Skip to main content

Hardening SSH Security in Linux

SSH is a popular network protocol used to access remote computers through certain networks or the internet. OpenSSH is an application that provides SSH accessibility for a computer or server. A common method used to start a communication with SSH access is by providing a username and password before a secured connection is established. This method is not really safe because you provide credentials in plain text and transfer them through the network. It also makes it any scumbag individuals be easier to guess your password or perform a brute force attack in order to gain your server access. There are several possible ways that I think can be used for hardening your SSH security.
  1. Disable root access
  2. Change SSH port number
  3. Utilize RSA authentication
  4. Disable plain password login

Disable root access

1) Before you disable the root access, you need to make sure that there is another user account on your remote computer.

2) Create a new user as needed.
$ adduser youruser
3) Edit SSH configuration in /etc/ssh/sshd_config. Set new values for several following properties.
PermitRootLogin no
AllowUsers youruser
AllowUsers property is optional. It is used only for limiting access to certain users. You can add more users by separating it using space in the value.

4) Restart SSH service.
$ service sshd restart

Change SSH Port Number

You can change Port property other than 22.

Utilize RSA Authentication

1) Generate private and public keys in your local computer. I prefer to use PuTTYgen because it can generate not only an OpenSSH-compatible key but also a PuTTY-compatible key. PuTTY is a common application for remote access available for Windows. It needs a certain format of the private key with .PPK extension. PuTTYgen is included in PuTTY installation.

2) Open PuTTYgen. Set the number of bits in the generated key (2048, 4096, etc). Click "Generate".

3) After the process was completed, you can get 4 types of keys. First, in the big text box, it is an OpenSSH-compatible public key. Copy the content, paste it to a text editor (e.g. Notepad) and save it as Second, you possibly need to fill in the key passphrase. It adds more security to your private key. Click "Save public key" and save it as Third, click "Save private key" and save as id_rsa.ppk. It's PuTTY-compatible private key. Fourth, choose the "Conversion" menu then choose the "Export OpenSSH key". It will generate an OpenSSH-compatible private key and save it as id_rsa.

4) Now, back to the OpenSSH configuration in the remote server. Set new values for several following properties.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
The last property means that the OpenSSH application will check any allowed public keys stored in the user authorized_keys file.

5) Copy your user OpenSSH-compatible public key content and append it to /home/[yur_user]/.ssh/authorized_keys. The .ssh directory should be owned by your user and set its mode to 0700 for security while the authorized_keys mode should be 0600.

6) Back to the local computer and open your PuTTY application. On the Session menu, insert your remote computer address with its user and port. Then, go to Auth menu, choose your PuTTY-compatible private key. Then, back to the Session menu and save your configuration.

Disable plain password login

Before you implement this configuration, you must make sure that the previous process is working. By setting PasswordAuthentication value to "no" will make your server can be accessed only by RSA authentication.

If you think this article is useful, you can share it. Or, if you have any suggestions or questions, please leave them in the comment below.


Popular posts from this blog

Setting Up Next.js Project With ESLint, Typescript, and AirBnB Configuration

If we initiate a Next.js project using the  create-next-app tool, our project will be included with ESLint configuration that we can apply using yarn run lint . By default, the tool installs eslint-config-next and extends next/core-web-vitals in the ESLint configuration. The Next.js configuration has been integrated with linting rules for React and several other libraries and tools. yarn create next-app --typescript For additional configuration such as AirBnB, it is also possible. First, we need to install the peer dependencies of eslint-config-airbnb . We also add support for Typescript using eslint-config-airbnb-typescript . yarn add --dev eslint-config-airbnb eslint-plugin-import eslint-plugin-jsx-a11y eslint-plugin-react eslint-plugin-react-hooks yarn add --dev eslint-config-airbnb-typescript @typescript-eslint/eslint-plugin @typescript-eslint/parser After that, we can update the .eslintrc.json file for the new configuration. { "extends": [ "airb

