Shogun 4588 Posted February 15, 2014

Good morning,

Today I will show you how to make your SSH safer easily while avoiding having to type your login and password every time you want to work on your server.

Part 1. Logging in with an SSH key

For starters, we will create a new user for our metin2 server.

pw useradd metin2 -m -g wheel

Next, we will move our server files to /home/metin2 and give our new user ownership of the files.

cd /home
chown -R metin2:wheel metin2/

Now we are going to create an SSH key. In short, this is a file you save to your PC that replaces your password for login.

su metin2
ssh-keygen

Press enter (leave defaults) and move to the .ssh folder that has been created.

cd metin2/.ssh
mv id_rsa.pub authorized_keys
cat id_rsa

Copy the output of this last command (including the comments) with Ctrl+C and save it into a text file. This is your private key; to convert it to a format that PuTTY and FileZilla can understand, you can use PuTTYgen. Download and open the tool and click on Load. Select "All files" in the file dialog and open the text file you saved previously, then click on "Save private key" to create the .ppk file.

Finally, we are going to try to log in with our new key. Open PuTTY and load your server's settings, then go to the Connection > Data tab and in "Auto-login username" enter metin2 (or whatever you called your server's user). Next open Connection > SSH > Auth and load your .ppk file. Finally, return to Session and save your new settings, then Open to verify that you are able to log in automatically with your new user and key, and use the su command to gain root privileges.

Part 2. Securing SSH

Once this is done, we can proceed to disable root login and password authentication in /etc/ssh/sshd_config, and restart the SSH server with service sshd restart.

While you are editing the SSH config, it's also a good idea to change the SSH port to a different one, preferably an unused, high-numbered port, but don't forget to open this port in your firewall or you will lock yourself out!

Part 3. Security good practices

Once you do all of this, the only way to access your server is through the private .ppk file. Therefore, make sure to back it up in a safe place such as a USB stick or external drive!

Always run your server startup script as the metin2 user. If you need root privileges, log in with the metin2 user and then use su. In the event that someone gains shell access through some kind of backdoor or exploit, he won't have full access to the machine.
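The sshd_config changes in Part 2 (root login off, password authentication off, a non-default port) are the step most likely to lock an administrator out, so the added example below, which is not code from the post, audits a config for those directives, writes a hardened copy, and syntax-checks it before the restart. It assumes a POSIX sh with awk and sed -E (FreeBSD and GNU userland both qualify) and the real sshd rules: the first uncommented occurrence of a keyword wins, and directives after a Match block are conditional. It also turns off ChallengeResponseAuthentication, because with UsePAM yes (the FreeBSD default) sshd still accepts passwords over keyboard-interactive even after PasswordAuthentication is set to no. Keep the existing session open and test the new port from a second session before closing it.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config for the
# settings the tutorial changes, write a hardened copy, and syntax-check it
# before "service sshd restart". Assumes POSIX sh with awk and sed -E.
# Keyword matching is case-insensitive in the audit but case-sensitive in
# the sed rewrite (sshd itself is case-insensitive).

# Print the value sshd would use for a keyword: the FIRST uncommented
# occurrence wins, and anything after a "Match" block is conditional, so
# we stop there. Prints nothing if the keyword is not set globally.
sshd_config_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Return 0 when every directive matches the hardened value, 1 otherwise.
# An unset directive is reported too: the compiled-in default differs
# between OpenSSH versions, so the value should be explicit.
# ChallengeResponseAuthentication is included because with UsePAM yes it
# still accepts passwords via keyboard-interactive after
# PasswordAuthentication is turned off.
sshd_config_audit() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_config_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "WEAK: $key is '${have:-unset}', want '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Write a hardened copy of $1 to $2 listening on port $3 (default 22).
# The new directives are prepended so they win under the first-match rule,
# and the original occurrences are commented out so the file reads cleanly.
sshd_config_harden() {
    port=${3:-22}
    {
        echo "# hardened settings prepended so they take effect (sshd uses the first match)"
        echo "Port $port"
        echo "PermitRootLogin no"
        echo "PasswordAuthentication no"
        echo "ChallengeResponseAuthentication no"
        echo "PubkeyAuthentication yes"
        sed -E 's/^[[:space:]]*(Port|PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication|PubkeyAuthentication)[[:space:]]/#&/' "$1"
    } > "$2"
}

# sshd -t parses a config without starting the daemon. Run it as root (it
# needs to read the host keys) before restarting, so a typo cannot lock
# you out. Returns 2 when sshd is not available to check.
sshd_config_syntax_check() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not in PATH; syntax not checked" >&2
        return 2
    fi
}

# Usage: sh sshd_harden.sh audit /etc/ssh/sshd_config
#        sh sshd_harden.sh harden /etc/ssh/sshd_config /tmp/sshd_config.new 2222
case "${1:-}" in
    audit)  sshd_config_audit "$2" ;;
    harden) sshd_config_harden "$2" "$3" "${4:-22}" \
            && sshd_config_audit "$3" && sshd_config_syntax_check "$3" ;;
esac
```

After the hardened file passes sshd -t, move it into place, open the chosen port in the firewall first, restart sshd, and only then close the old session. The audit can also be pointed at the live /etc/ssh/sshd_config at any later time to confirm nobody has quietly turned password logins back on.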
IceShiva 150 Posted February 18, 2014

Very useful tutorial! But it's not enough to protect the server against unprivileged third parties. A good solution is to hide all "external" services such as the ssh/mysql/nfs server and client behind a VPN, use good website scripts (many servers have been pwned through vulnerabilities in sites), and strive to limit the host in MySQL users and not give users, even root, the FILE privilege. With the FILE privilege, a vulnerable homepage script and badly chmoded directories such as 'cache' or 'images' can be used as an LFI/RFI vuln via load_file() and INTO OUTFILE statements.
M.Sorin 282 Posted May 6, 2014

A little addition:

cd /home/metin2
chmod 750 .ssh

then

chmod 600 .ssh/authorized_keys
chmod 600 .ssh/id_rsa

If you don't do this step the server will refuse your key and give you this error:

SSH Authentication Refused: Bad Ownership or Modes for Directory

Cheers
Shogun 4588 Posted May 6, 2014 (Author)

Quoting M.Sorin:
    A little addition: cd /home/metin2, chmod 750 .ssh, then chmod 600 .ssh/authorized_keys and chmod 600 .ssh/id_rsa. If you don't do this step the server will refuse your key and give you this error: SSH Authentication Refused: Bad Ownership or Modes for Directory. Cheers

As far as I know, those permissions are already set by default, at least on FreeBSD 9 and 10.
M.Sorin 282 Posted May 6, 2014

I have FreeBSD 9.1-p12 and I have to set those permissions for the key to work.
Shogun 4588 Posted May 7, 2014 (Author)

Maybe you were making keys for another user with root?
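The exchange above (M.Sorin's chmod fix and Shogun's question about keys made as root) comes down to what sshd checks under StrictModes yes, its default: the home directory, ~/.ssh and ~/.ssh/authorized_keys must each be owned by the user (root ownership is also accepted) and must not be group- or world-writable, otherwise the key is refused with the "Bad ownership or modes" message. The mode of id_rsa is not part of that check; it only matters to the ssh client, which refuses a private key readable by others. The added example below, which is not code from either post, reproduces those checks so the refusal can be diagnosed without reading sshd's log, and applies the conventional 700/600 modes. It assumes a POSIX sh and a find(1) that understands -maxdepth and symbolic -perm (GNU and FreeBSD find both do).

```shell
#!/bin/sh
# Added example, not from the original posts: reproduce the ownership and
# mode checks sshd performs under "StrictModes yes" before trusting
# ~/.ssh/authorized_keys, and apply the conventional fix.
# Assumes POSIX sh and find(1) with -maxdepth and symbolic -perm.

# Print a problem for each path that is missing, not owned by the expected
# user (or root), or group-/world-writable; return 0 when all are acceptable.
ssh_path_check() {
    user="$1"; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p" >&2
            rc=1
            continue
        fi
        # sshd accepts root as well as the user, so a .ssh directory created
        # while logged in as root fails on mode or on the file owner rather
        # than on the directory owner alone.
        if [ -z "$(find "$p" -maxdepth 0 \( -user "$user" -o -user root \) -print)" ]; then
            echo "OWNER: $p is not owned by $user or root" >&2
            rc=1
        fi
        if [ -n "$(find "$p" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "MODE: $p is group- or world-writable" >&2
            rc=1
        fi
    done
    return $rc
}

# Check the three paths sshd inspects for a given user and home directory.
ssh_home_check() {
    user="$1"; home="$2"
    ssh_path_check "$user" "$home" "$home/.ssh" "$home/.ssh/authorized_keys"
}

# sshd only requires "not group/world writable", but 700/600 also stop
# other local users from reading the directory and the key list.
# Ownership is reset too, covering keys that were generated as root.
ssh_home_fix() {
    user="$1"; home="$2"
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    chown -R "$user" "$home/.ssh"
}

# Usage: sh ssh_modes.sh check metin2 /home/metin2
#        sh ssh_modes.sh fix metin2 /home/metin2
case "${1:-}" in
    check) ssh_home_check "$2" "$3" ;;
    fix)   ssh_home_fix "$2" "$3" && ssh_home_check "$2" "$3" ;;
esac
```

Run the check as root for a user whose key is being refused; an OWNER line points at keys generated under the wrong account, a MODE line at the chmod step M.Sorin describes. Note that 750 on .ssh, as in the post, also satisfies sshd, since only the write bits for group and others are inspected.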