{"id":537,"date":"2016-06-18T10:00:17","date_gmt":"2016-06-18T14:00:17","guid":{"rendered":"http:\/\/easy-admin.ca\/?p=537"},"modified":"2017-08-21T10:00:26","modified_gmt":"2017-08-21T14:00:26","slug":"configure-ssh-for-high-security-rsa-4096-bits","status":"publish","type":"post","link":"https:\/\/easy-admin.ca\/index.php\/2016\/06\/18\/configure-ssh-for-high-security-rsa-4096-bits\/","title":{"rendered":"Configure SSH for high security RSA-4096 Bits"},"content":{"rendered":"<p>There are some steps to do after SSH is installed on a system. An old saying goes \u201cA <em>chain is only as strong<\/em> as its <em>weakest link<\/em>\u201d, and if you are using a weak password for your root account (or any other account) then you are extremely vulnerable. It does not matter if the communication is secure when your password is easily brute forced. All steps were done on Ubuntu 11.10 but should be the same on OpenBSD, Debian, Linux Mint or any other Linux distribution with none or very few modifications.<\/p>\n<p><strong>We are going to do the following steps<\/strong><\/p>\n<ul>\n<li>Create key pair<\/li>\n<li>Set correct permissions on the .ssh folder and files<\/li>\n<li>Disable logging in with a password<\/li>\n<li>Prevent root from logging in via SSH<\/li>\n<li>Remove less secure encryption methods<\/li>\n<li>Enable visual identification of the server fingerprint<\/li>\n<li>Optional: Change SSH port (does not really increase security)<\/li>\n<\/ul>\n<p><strong>Create key pair<\/strong><br \/>\nWe are going to use an RSA key with a key length of 4096 bits. Open a terminal and enter the following: \u201cssh-keygen -t rsa -b 4096\u201d. A 1024-bit key should be enough but better to be safe than sorry.<\/p>\n<p><strong>Generating public\/private rsa key pair<\/strong><br \/>\nssh-keygen -t rsa -b 4096<\/p>\n<p>Then you will be asked where to store the key. 
If you already have keys in ~\/.ssh\/id_rsa then you should enter another file name or your existing keys will be overwritten. If you are satisfied with the suggestion simply press enter.<\/p>\n<p>Enter file in which to save the key <strong>(\/home\/accountname\/.ssh\/id_rsa)<\/strong><\/p>\n<p>It\u2019s now time to enter a passphrase. Use a strong passphrase with upper- and lower-case letters, numbers and symbols. It should also be unique and stored in a secure place, such as an encrypted container.<\/p>\n<p>Enter passphrase (<strong>empty for no passphrase<\/strong>): 2sWf3+@\/\u2019?B&gt;.%DpBU\u201dr<br \/>\nEnter same passphrase again: 2sWf3+@\/\u2019?B&gt;.%DpBU\u201dr<\/p>\n<p>Your identification has been saved in \/home\/accountname\/.ssh\/id_rsa.<br \/>\nYour public key has been saved in \/home\/accountname\/.ssh\/id_rsa.pub.<\/p>\n<p>The key fingerprint is:<br \/>\n31:b0:be:0b:5b:7c:f1:79:65:e4:72:42:18:08:c4:8d<br \/>\nThe key\u2019s randomart image is:<\/p>\n<p>+--[ RSA 4096]----+<br \/>\n|\u00a0\u00a0\u00a0\u00a0 o++ ..o.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |<br \/>\n|\u00a0\u00a0\u00a0\u00a0\u00a0 Eoo ..\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 |<br \/>\n|\u00a0\u00a0\u00a0\u00a0\u00a0 . o\u00a0\u00a0 . .\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |<br \/>\n|\u00a0\u00a0\u00a0\u00a0 .\u00a0\u00a0 o o +\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |<br \/>\n|\u00a0\u00a0\u00a0\u00a0\u00a0 . S\u00a0\u00a0 +\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 |<br \/>\n|\u00a0\u00a0\u00a0\u00a0 . o o o\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 |<br \/>\n|\u00a0\u00a0\u00a0 . +\u00a0o .\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |<br \/>\n|\u00a0\u00a0\u00a0\u00a0 + o .\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0\u00a0 |<br \/>\n|\u00a0\u00a0\u00a0 . 
.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |<br \/>\n+-----------------+<\/p>\n<p><strong>Enable the public key for authentication<\/strong><br \/>\nThe public key should be stored in ~\/.ssh\/authorized_keys and there can be more than one key for a single user. Just add a new line for each public key. If the key is to be used on the same system where you just created it, simply append id_rsa.pub to authorized_keys (appending keeps any keys that are already there):<\/p>\n<p># ~$ cd ~\/.ssh<br \/>\n# ~\/.ssh$ cat id_rsa.pub &gt;&gt; authorized_keys<\/p>\n<p><strong>Set correct permissions on the .ssh folder and files<\/strong><\/p>\n<p>Make sure that your working folder is your home folder, and replace \u201cjohn\u201d with your username. The folder itself must be readable and executable only by you (700) and the files inside it readable only by you (600).<\/p>\n<p># ~\/.ssh$ <strong>cd ~<\/strong><br \/>\n# ~$ <strong>sudo chown -R john:john .ssh<\/strong><br \/>\n# ~$ <strong>chmod 700 .ssh<\/strong><br \/>\n# ~$ <strong>chmod 600 .ssh\/*<\/strong><\/p>\n<p>Do a test login to check the public key<\/p>\n<p># ~$ <strong>ssh john@localhost<\/strong><br \/>\nEnter passphrase for key \u2018\/home\/john\/.ssh\/id_rsa\u2019:<\/p>\n<p>After you have entered the private key passphrase you should have access to your machine; if not, you will have to look for errors in the logs, which is not covered in this guide.<\/p>\n<p><strong>Configure sshd<\/strong><br \/>\nThe next step is to modify sshd. All settings we will change are in the file \/etc\/ssh\/sshd_config. Start by making a backup of sshd_config just in case.<\/p>\n<p># john@john-laptop:\/$ sudo cp \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config_backup<\/p>\n<p>Use your preferred editor to edit sshd_config. 
