Si voy a usar varios ordenadores para entrar en un vps, sí necesitaré crear una llave ssh por máquina desde la cual estoy accediendo.

So each admin in a server is going to have at least one rsa key pair.

Be careful to pay attention from which user you create this in your local machine (computer). Since the rsa key pairs are saved in a hidden directory in my user home directory (~/.ssh), if Im trying to login from a different user, it will confuse home directories since each user has a different home directory.

So, from the user in my localmachine that I wish to use to access the server, I will create my rsa key pair:

$ **ssh-keygen**

By default it will generate two keys in ~/.ssh, a public key and a private key. We are going to copy our private key to the server. If we dont have access to this server, we will send it to the admin so that she can do it.

When generating the key, you will need to introduce a **"passphrase".**

Copy public key to the server

After generating an SSH key pair, you will want to copy your public key to your new server.

Assuming you generated an SSH key pair using the previous step, use the following command at the terminal of your local machine to print your public key (id_rsa.pub):

**cat ~/.ssh/id_rsa.pub**

This should print your public SSH key, which should look something like the following:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf localuser@machine.local

Select the public key, and copy it to your clipboard.

To enable the use of SSH key to authenticate as the new remote user, you must add the public key to a special file in the user's home directory of the directory. Assuming that we are going to create superuser accounts for each new admin we will do the following:

creating super user accounts

Changing to root user su root

we create superuser (note: it will ask me to introduce a passwd) adduser superusername

then we will add the superuser to sudoers: gpasswd -a superusername sudo

we now change to superuser: su superuser


When we change user, we will be by default in the user's home directory (~). You can do "cd ~" just in case.


creating .ssh directory and authorized_keys document in the superuser home directory

As the superuser to whom we want to give ssh access to the server, create a new directory called .ssh and restrict its permissions with the following commands:

**mkdir .ssh** **chmod 700 .ssh**

       chown superuser:group

Now open a file in .ssh called authorized_keys with a text editor. We will use nano to edit the file:

**nano .ssh/authorized_keys**

Now copy-paste the public key (which should be in your clipboard) by pasting it into the editor.

Save and close.

Now restrict the permissions of the authorized_keys file with this command:

**chmod 600 .ssh/authorized_keys**

       chown superuser:group

Type this command once to return to the root user:

exit

Now you may SSH login as your new user, using the private key as authentication.


SSH Reverse DNS Lookup Disable

The invalid logins are normal, since there are bots that try to bruteforce servers.

As for the "possible break-in attempt" message, The system is trying to do a reverse DNS lookup to match the connecting IP with the hostname that is trying to connect and fails to do so.

The setting that controls that is "UseDNS" in /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

y agrega la línea:

UseDNS no


sudo /etc/init.d/ssh restart


Force ssh login to server

**sudo nano /etc/ssh/sshd_config**

and change:

ChallengeResponseAuthentication no PasswordAuthentication no UsePAM yes


sudo /etc/init.d/ssh restart


Change ssh port access

sudo nano /etc/ssh/sshd_config

The first option that you may want to change is the port that SSH runs on. Find the line that looks like this:

Port 22

If we change this number to something in **between 1025 and 65536**, the SSH service on our server will look for connections on a different port. This is sometimes helpful because unauthorized users sometimes try to break into servers by attacking SSH. If you change the location, they will need to complete the extra step of sniffing it out.

If you change this value, you will need to keep in mind that your server is running on the new port.


    • service ssh restart**

So now you would have to access to the server like this:

ssh superuser@server -p portnumber


References

http://ubuntuforums.org/showthread.php?t=1773227

http://bodhizazen.net/Tutorials/SSH_security