SSH and Security

How to secure the VM from bad guys: use SSH, HTTPS, Fail2ban, NPM, a reverse proxy and Let's Encrypt certificates.


If you don't choose who can enter, someone else will.

Using SSH is very important and gives us secure communication. Enabling SSH on your VM is highly recommended: you can run a very compact headless server without a monitor or keyboard and still reach it conveniently. I ♥ CLI.

Still, we need to lock the door: the ssh access on the VM.

Create a key and send it to the VM and test it:

The quick one is ssh-keygen -t ed25519. The key goes to the ~/.ssh directory (as id_ed25519 and id_ed25519.pub).
If you want to remember what it's for: ssh-keygen -t ed25519 -C "some comment of what it's for".

Better security is to use a passphrase (not accepted by every service); a complicated long one is better. For ease of use you can let ssh-agent remember it for you. ssh-keygen -t ed25519 -N new_long_passphrase -C "some comment of what it's for". Note that a passphrase given with -N ends up in your shell history; leave -N out and ssh-keygen will prompt for it instead.

Give your host a proper name with sudo hostnamectl set-hostname vm100.example.org, or stargate.example.com for the NPM VM.

Copy your key to the new server with ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected], then re-login by ssh. If it works you can now lock down ssh.

Configure who can ssh into your VM

You should not run as root. The command is adduser user-id, which creates a new user and asks for a password. Then add the user to the sudo group for elevated privileges.

Edit the VM's config: sudo nano /etc/ssh/sshd_config

PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
PermitRootLogin no
AllowUsers user-id
Port 55555

Save, check the syntax with sudo sshd -t, and restart the daemon: sudo systemctl restart sshd. Keep your current session open and test a fresh login from a second terminal before you close it, so that a typo in the config cannot lock you out.
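The lock-down above as a script, added here as an example and not part of the original post. It applies exactly the directives listed, but does so safely: sshd honours the first occurrence of a keyword, so the script rewrites the first match (even a commented-out default), drops later duplicates in the global section, and leaves anything under a Match line alone. The sshd_config it edits is a constructed sample so the script runs anywhere; on a real VM point it at /etc/ssh/sshd_config and follow with sudo sshd -t. The user name user-id and port 55555 come from the post.

```shell
#!/bin/sh
# Added example: apply the sshd_config settings from the post idempotently.
# sshd uses the FIRST occurrence of a keyword, so the first match is rewritten
# (commented-out defaults included), later duplicates are dropped, and nothing
# after a "Match" line is touched, because those lines are scoped to the block.

# Constructed sample config for the demo. On a real VM use /etc/ssh/sshd_config.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# Sample sshd_config (constructed for this example)
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
  tmp="$(mktemp)"
  awk -v key="$2" -v value="$3" '
    BEGIN { lk = tolower(key); done = 0; in_match = 0 }
    {
      if (in_match) { print; next }                 # leave Match-scoped lines alone
      is_comment = ($0 ~ /^[ \t]*#/)
      line = $0
      sub(/^[# \t]+/, "", line)                     # look past "#" to catch commented defaults
      split(line, f, /[ \t=]+/)
      kw = tolower(f[1])
      if (kw == "match" && !is_comment) {           # the global section ends here
        if (!done) { print key " " value; done = 1 }
        in_match = 1; print; next
      }
      if (kw == lk) {
        if (!done) { print key " " value; done = 1 }  # first occurrence rewritten
        next                                          # later duplicates dropped
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# get_sshd_option FILE KEY: the value sshd will use, i.e. the first active one before any Match
get_sshd_option() {
  awk -v key="$2" '
    BEGIN { lk = tolower(key) }
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == lk { print $2; exit }
  ' "$1"
}

# harden_sshd_config FILE USER PORT: the directives from the post
harden_sshd_config() {
  cp -p "$1" "$1.bak"                                # keep a copy to roll back to
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" ChallengeResponseAuthentication no
  set_sshd_option "$1" UsePAM no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" AllowUsers "$2"
  set_sshd_option "$1" Port "$3"
}

# Demo on a copy of the sample; on a real host follow with "sshd -t" and a restart.
WORK="$(mktemp)"
cp "$SAMPLE_CONFIG" "$WORK"
harden_sshd_config "$WORK" user-id 55555
echo "--- hardened sshd_config ---"
cat "$WORK"
echo "effective Port: $(get_sshd_option "$WORK" Port)"
```

Running it twice gives the same file, which is what you want from a script you re-run after every change. The Match-scoped PasswordAuthentication in the sample survives untouched, which is the point of stopping at the first Match line.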

Use firewalls

Only open the ports you need, and only to addresses you control. You need to open the web ports (80 and 443) and DROP everything else. My ssh ports are only open from inside my network.
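The firewall policy above written out as an nftables ruleset, added as an example and not part of the original post. The LAN range 192.168.1.0/24 is an assumption; the ssh port 55555 is the one configured earlier in the post.

```shell
#!/bin/sh
# Added example: an nftables ruleset for the policy in the post.
# Web (80/443) open to everyone, ssh only from inside the network, drop the rest.
# The LAN range below is an assumption for the demo, not a value from the post.

# build_ruleset LAN_CIDR SSH_PORT -> prints a complete nft ruleset on stdout
build_ruleset() {
  lan="$1"; sshport="$2"
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iif "lo" accept
    ct state established,related accept
    ct state invalid drop

    # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # Web: open to the world (80 also serves Let's Encrypt renewals)
    tcp dport { 80, 443 } accept

    # SSH: only from inside the network, on the non-default port
    ip saddr $lan tcp dport $sshport accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Write the ruleset to a file; apply it on the VM with "sudo nft -f FILE"
RULES="$(mktemp)"
build_ruleset 192.168.1.0/24 55555 > "$RULES"
echo "ruleset written to $RULES:"
cat "$RULES"
```

Check the file with sudo nft -c -f "$RULES" before applying it, and apply it from a console or an established session: the established,related rule keeps your current ssh connection alive, but a new connection from outside the LAN range will be dropped, which is exactly the policy.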

Use a Reverse Proxy and HTTPS

The reverse proxy needs only port 443 open. You will need port 80 open too, so that Let's Encrypt can renew the certificates. You direct traffic to the right service by CNAME: one hostname per service, all pointing at the proxy. Minimum exposure from open ports.
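What the proxy does for each hostname, as an added example and not part of the original post or of NPM itself (NPM generates nginx configuration for you; this shows what such a server pair contains). Assumptions: the challenge webroot /var/www/letsencrypt, certificates under /etc/letsencrypt/live/<host>/, and the backend addresses, which are constructed.

```shell
#!/bin/sh
# Added example: the nginx server blocks behind the policy in the post, one pair per hostname.
# Port 80 answers only the Let's Encrypt HTTP challenge and redirects everything else;
# port 443 terminates TLS and forwards to the internal service chosen by hostname.
# Paths and backend addresses are assumptions for the demo, not values from the post.

# vhost HOSTNAME BACKEND_URL -> prints the two server blocks
vhost() {
  name="$1"; backend="$2"
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $name;

    # Port 80 exists only for Let's Encrypt renewals; everything else goes to HTTPS
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $name;

    ssl_certificate     /etc/letsencrypt/live/$name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$name/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass $backend;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}

EOF
}

# Demo: two services behind one proxy, selected purely by the hostname the client asked for
# (each name is a CNAME to the proxy). Backend addresses are constructed.
vhost app.example.org http://10.0.0.12:8080
vhost git.example.org http://10.0.0.13:3000
```

Only the proxy is reachable from the internet; the backends listen on internal addresses and never need their own ports opened, which is where the "minimum exposure" comes from. Write the output to a file under the nginx configuration directory and check it with nginx -t before reloading.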

Stop Brute Force Attacks

Fail2ban is standard in my scripts. You only need to set it up to read the logs for the ports you have open; the sshd jail is activated by default. If you moved ssh to another port, tell the jail (port = 55555 in jail.local), otherwise the ban rule still covers port 22.
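What the sshd jail is doing for you, as an added example and not part of the original post or of Fail2ban: it counts failed logins per source address over constructed auth.log lines, reports the ones that cross the retry limit, and prints the jail.local snippet that binds the jail to the ssh port from the post. The log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: the logic behind Fail2ban's sshd jail, run over constructed log lines,
# plus the jail.local lines for ssh on the non-default port from the post.

# Constructed auth.log excerpt (syslog-style sshd messages; addresses are documentation ranges)
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
Mar  1 10:00:01 vm100 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  1 10:00:03 vm100 sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  1 10:00:05 vm100 sshd[1205]: Invalid user test from 203.0.113.7 port 51140
Mar  1 10:00:06 vm100 sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Mar  1 10:00:09 vm100 sshd[1210]: Failed password for user-id from 192.168.1.20 port 40012 ssh2
Mar  1 10:00:15 vm100 sshd[1212]: Accepted publickey for user-id from 192.168.1.20 port 40020 ssh2
Mar  1 10:00:20 vm100 sshd[1215]: Failed password for invalid user oracle from 198.51.100.9 port 33120 ssh2
Mar  1 10:00:21 vm100 sshd[1215]: Failed password for invalid user oracle from 198.51.100.9 port 33120 ssh2
EOF

# offenders LOGFILE MAXRETRY -> source addresses with at least MAXRETRY failures, one per line.
# Both "Failed password" and "Invalid user" count, as the sshd filter does; successes do not.
offenders() {
  grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user)' "$1" \
    | sed -E 's/.* from ([0-9.]+) .*/\1/' \
    | sort | uniq -c \
    | awk -v max="$2" '$1 >= max { print $2 }' \
    | sort
}

# jail_local SSHPORT -> a jail.local that bans for an hour after 3 failures in 10 minutes
# and, importantly, bans on the port ssh actually listens on
jail_local() {
  cat <<EOF
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 3
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port    = $1
logpath = %(sshd_log)s
backend = %(sshd_backend)s
EOF
}

echo "--- addresses that would be banned with maxretry = 3 ---"
offenders "$LOG" 3
echo "--- /etc/fail2ban/jail.local for ssh on 55555 ---"
jail_local 55555
```

Only 203.0.113.7 crosses the default limit of 3; the single typo from the LAN host and the two attempts from 198.51.100.9 do not, which is the balance findtime and maxretry are there to strike. With the sshd_config from the post password logins are refused outright, so these lines never get as far as a password check, but the jail still stops the noise from filling the logs. Check what is currently banned with sudo fail2ban-client status sshd.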

HTTPS encryption

Let's Encrypt is a nonprofit Certificate Authority providing TLS certificates to 260 million websites.

And remember to read the logs and follow what's going on in your VMs.