Secure SSH Login on Ubuntu 14.04 VPS

When you set up a new Ubuntu server, it is good practice to change some of the SSH defaults to make your machine more secure. This tutorial will guide you through the process of adding a new user, giving that user root privileges, removing root login, and changing the default port for SSH access. I am assuming you are comfortable with basic shell commands; some basic Linux system administration knowledge is also helpful. I am using a fresh install of Ubuntu 14.04. Your requirements and results may vary depending on your flavor and version of Linux.

1. Connect to your server via SSH and log in as root

2. Update the server OS

3. Add new user

Replace *user* with your username for the rest of this tutorial.

 

4. Add *user* to group sudo

5. Generate RSA key on your local machine (if needed)

Linux/OSX:

Once you have entered the key generation command, you will be asked a few more questions:

You can press Enter here to save the file in the user's home directory.

You can choose to use a passphrase, or leave it blank. If you leave it blank you won’t have to enter a passphrase every time you use the key, but anyone who gains access to your private key will be able to use it.

After the passphrase prompt, your keys will be saved.

The public key is stored in /home/*user*/.ssh/id_rsa.pub

The private key is stored in /home/*user*/.ssh/id_rsa

Windows using PuTTY:

To generate a key with PuTTY, you should:

1. Download and start the puttygen.exe generator.

2. In the “Parameters” section choose SSH2 RSA and press Generate.

3. Move your mouse randomly over the small blank area of the window to generate the key pair.

4. Enter a key comment to identify this key, if you wish.

5. You can choose to use a passphrase and fill in “Key passphrase” and “Confirm passphrase”, or leave them blank. If you leave them blank you won’t have to enter a passphrase every time you use the key, but anyone who gains access to your private key will be able to use it.

6. Click “Save private key” to save your private key. This is the key you select in PuTTY to connect to your server.

7. Click “Save public key” to save your public key.

6. Copy key to server (for every SSH client)

7. Add to sudoers

8. Change SSH port and remove root access

9. Change all SSH client configs

Change the port number and private key file in your SSH clients.

10. Log in with your newly secured SSH connection!
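A check for the result of step 8, as an added example that is not part of the original post: it audits the global section of an `sshd_config` for the port, root login and `AllowUsers` settings. The function names, the user name `deploy` and the sample config are constructed for illustration. The sample shows why a fix appended below the stock lines does not take effect.

```shell
#!/usr/bin/env bash
# Added example: audit the global section of an sshd_config for step 8.

# Print every value of keyword $2 (case-insensitive) found in file $1 before
# the first Match block.
sshd_values() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Print one line per finding; exit status is 0 only when there are none.
audit_sshd_config() {
    local file="$1" user="$2" findings=0 ports root allow
    # Port may be repeated and sshd listens on all of them; none means 22.
    ports=$(sshd_values "$file" Port)
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx '22'; then
        echo "FINDING: sshd still listens on port 22"
        findings=$((findings + 1))
    fi
    # sshd keeps the first PermitRootLogin it reads, so a line appended
    # below an existing one changes nothing.
    root=$(sshd_values "$file" PermitRootLogin | head -n 1 | tr '[:upper:]' '[:lower:]')
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${root:-unset}', expected 'no'"
        findings=$((findings + 1))
    fi
    # AllowUsers entries are matched by exact name here; user@host entries
    # are reduced to the user part and wildcards are not expanded.
    allow=$(sshd_values "$file" AllowUsers | tr -s ' \t' '\n\n' | sed 's/@.*//')
    if [ -n "$allow" ] && ! printf '%s\n' "$allow" | grep -qxF -- "$user"; then
        echo "FINDING: AllowUsers does not list '$user' (lockout risk)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the edit was appended below the stock lines.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '# appended later:' \
    'Port 2222' 'PermitRootLogin no' 'AllowUsers deploy' > "$sample"
audit_sshd_config "$sample" deploy || echo "config needs attention"
rm -f "$sample"
```

Run the audit against `/etc/ssh/sshd_config` before restarting the SSH service, and keep your current root session open until a login as the new user on the new port succeeds.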

That’s basically it! There are a lot of other security considerations when setting up a new VPS, but this is a good first step for securing your Ubuntu server. If you have any suggestions or questions, post a comment and I will do my best to help!

Chris Bryant / August 2, 2015 / linux, programming, security, ubuntu

  • Greg Lawler

    Nice post, Chris, I didn’t know about the gpasswd command.
    We also use the AllowUsers setting in sshd_config to only allow specific usernames to log in.

    • Glad you found it useful, Greg! I do mention AllowUsers toward the end, but I cleaned it up a bit to make it easier to read.