Secure SSH Login on Ubuntu 14.04 VPS
When you set up a new Ubuntu server, it is a good practice to change some of the SSH defaults to make your machine more secure. This tutorial will guide you through the process of adding a new user, giving that user root privilege, removing root login, and changing the default port for SSH access. I am assuming you are comfortable with basic shell commands, and some basic Linux system administration knowledge is also helpful. I am using a fresh install of Ubuntu 14.04. Your requirements and results may vary depending on your flavor and version of Linux.
1. Connect to your server via SSH and log in as root
2. Update the server OS
```
apt-get update

apt-get upgrade
```
3. Add new user
Replace *user* with your username for the rest of this tutorial.
```
adduser *user*
```
4. Add *user* to group sudo
```
gpasswd -a *user* sudo
```
5. Generate RSA key on your local machine (if needed)
Linux/OSX:
```
su - *user*  # switch to new user account

ssh-keygen -t rsa
```
Once you have entered the ssh-keygen command, you will be asked a few more questions:
```
Enter file in which to save the key (/home/*user*/.ssh/id_rsa):
```
You can press Enter here to save the key in the user's home directory.
```
Enter passphrase (empty for no passphrase):
```
You can choose to use a passphrase, or leave it blank. If you leave it blank you won’t have to enter your passphrase every time you use the key, but anyone who gains access to your key will be able to use it.
After the passphrase prompt, your keys will be saved.
The public key is stored in /home/*user*/.ssh/id_rsa.pub
The private key is stored in /home/*user*/.ssh/id_rsa
Windows using PuTTY:
To generate a key with PuTTY, you should:
1. Download and start the puttygen.exe generator.
2. In the “Parameters” section choose SSH2 RSA and press Generate.
3. Move your mouse randomly in the small screen in order to generate the key pairs.
4. Enter a key comment to identify this key, if you wish.
5. You can choose to use a passphrase and fill in “Key passphrase” and “Confirm passphrase”, or leave them blank. If you leave them blank you won’t have to enter your password every time you use the key, but anyone who gains access to your key will be able to use it.
6. Click “Save private key” to save your private key. This is the key you select in PuTTY to connect to your server.
7. Click “Save public key” to save your public key.
6. Copy key to server (for every SSH client)
```
su - *user*  # switch to account if you are root
mkdir .ssh
chmod 700 .ssh

sudo apt-get install nano  # if you need to install it

# no sudo here, so the file stays owned by *user*
nano .ssh/authorized_keys
# paste RSA key
# should start with "ssh-rsa AAAA..."

# alternatively, if you have ssh-copy-id installed you can use
# (run this from your local machine):
ssh-copy-id *user*@server.ip.address

# using PuTTY on Windows: load private key in PuTTYgen, copy public key from
# top window, paste into authorized_keys

chmod 644 .ssh/authorized_keys
```
7. Add to sudoers
```
sudo visudo

*user* ALL=(ALL:ALL) ALL  # add this under "# User privilege specification"
```
8. Change SSH port and remove root access
```
sudo nano /etc/ssh/sshd_config  # open the ssh config file and edit the following values

# change 22 to a port between 1025 and 65535
Port 22222
# under Authentication, change 'yes' to 'no'
PermitRootLogin no

# add these two lines to the bottom of the file
UseDNS no
AllowUsers *user*

# save and exit

sudo service ssh restart  # restart the ssh service
```
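The edits in step 8 only take effect if no earlier line overrides them: sshd uses the first value it finds for a keyword such as PermitRootLogin, while every Port line adds another listener. The script below is an added example, not part of the original tutorial, that audits a config file for those two pitfalls; the function names, the sample configs and the user name deploy are constructed for illustration, and only the global section before any Match line is read.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings from step 8.
# Assumptions: whitespace-separated "Keyword value" lines; only the global
# section (before any "Match" line) is read.

# Print every value of keyword $2 in file $1, one per line, in file order.
# Keywords are case-insensitive; comment and blank lines are skipped.
sshd_values() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# sshd uses the FIRST value of a single-valued keyword; later ones are ignored.
sshd_first() { sshd_values "$1" "$2" | head -n 1; }

# Return 0 if the file matches the tutorial's hardening, 1 otherwise.
audit_sshd_config() {
    cfg=$1; rc=0
    # Port is cumulative: every Port line opens a listener; no Port line means 22.
    ports=$(sshd_values "$cfg" port | tr '\n' ' ')
    case " ${ports:-22} " in
        *" 22 "*) echo "FAIL: sshd still listens on port 22"; rc=1 ;;
    esac
    [ "$(sshd_first "$cfg" permitrootlogin)" = "no" ] ||
        { echo "FAIL: effective PermitRootLogin is not 'no'"; rc=1; }
    [ -n "$(sshd_values "$cfg" allowusers)" ] ||
        { echo "FAIL: no AllowUsers line restricts who may log in"; rc=1; }
    return $rc
}

# Constructed sample: new lines appended, old defaults left in place above them.
sample_bad() { printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
    'Port 22222' 'PermitRootLogin no' 'UseDNS no' 'AllowUsers deploy'; }
# Constructed sample: defaults edited in place, as step 8 describes.
sample_good() { printf '%s\n' 'Port 22222' 'permitrootlogin no' \
    'UseDNS no' 'AllowUsers deploy'; }

# Audit the file named on the command line, if any.
[ $# -eq 0 ] || audit_sshd_config "$1"
```

On the server itself, `sudo sshd -t` checks the file for syntax errors before you restart the service. Keep your current session open until a login on the new port succeeds.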
9. Change all ssh client configs
Change the port number and private key file in your ssh clients.
10. Log in with your newly secured SSH connection!
That’s basically it! There are a lot of other security considerations when setting up a new VPS, but this is a good first step for securing your Ubuntu server. If you have any suggestions or questions, post a comment and I will do my best to help!