Securing an ssh Daemon with Asymmetric Encryption

02-06-2020

I noticed some faggot trying to attach to my systems through public ports open on my router last week (this article was written 02-06-2020). We hackers refer to wannabe crackers (who use publicly available scripts to do this sort of thing) as "script kiddies" (probably some nine year kid in Asia with a copy of a semi-sophisticated script-- who thinks he's gonna be a hacker someday). I tried switching my server's ssh port (which has been something other than standard port 22 for several years, now). And, I switched off all other public ports.

But-- the little shit just wouldn't give up. And when I switched back to my usual port this last weekend, I could see more ssh attempts in my messages log (/var/log/messages on a Slackware system). So-- I started using ssh keys on all the systems I have attached to public ports. And now, you gotta have a key if you wanna attach to my public systems. And (of course), I decided I'd write a short explanation of how I did this and share it with all my Witty News readers. :D

It was actually really easy to do. But-- the security this adds to a public system is priceless. The first step is to use ssh-keygen. This will create a pair of keys (one public and one private) for securing an ssh daemon. I ran the command on one of my clients. But, you can (of course) run this on a server and copy the files later.

ssh-keygen will prompt for a password to use to encrypt your private key. You can leave this blank. I encrypted mine. That way if some piece of shit manages to copy my private key, they'll need to crack its encryption before they can use it (this would take a single machine running a single script billions of years, I'm told). Meanwhile, I could replace the keys that were compromised. You don't (obviously) encrypt the public key. Anyone can see that. You'll still need a private key to pair with it if you want to attach to the system.

Once you have a private key, you'll need to copy it to any machines you wanna use to attach to your ssh server. So, you'll wanna copy ~/.ssh/id_rsa from the machine you used to create the key pair. You'll wanna copy the public key to your server (if you didn't use your server to create the key). The public key is written to ~/.ssh/authorized_keys. openssh provides a convenient command for doing this, too. ssh-copy-id user@domain can copy this for you. And like openssh's client, ssh-copy-id has a port option (-p).

After you have a public key on your server and private keys on your clients, you can forbid password authentication in your server's sshd configuration ("/etc/ssh/sshd_config" on Slackware systems). Then, restart your server's ssh daemon (". /etc/rc.d/rc.sshd restart" on Slackware). Simple as that! If you encrypted your private key, you will (obviously) be prompted for the cypher password when connecting to an ssh server that requires the key. If you chose not to encrypt this file, you can attach to a paired ssh server without even typing a password! But, I don't like the idea of using authentication with no password. So, I encrypted mine. Not sure who this script kiddie is who's trying to crack my ssh server. But, now-- he/she is in a world of shit.

Back

______________________________________________

Follow me on:

Facebook
Twitter

html revised 2020-07-08 by Michael Atkins.

The maintainer of insanelywittystupidity.com does not care if people duplicate this page or any part of it-- as long as this notice remains intact.