If you own a Linux box and use ssh to access it over the internet, chances are that it will be subject to unauthorized login attempts or even brute-force attacks. Even if you have a strong password for your account, the constant poking from people or evil bots is a nuisance, to say the least.
Messages like the ones below in /var/log/secure show how annoying they can be:
Nov 25 23:13:21 —- sshd: input_userauth_request: invalid user test7
Nov 25 18:13:21 —- sshd: reverse mapping checking getaddrinfo for h63-210-66-233.seed.net.tw failed – POSSIBLE BREAKIN ATTEMPT!
Nov 25 23:13:30 —- sshd: input_userauth_request: invalid user test8
Nov 25 18:13:30 —- sshd: reverse mapping checking getaddrinfo for h63-210-66-233.seed.net.tw failed – POSSIBLE BREAKIN ATTEMPT!
To fully utilize the capability that ssh offers, we should always use public/private key access to a *nix box that is running OpenSSH. Below are some simple steps I used to implement this methodology.
Since I am using PuTTY, the setup and testing are done using putty.exe and puttygen.exe that are downloaded from here.
1. Create public and private key pair.
This can be accomplished using PuTTYgen. Once the program is started, click on the "Generate" button and keep moving your mouse. You can't be lazy here because it will not proceed until you make your move.
2. Save the public and private keys
Once the keys are generated, you need to create a key comment and your private passphrase. The passphrase is tied to your keys so without it your keys are useless. The public key is basically plain text that shows in the box. The private key is in binary form and should be stored with a .ppk extension.
3. Place the public key
The public key needs to be stored on the Linux server as $HOME/.ssh/authorized_keys. Since it is plain text, you can copy the key from the previous screen, paste it into an editor on the Linux server and save it. An IMPORTANT step is to set the right permissions on $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys so they aren't more permissive than sshd allows by default: the directories must not be writable by group or others, and authorized_keys should be readable and writable only by the current account.
The following commands can be used to achieve this:
$ chmod go-w $HOME $HOME/.ssh
$ chmod 600 $HOME/.ssh/authorized_keys
4. Place the private key
In PuTTY, you will need to load the private key into your PuTTY session and save the session.
After this step, you should be able to try the newly configured ssh access. You should be asked to enter the passphrase this time, instead of the password. Once this is verified, you can proceed to the next step.
5. Turn off password authentication in OpenSSH
In the /etc/ssh/sshd_config, there is an option called "PasswordAuthentication", just set it to "no".
Restart sshd and you should be running a more secure ssh now.
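A way to check the result of steps 3 and 5 on the server, as an added example that is not part of the original post. The function names are hypothetical, and the config check is a simplification that does not evaluate Include files or Match blocks.

```shell
#!/bin/sh
# Added example: audit the outcome of steps 3 and 5.
# Function names are hypothetical, not part of OpenSSH.

# Fail if a path is writable by group or others (what "chmod go-w" removes).
not_go_writable() {
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    if [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "group/world-writable: $1"; return 1
    fi
}

# Check the home directory given as $1, its .ssh and its authorized_keys.
check_key_perms() {
    rc=0
    not_go_writable "$1" || rc=1
    not_go_writable "$1/.ssh" || rc=1
    # "-perm 600" without a dash matches only when the mode is exactly 600.
    if [ -z "$(find -H "$1/.ssh/authorized_keys" -prune -perm 600 2>/dev/null)" ]; then
        echo "not mode 600: $1/.ssh/authorized_keys"; rc=1
    fi
    return $rc
}

# Succeed only if the first active PasswordAuthentication line in config
# file $1 says "no". sshd uses the first value it reads for a keyword, and a
# commented-out line leaves the default (yes) in place.
# Simplification: Include files and Match blocks are not evaluated.
password_auth_disabled() {
    value=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$value" = "no" ]
}

# Audit the real locations when the script is called with the argument "run".
if [ "${1:-}" = "run" ]; then
    check_key_perms "$HOME" && echo "key file permissions OK"
    password_auth_disabled /etc/ssh/sshd_config && echo "password logins disabled"
fi
```

Reading /etc/ssh/sshd_config may require root on some distributions.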
Even though you are running more securely after these measures, you still can't stop people from scanning port 22 and repeatedly trying to authenticate using a list of user names and passwords. To reduce this kind of noise, you can also change the port sshd listens on. The port configuration is the first parameter in the /etc/ssh/sshd_config file.