it’s not ideal at all to have an ssh service open to the internet.
it gives attackers a path to try to get at sensitive information on our server.
making user
you should NEVER use root as your day-to-day user, so first make a regular user account and give it sudo privileges
adduser [user]
usermod -aG sudo [user]
ssh keys
we then want to create an ssh key pair (a public and a private key). if you’re on linux or macOS, open the terminal and run
ssh-keygen -t [type] -f ~/.ssh/your-key-filename
it’s recommended to use ‘ed25519’ as the type at the time of this post. also set a passphrase, because if someone gets hold of your private key or your device, it’s game over.
then we want to upload the PUBLIC KEY (the file ending in ‘.pub’) to the server, for the user we JUST created!
ssh-copy-id -i ~/.ssh/your-key-filename.pub [user]@host
see the ssh-copy-id man page (man ssh-copy-id) for more information
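to see what ssh-copy-id actually does on the server side, here is an added example (not code from the original post and not ssh-copy-id’s own implementation). it appends one public-key line to ~/.ssh/authorized_keys, creates the directory and file with the permissions sshd insists on (with StrictModes, the default, sshd ignores keys in a ~/.ssh or authorized_keys that others can write), does not duplicate a key that is already there, and refuses anything that is not a public key, which catches the classic mistake of uploading the private key instead of the .pub file. the home directory is a parameter, and the sample key is a constructed, structurally valid ed25519 blob around a dummy public key, not a real key.

```python
"""Install a public key the way ssh-copy-id does on the server side.

Added example, not the post's code and not ssh-copy-id's source.
`home` is a parameter instead of the real home directory so the function
can be exercised on a temporary directory.
"""
import base64
import binascii
import os
import stat
import tempfile

# key types an OpenSSH authorized_keys line may start with; the post
# recommends ed25519
KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "ssh-rsa"}


def parse_public_key(line):
    """Return (type, base64 blob, comment) for a public-key line, else raise ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"not an OpenSSH public key line: {line.strip()[:40]!r}")
    try:
        base64.b64decode(parts[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc
    return parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def is_public_key(line):
    """True if the line is an OpenSSH public key (a pasted private key is not)."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def install_authorized_key(home, pubkey_line):
    """Append the key to <home>/.ssh/authorized_keys.

    Returns True if it was added, False if an entry with the same type and
    blob (comment ignored) was already there, so running it twice, like
    running ssh-copy-id twice, does not duplicate the key. Lines with
    authorized_keys options in front of the key type are left untouched."""
    keytype, blob, _ = parse_public_key(pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # makedirs is subject to umask; be explicit
    if os.path.exists(auth_file):
        with open(auth_file) as fh:
            for entry in fh.read().splitlines():
                if is_public_key(entry) and parse_public_key(entry)[:2] == (keytype, blob):
                    return False
    with open(auth_file, "a") as fh:
        fh.write(pubkey_line.strip() + "\n")
    os.chmod(auth_file, 0o600)
    return True


# constructed sample key: a structurally valid ed25519 blob around a dummy
# 32-byte public key, NOT a real key
_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x01" * 32).decode()
SAMPLE_PUBKEY = f"ssh-ed25519 {_BLOB} user@laptop"
SAMPLE_PRIVATE = "-----BEGIN OPENSSH PRIVATE KEY-----"   # constructed; must be rejected


def demo():
    """Run the installer twice on a temporary home and report what happened."""
    home = tempfile.mkdtemp(prefix="sshdemo-")
    first = install_authorized_key(home, SAMPLE_PUBKEY)
    second = install_authorized_key(home, SAMPLE_PUBKEY)
    ssh_dir = os.path.join(home, ".ssh")
    return {
        "first_add": first,                      # True: key was appended
        "second_add": second,                    # False: already present
        "dir_mode": stat.S_IMODE(os.stat(ssh_dir).st_mode),
        "file_mode": stat.S_IMODE(os.stat(os.path.join(ssh_dir, "authorized_keys")).st_mode),
        "private_key_rejected": not is_public_key(SAMPLE_PRIVATE),
    }


if __name__ == "__main__":
    print(demo())
```

the permission bits are the part people get wrong by hand: a 0644 authorized_keys or a group-writable home directory is enough for sshd to silently fall back to asking for a password, which is exactly what the next section turns off.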
sshd config
first we want to look at our ssh daemon configuration file and change some critical settings that leave holes in our server.
open /etc/ssh/sshd_config with vim or nano
now, some say changing the port is ideal, but it does not really matter, as port scanners will find it anyway.
PasswordAuthentication no
UsePAM no
now that we log in with a key, password logins are no longer needed, and leaving them enabled is not recommended anyway.
PermitRootLogin no
we no longer want to allow the root user to log in over ssh.
save and exit from that file.
now let’s reload the ssh service. do NOT exit your current ssh session.
systemctl reload ssh
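before reloading, it’s worth checking that the three settings above are really in effect, because sshd has a few parsing rules that bite people: the FIRST value given for a keyword wins (a hardened line appended at the bottom of the file loses to an earlier line), settings inside a Match block apply only to that block, and an Include line pulls in other files at that point, so a file dropped into sshd_config.d (cloud images commonly ship one that sets PasswordAuthentication yes) quietly overrides what you wrote below it. the following audit is an added example, not code from the original post; it follows those rules, reports the Include paths rather than reading them, and runs on two constructed sample configs.

```python
"""Audit an sshd_config for the three settings changed in this post.

Added example, not code from the original post. Mirrors sshd's parsing:
keywords are case-insensitive, '#' starts a comment, the first value for a
keyword wins, Match blocks are scoped, and Include is reported, not read.
"""

# the settings the post asks for, keyword and value lowercased
REQUIRED = {
    "passwordauthentication": "no",
    "usepam": "no",
    "permitrootlogin": "no",
}


def parse_sshd_config(text):
    """Parse sshd_config text into global settings, Match blocks and Includes."""
    result = {"globals": {}, "matches": [], "includes": []}
    current = result["globals"]                  # where the next keyword goes
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split(None, 1)
        if len(tokens) == 1 and "=" in tokens[0]:   # "Key=value" form
            tokens = tokens[0].split("=", 1)
        if len(tokens) != 2:
            continue
        key = tokens[0].lower()
        value = tokens[1].lstrip("= ").strip()      # "Key = value" form
        if key == "include":
            result["includes"].append(value)
        elif key == "match":
            current = {}                             # start a new Match block
            result["matches"].append((value, current))
        else:
            current.setdefault(key, value)           # first occurrence wins
    return result


def audit(text):
    """Return a list of findings; an empty list means the file is compliant."""
    parsed = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = parsed["globals"].get(key)
        if actual is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif actual.lower() != wanted:
            findings.append(f"{key}: is '{actual}', want '{wanted}'")
    for criteria, block in parsed["matches"]:
        for key, wanted in REQUIRED.items():
            if key in block and block[key].lower() != wanted:
                findings.append(f"match {criteria}: {key} overridden to '{block[key]}'")
    for path in parsed["includes"]:
        findings.append(f"include {path}: read by sshd at that point, audit it too")
    return findings


# constructed sample: a stock-looking file with the hardened lines appended at
# the end, where first-value-wins makes two of them ineffective
WEAK = """\
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
# added later, too late for PasswordAuthentication and UsePAM
PasswordAuthentication no
UsePAM no
PermitRootLogin no
"""

# constructed sample: the post's settings, given before anything else
HARDENED = """\
PasswordAuthentication no
UsePAM no
PermitRootLogin no
Match Address 10.8.0.0/24
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or ["ok"])
```

on the real box, `sshd -T` prints the effective configuration after all parsing and includes, so comparing its output for these three keywords is the final check before you reload.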
user ssh config
on macos or linux, let’s open ~/.ssh/config
and add the following
Host [name]
    HostName host
    User [user]
    IdentityFile ~/.ssh/your-key-filename
then open another terminal (remember, do NOT exit your current one) and run
ssh [name]
if all works, you should be prompted for the ssh passphrase you set.
ufw
we want a firewall on our server to block any and all UNWANTED connections and only let through the ones that you explicitly ALLOW. note that ufw denies incoming connections by default, so allow the ports you still need (ufw allow [port]/[protocol]) or you will lock yourself out of new sessions.
sudo apt-get install ufw
sudo ufw enable
openvpn
we do not want anyone on the internet to be able to reach port 22 on our server, so let’s install openvpn!
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
- make sure you check out the installation script before running it.
after that you’ll be prompted for some options; we recommend:
ipv4: [the hosts]
protocol: udp
port: 443
dns: 1.1.1.1
client name: example
save the file that was output after installing openvpn (example.ovpn) and copy it to your computer.
we recommend that you disable vpn logs
open /etc/openvpn/openvpn/server.conf with vim or nano and set
verb 0
then save and quit
accessing the server
now, install an openvpn client. on linux that is
network-manager-openvpn-gnome
or network-manager-openvpn
depending on your desktop environment!
now we want to make sure the host we ssh to is the INTERNAL IP of the machine, not its EXTERNAL IP. you can find the internal IP with
hostname -I
then you should be able to reach your server over ssh through the vpn, without it being reachable from the internet