Skip to main content

Hardening SSH Security in Linux

SSH is a popular network protocol used to access remote computer through certain network or internet. OpenSSH is an application which provides SSH accesbility for a computer or server. Common method used to start a communication with SSH access is by providing username and password before secured connection is established. This method is not really safe because you provide credentials in plain text and transfer it through the network. It also makes any scumbag individuals to be easier to guess your password or perform brute force attack in order to gain your server access. There are several possible ways that I think can be used for hardening your SSH security.
  1. Disable root access
  2. Change SSH port number
  3. Utilize RSA authentication
  4. Disable plain password login

Disable root access

1) Before you disable the root access, you need to make sure that there are another user account in your remote computer.

2) Create new user as needed.
$ adduser youruser
3) Edit SSH configuration in /etc/ssh/sshd_config. Set new value for several following properties.
PermitRootLogin no
AllowUsers youruser
AllowUsers property is optional. It is used only for limiting access to certain users. You can add more users by separating it using space in the value.

4) Restart SSH service.
$ service sshd restart

Change SSH Port Number

You can change Port property other than 22.

Utilize RSA Authentication

1) Generate private and public key in your local computer. I prefer to use PuTTYgen because it can generate not only OpenSSH-compatible key but also PuTTY-compatible key. PuTTY is a common application for remote access available for Windows. It needs certain format of private key with .PPK extension. PuTTYgen is included in PuTTY installation.

2) Open PuTTYgen. Set number of bits in generated key (2048, 4096, etc). Click "Generate".

3) After process was completed, you can get 4 types of key. First, in the big text box, it is OpenSSH-compatible public key. Copy the content, paste it to text editor (e.g. Notepad) and save it as Second, you possibly need to fill the key passphrase. It adds more security to your private key. Click "Save public key" and save it as Third, click "Save private key" and save as id_rsa.ppk. It's PuTTY-compatible private key. Fourth, choose "Conversion" menu then choose "Export OpenSSH key". It will generate OpenSSH-compatible private key and save it as id_rsa.

4) Now, back to OpenSSH configuration in remote server. Set new value for several following properties.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
The last property means that OpenSSH application will check any allowed public keys stored in the user authorized_keys file.

5) Copy your user OpenSSH-compatible public key content and append it to /home/[yur_user]/.ssh/authorized_keys. The .ssh directory should be owned by your user and set its mode to 0700 for security while the authorized_keys mode should be 0600.

6) Back to local computer and open your PuTTY application. On Session menu, insert your remote computer address with its user and port. Then, go to Auth menu, choose your PuTTY-compatible private key. Then, back to Session menu and save your configuration.

Disable plain password login

Before you implement this configuration, you must make sure that previous process is working. By setting PasswordAuthentication value to "no" will make your server can be accessed only by RSA authentication.

If you think this article is usefull, you can share it. Or, if you have any suggestion or question, please leave it on comment below.


Popular posts from this blog

Rangkaian Sensor Infrared dengan Photo Dioda

Keunggulan photodioda dibandingkan LDR adalah photodioda lebih tidak rentan terhadap noise karena hanya menerima sinar infrared, sedangkan LDR menerima seluruh cahaya yang ada termasuk infrared. Rangkaian yang akan kita gunakan adalah seperti gambar di bawah ini. Pada saat intensitas Infrared yang diterima Photodiode besar maka tahanan Photodiode menjadi kecil, sedangkan jika intensitas Infrared yang diterima Photodiode kecil maka tahanan yang dimiliki photodiode besar. Jika  tahanan photodiode kecil  maka tegangan  V- akan kecil . Misal tahanan photodiode mengecil menjadi 10kOhm. Maka dengan teorema pembagi tegangan: V- = Rrx/(Rrx + R2) x Vcc V- = 10 / (10+10) x Vcc V- = (1/2) x 5 Volt V- = 2.5 Volt Sedangkan jika  tahanan photodiode besar  maka tegangan  V- akan besar  (mendekati nilai Vcc). Misal tahanan photodiode menjadi 150kOhm. Maka dengan teorema pembagi tegangan: V- = Rrx/(Rrx + R2) x Vcc V- = 150 / (150+10) x Vcc V- = (150/160) x 5

Kerusakan pada Motherboard

1. Sering terjadi hang memory tidak cocok --- ganti memory ada virus di harddisk --- scan harddisk over clock --- seting kembali clock prosesor ada bad sector di harddisk --- partisi harddisk dengan benar 2. Pembacaan data menjadi lambat memori tidak cukup --- tambah memori harddisk penuh atau ada virus --- kurangi isi harddisk, scan harddisk, atau ganti hardisk 3. CMOS failure baterai habis --- ganti baterai CMOS seting BIOS berubah --- seting kembali BIOS 4. Tidak bisa booting cache memory rusak --- disable eksternal cache memory di BIOS memori tidak cocok --- ganti memori boot sector pada harddisk rusak --- masukkan operating system baru ada bad sector pada trek awal harddisk --- partisi harddisk 5. Suara bip panjang berkali-kali memori rusak --- periksa kedudukan memori memori tidak cocok --- ganti memori memori tidak masuk slot dengan sempurna --- periksa kembali kedudukan memori 6. Suara bip bagus tetapi tidak ada tampilan / bip dua kali VGA card

Raspberry Pi Bluetooth Connection

Raspberry Pi 3 provides a built-in Bluetooth module. The latest Raspbian has been bundled with tools for enabling Bluetooth connection. The Bluetooth icon will be shown up on the top right corner of the desktop. It's a tool to discover available Bluetooth devices and connect Pi with Bluetooth devices. It is easy to connect any Bluetooth-enabled electronic device with Pi. But, sometimes Pi will fail to connect, especially for Bluetooth device that has no standardized services. From a terminal, we can use the  bluetoothctl tool to scan and connect with a Bluetooth device. You should make sure that the BlueZ protocol stack has been installed by running $ apt-get install bluez Run bluetoothctl to enter the tool command window Turn the power on by running power on (Optional) You can set AutoEnable=true in /etc/bluetooth/main.conf if you want to make the Bluetooth auto power-on after reboot. Run devices to see which devices have been paired Run scan on if your desired d

How To Use Git in Netbeans

Git is a popular version control application nowadays. Recently I have created a note about its differences with SVN and how to use it in Eclipse . There are many Git client tools. But I just want to show how to use Netbeans built-in Git tools. It makes the development process easier because it has been integrated with the IDE. Create Remote Git Repository We need a remote Git repository so everyone can store or receive any revision or updated files through the networks. We can set up our own Git server or use a public Git server like Github . In this note, I use Github. 1. Create an account in Github and create an empty Git repository Create an empty public repository in Github 2. Get the remote repository link Your Github Repository URL Create a New Project in Netbeans and Create Local Git Repository After we have a remote Git repository, we can create a project stored in the remote repository. We also need to create a local repository before we can push

I Love Books

I like reading books since I was a kid. Thanks to my parents that let me bought any books and embraced me to read. Bookstore becomes one of my favorite places. I like to learn any topics, not only about science or IT stuffs. For me, reading a book isn't always intended to have possession in the topic, but it's for my personal pleasure and building an insight of something. some of them There're many things around us that we don't understand really well. If we try to figure it out by ourselves, we will waste most of our precious time. So, it's better to learn from the expert who has studied it well and then considering it with our common sense and logic. I grow up, many affairs had occurred, and shit happens. I realize that I have forgotten a lot of things. I likely tend to be aware of fewer things. So let me open a cupboard full of books which I've collected since a long time ago.