Securing SSH access using key-based authentication is an essential practice for enhancing the security of Linux servers. This method is more secure and convenient than password-based authentication. Here’s a step-by-step guide:
Step 1: Generate SSH Key Pair
On your local machine, open a terminal and generate an SSH key pair: bash
ssh-keygen -t rsa -b 4096
-t rsa: Specifies the type of key (RSA is commonly used).
-b 4096: Sets the key size to 4096 bits for increased security.
You will be prompted to:
Choose a file name for the key pair (default is ~/.ssh/id_rsa).
Set a passphrase for the private key (optional but recommended for added security).
Step 2: Copy the Public Key to the Server
You need to transfer the public key (id_rsa.pub) to the server.
Use the ssh-copy-id command to copy the public key to the remote server: bash
ssh-copy-id username@server_ip
Replace username with your server username.
Replace server_ip with the server’s IP address or hostname.
Alternatively, if ssh-copy-id is unavailable, you can manually copy the key:
– View the public key on your local machine: bash
cat ~/.ssh/id_rsa.pub
– Log in to the server using your current authentication method and append the public key to the ~/.ssh/authorized_keys file: bash
echo "your_public_key_contents" >> ~/.ssh/authorized_keys
– Ensure the permissions are set correctly: bash
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
Step 3: Disable Password-Based Authentication
Disabling password authentication ensures that only key-based authentication is allowed.
Edit the SSH configuration file on the server: bash
sudo nano /etc/ssh/sshd_config
Locate and modify the following lines: plaintext
PasswordAuthentication no
ChallengeResponseAuthentication no
Save the file and restart the SSH service: bash
sudo systemctl restart sshd
Step 4: Restrict SSH Access
For added security:
1. Restrict SSH to a specific user or group:
– Edit /etc/ssh/sshd_config and add: plaintext
AllowUsers username
Replace username with the allowed user(s).
– Alternatively, use AllowGroups to restrict access to a specific group.
Change the default SSH port:
Change the default SSH port (22) to a custom port: plaintext
Port 2222
Update your firewall and any monitoring tools to accommodate this change.
Enable Fail2Ban:
Install and configure fail2ban to block IPs after multiple failed login attempts: bash
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Disable root login:
Edit /etc/ssh/sshd_config and set: plaintext
PermitRootLogin no
Instead, use a regular user account and escalate privileges with sudo.
Step 5: Test the Configuration
Open a new terminal and attempt to log in using your SSH key: bash
ssh -i ~/.ssh/id_rsa username@server_ip
Verify that you can no longer log in using a password.
Implement intrusion detection systems (IDS) for real-time monitoring.
By following these steps, you can secure SSH access to your Linux servers effectively. Always keep your private key safe and consider implementing additional layers of security, such as firewalls or VPNs, for critical infrastructure.
How do I secure SSH access to Linux servers using key-based authentication?