Rangkaian Sensor Infrared dengan Photo Dioda

Keunggulan photodioda dibandingkan LDR adalah photodioda lebih tidak rentan terhadap noise karena hanya menerima sinar infrared, sedangkan LDR menerima seluruh cahaya yang ada termasuk infrared. Rangkaian yang akan kita gunakan adalah seperti gambar di bawah ini. Pada saat intensitas Infrared yang diterima Photodiode besar maka tahanan Photodiode menjadi kecil, sedangkan jika intensitas Infrared yang diterima Photodiode kecil maka tahanan yang dimiliki photodiode besar. Jika  tahanan photodiode kecil  maka tegangan  V- akan kecil . Misal tahanan photodiode mengecil menjadi 10kOhm. Maka dengan teorema pembagi tegangan: V- = Rrx/(Rrx + R2) x Vcc V- = 10 / (10+10) x Vcc V- = (1/2) x 5 Volt V- = 2.5 Volt Sedangkan jika  tahanan photodiode besar  maka tegangan  V- akan besar  (mendekati nilai Vcc). Misal tahanan photodiode menjadi 150kOhm. Maka dengan teorema pembagi tegangan: V- = Rrx/(Rrx + R2) x Vcc V- = 150 / (150+10) x Vcc V- = (150/160) x 5

Kerusakan pada Motherboard

1. Sering terjadi hang memory tidak cocok --- ganti memory ada virus di harddisk --- scan harddisk over clock --- seting kembali clock prosesor ada bad sector di harddisk --- partisi harddisk dengan benar 2. Pembacaan data menjadi lambat memori tidak cukup --- tambah memori harddisk penuh atau ada virus --- kurangi isi harddisk, scan harddisk, atau ganti hardisk 3. CMOS failure baterai habis --- ganti baterai CMOS seting BIOS berubah --- seting kembali BIOS 4. Tidak bisa booting cache memory rusak --- disable eksternal cache memory di BIOS memori tidak cocok --- ganti memori boot sector pada harddisk rusak --- masukkan operating system baru ada bad sector pada trek awal harddisk --- partisi harddisk 5. Suara bip panjang berkali-kali memori rusak --- periksa kedudukan memori memori tidak cocok --- ganti memori memori tidak masuk slot dengan sempurna --- periksa kembali kedudukan memori 6. Suara bip bagus tetapi tidak ada tampilan / bip dua kali VGA card

Raspberry Pi Bluetooth Connection

Raspberry Pi 3 provides a built-in Bluetooth module. The latest Raspbian has been bundled with tools for enabling Bluetooth connection. The Bluetooth icon will be shown up on the top right corner of the desktop. It's a tool to discover available Bluetooth devices and connect Pi with Bluetooth devices. It is easy to connect any Bluetooth-enabled electronic device with Pi. But, sometimes Pi will fail to connect, especially for Bluetooth device that has no standardized services. From a terminal, we can use the  bluetoothctl tool to scan and connect with a Bluetooth device. You should make sure that the BlueZ protocol stack has been installed by running $ apt-get install bluez Run bluetoothctl to enter the tool command window Turn the power on by running power on (Optional) You can set AutoEnable=true in /etc/bluetooth/main.conf if you want to make the Bluetooth auto power-on after reboot. Run devices to see which devices have been paired Run scan on if your desired d

Pemrograman Paralel dengan CUDA

CUDA ( Compute Unified Device Architecture ) adalah suatu skema yang dibuat oleh NVIDIA agar NVIDIA selaku GPU ( Graphic Processing Unit ) mampu melakukan komputasi tidak hanya untuk pengolahan grafis namun juga untuk tujuan umum. Jadi, dengan CUDA, kita dapat memanfaatkan cukup banyak  processor  yang dimiliki oleh NVIDIA untuk berbagai perhitungan. GPU yang ada  saat ini seperti ATI pun sudah memiliki banyak processor di dalamnya. Pada ATI, skema yang mereka bangun disebut ATI Stream. Saat ini pemrograman paralel menjadi sangat penting karena kebutuhan kemampuan komputasi komputer yang terus meningkat seperti kemampuan multitasking  dan pengolahan grafis yang andal. Metode saat ini dalam peningkatan peforma komputer juga berbeda dengan masa lampau dimana peningkatan clock  dari processor  yang diutamakan. Peningkatan clock  juga dibatasi oleh kemampuan fisik dari perangkat digital yaitu persoalan daya dan panas. Pada 2005 berbagai industri komputer mulai menawakan komputer den

Itachi Uchiha

The Real Hero of Konoha