28-02-2022

Safe VPS with SSH key

So you have a brand new VPS, or an older one, and want to make it safer with SSH key based login? You are reading the right post.

Here is a referral link for Hetzner to claim your 20 eur, this will be more than enough for testing. Besides here is the link for Digital Ocean 100 USD coupon.

So now you can test VPS providers, create a server and come one!To login your VPS you will need SSH client (or terminal at least).

Please do a full update & upgrade

apt update && apt upgrade

Add a new user, because you don't want to use root. In this case I will add it as newUser

adduser newUser

Add the newly created user to the sudoers group, so you can use sudo command.

usermod -aG sudo newUser

Now login with the new user:

ssh newUser@xxx.yyy.zzz.ddd

Login with SSH key

Now we will create the SSH key. It's important, that you will do this step on your LOCAL machine. You can generate SSH key as email: "your@email.com" with the following command:

ssh-keygen -t rsa -b 4096 -C "your@email.com"

The next few seconds the command prompt will ask if the path & file name is ok for you ( it will be named as id_rsa if you don't write anything ). Besides it will ask you for password protection. I think it's very important to give the key password. It's suggested to put your keys in your user/.ssh folder and name it differently, so later you can know which key belongs to which server. Now you can copy it to your server:

ssh-copy-id -i /home/username/.ssh/generated_key.pub newUser@xxx.yyy.zzz.ddd

The system will ask for password. After everything went successfully, the window will display the following text:

Number of key(s) added: 1 

Now you can login with you key (with the key's password):

ssh newUser@xxx.yyy.zzz.ddd


Better protection for SSH

You will need to setup a few things in the ssh config file.

sudo nano /etc/ssh/sshd_config

We will do the following:

  • disable root login
  • change default ssh port 22
  • turn off password login

Important side note:

  • Only do this if you can login with your SSH key!
  • If you make any firewall rule, you have to open the desired port number!

Find and comment out (in case it is commented with # ):

  • Port 22: change it to something else. It is practical to place the desired port number between minimum 1000 and maximum 65535.
  • PermitRootLogin yes -> no 
  • PasswordAuthentication yes -> no
  •  PermitEmptyPasswords yes -> no

If you did the changes, Ctrl+O (or Cmd + O ) & Ctrl + X (or Cmd + X), then restart SSH service

sudo service ssh restart

Now after the restart ( and logout ).

ssh newUser@xxx.yyy.zzz.ddd -p desiredPortNumber

Just to save you time in the future, add these setup to your ssh config file. Edit ~/.ssh/config file, add the following block, but keep in mind, to change the values the ones you used during the setup.

Host fantasy.name.for.server.com 
Hostname xxx.yyy.zzz.ddd 
User newUser 
´╗┐Port desiredPortNumber 
´╗┐IdentityFile ~/.ssh/generated_ssh_key

With this addition, you can simply call the following command:

ssh fantasy.name.for.server.com

It will automatically add port number, ssh key, user, and ip address also.

Hope everything went well! Have a nice day!

© 2022 PappZ. All rights reserved.