I prefer vi but I will use nano in this example<\/p>\n<p># john@john-laptop:\/$ sudo nano \/etc\/ssh\/sshd_config<\/p>\n<p><strong>The following lines are going to be added or altered:<\/strong><\/p>\n<p>PermitRootLogin yes<br \/>\n#PasswordAuthentication yes<br \/>\nCiphers<\/p>\n<p>Root should never be used to log in, since it is much more secure to use a regular user; when you need to perform an administrative task, use the command sudo instead, which gives you temporary administrative rights.<br \/>\nWe are also going to disable logging in with a password (you will be forced to use the private key). Find the row which looks like this:<\/p>\n<p>PermitRootLogin yes<\/p>\n<p><strong>Modify it to look like this<\/strong><\/p>\n<p><span style=\"color: #ff0000;\"><strong>PermitRootLogin no<\/strong><\/span><\/p>\n<p><strong>Find the row which looks like this<\/strong><\/p>\n<p>#PasswordAuthentication yes<\/p>\n<p><strong>Modify it to look like this<\/strong><\/p>\n<p><span style=\"color: #ff0000;\"><strong>PasswordAuthentication no<\/strong><\/span><\/p>\n<p>At the end, a Ciphers line is going to be added. It may not be needed on newer installations, but the default ciphers have not always been the best choices and sshd should be forced to use only the strongest ones, so the list is restricted to the AES counter-mode ciphers (RC4 and the CBC modes are left out):<\/p>\n<p>Ciphers aes256-ctr,aes128-ctr<\/p>\n<p><strong>Verify these entries:<\/strong><\/p>\n<ul>\n<li>Protocol 2<\/li>\n<li>UsePrivilegeSeparation yes<\/li>\n<li>StrictModes yes<\/li>\n<li>RSAAuthentication yes<\/li>\n<li>PubkeyAuthentication yes<\/li>\n<\/ul>\n<p><em>Save and exit<\/em><\/p>\n<p><strong>Restart to activate the settings.<\/strong><\/p>\n<p># ~\/.ssh$ sudo service ssh restart<br \/>\nor<br \/>\n# systemctl restart sshd<\/p>\n<p><strong>Verify that sshd is running<\/strong><\/p>\n<p># systemctl status sshd<\/p>\n<p>Enable visual identification of the server\u2019s 
fingerprint (Visual Host Key)<br \/>\nIt\u2019s not easy to verify and remember the fingerprint of a host since it\u2019s a long hexadecimal string that may look like this one: \u201c31:b0:be:0b:5b:7c:f1:79:65:e4:72:42:18:08:c4:8d\u201d. Someone may have altered the DNS record so that you are in fact trying to authenticate to a rogue server, and remembering that string is near impossible. It\u2019s easier to remember a visual fingerprint, but it\u2019s still not bulletproof. It is best to verify the exact string every time, and most SSH clients do that for you: OpenSSH, for example, stores known fingerprints in ~\/.ssh\/known_hosts and gives you a warning if one has changed.<\/p>\n<p><strong>Do the following to enable visual host key<\/strong><\/p>\n<p>Edit either \/etc\/ssh\/ssh_config, which affects all users on the system, or ~\/.ssh\/config to enable it for a single user.<\/p>\n<p>Add the following lines (\u201cHost *\u201d is already at the top of ssh_config)<\/p>\n<p>Host *<br \/>\nVisualHostKey yes<\/p>\n<p><strong>Test and verify<\/strong><br \/>\nIt\u2019s now time to test and verify. You should not be able to log in without your private key, since password authentication is now disabled. You should also see the visual fingerprint when you try to log in.<\/p>\n<p>Your SSH should be safer now, but remember that SSH was probably already the most secure piece of software on the system with its default settings; MySQL, Apache or any other service also has to be secured.<\/p>\n<p><em><strong>Enjoy!<\/strong><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are some steps to do after SSH is installed on a system and there is an old saying that says \u201cA chain is only as strong as its weakest link\u201d and if you are using a weak password for your root account (or any other account) then you are extremely vulnerable. 
It does not &hellip; <a href=\"https:\/\/easy-admin.ca\/index.php\/2016\/06\/18\/configure-ssh-for-high-security-rsa-4096-bits\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Configure SSH for high security RSA-4096 Bits<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-537","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/537","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/comments?post=537"}],"version-history":[{"count":0,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/537\/revisions"}],"wp:attachment":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media?parent=537"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/categories?post=537"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/tags?post=537"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}