Jump to content

Basic SSH Security

Recommended Posts

  • Premium

Good morning,


Today I will show you how to make your ssh safer easily while avoiding having to type your login and password every time you want to work on your server.


Part 1. Logging in with a SSH Key


For starters, we will create a new user for our metin2 server.

pw useradd metin2 -m -g wheel

Next, we will move our server files to /home/metin2 and give our new user ownership of the files

cd /home
chown -R metin2:wheel metin2/

Now we are going to create a ssh key. In short, this is a file you save to your PC and replaces your password for login.

su metin2

Press enter (leave defaults) and move to the .ssh folder that has been created

cd metin2/.ssh
mv id_rsa.pub authorized_keys
cat id_rsa

Copy the output of this last command (including the comments) with ctrl+C and save it into a text file. This is your private key; to convert it to a format that putty and Filezilla can understand, you can use puttygen.


Download and open the tool and click on Load. Select "All files" on the File dialog and open the text file you saved previously, then click on "Save Private Key" to create the ppk file.


Finally, we are going to try to login with our new key. Open putty and load your server's settings, then go to the Connection > Data tab and in autologin username enter metin2 (or whatever you called your server's user). Next open Connection > SSH > Auth and load your ppk file.


Finally, return to Session and save your new settings, then Open to verify that you are able to login automatically with your new user and key, and use the su command to gain root privileges.


Part 2: Securing SSH


Once this is done, we can proceed to disable root login and password authentication in /etc/ssh/sshd_config, and restart the ssh server with service sshd restart. While you are editing the ssh config, it's also a good idea to change the ssh port to a different one, preferably an unused, high number port but don't forget to open this port in your firewall or you will lock yourself out!



Part 3. Security good practices


Once you do all of this, the only way to access your server is through the private ppk file. Therefore, make sure to backup it in a safe place such as USB stick or external drive!


Always run your server startup script as the metin2 user.


If you need root privileges, login with the metin2 user and then use su. In the event that someone gained shell access through some kind of backdoor or exploit, he won't have full access to the machine.

  • Love 13
Link to comment
Share on other sites

Very useful tutorial! But it's not enough to protect server against third party unprivileged persons. Good solution is hide all "external" service such as ssh/mysql/nfs server and client behind vpn , use good website scripts (many server been the pnwed by vulnerabilities in sites) strive to limitation host in mysql users and not privilege users even root to 'FILE' privilege'

By 'FILE' privilege , vulnerability homepage script and badly chmoded directories as 'cache' 'images'  you can use this as LFI/RFI vuln via load_file() and into outfile statement

  • Love 1
Link to comment
Share on other sites

  • 2 months later...
  • Premium

A little add :

cd /home/metin2
chmod 750 .ssh


chmod 600 .ssh/authorized_keys
chmod 600 .ssh/id_rsa

If you don`t do this step the server will refuse your key and give you this error:

SSH Authentication Refused: Bad Ownership or Modes for Directory

Cheers :P


As far as I know, those permissions are already set by default, at least on FreeBSD 9 and 10

Link to comment
Share on other sites


  • Create New...

Important Information

Terms of Use / Privacy Policy / Guidelines / We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.