28-02-2022

Safe VPS with SSH key

So you have a brand new VPS, or an older one, and want to make it safer with SSH key based login? You are reading the right post.

Here is a referral link for Hetzner to claim your 20 EUR; this will be more than enough for testing. There is also a link for a Digital Ocean 100 USD coupon.

So now you can test VPS providers, create a server and come on! To log in to your VPS you will need an SSH client (or at least a terminal).

Please do a full update & upgrade

apt update && apt upgrade

Add a new user, because you don't want to use root. In this case I will add it as newUser

adduser newUser

Add the newly created user to the sudo group, so you can use the sudo command.

usermod -aG sudo newUser

Now log in as the new user:

ssh newUser@xxx.yyy.zzz.ddd

Login with SSH key

Now we will create the SSH key. It's important that you do this step on your LOCAL machine. You can generate an SSH key labelled with the comment "your@email.com" using the following command:

ssh-keygen -t rsa -b 4096 -C "your@email.com"

In the next few seconds the command prompt will ask whether the path and file name are OK for you (the key will be named id_rsa if you don't write anything). It will also ask you for password protection. I think it's very important to give the key a password. It's suggested to put your keys in your user's .ssh folder and give each one a distinct name, so later you know which key belongs to which server. Now you can copy the public key to your server:

ssh-copy-id -i /home/username/.ssh/generated_key.pub newUser@xxx.yyy.zzz.ddd

The system will ask for the user's password. If everything went successfully, the window will display the following text:

Number of key(s) added: 1 

Now you can log in with your key (using the key's password):

ssh -i /home/username/.ssh/generated_key newUser@xxx.yyy.zzz.ddd


Better protection for SSH

You will need to set up a few things in the SSH server config file.

sudo nano /etc/ssh/sshd_config

We will do the following:

  • disable root login
  • change default ssh port 22
  • turn off password login

Important side note:

  • Only do this if you can log in with your SSH key!
  • If you have any firewall rules, you have to open the desired port number!

Find the following lines, uncomment them (in case they are commented out with #) and change them:

  • Port 22: change it to something else. It is practical to choose a port number between 1000 and 65535.
  • PermitRootLogin yes -> no
  • PasswordAuthentication yes -> no
  • PermitEmptyPasswords yes -> no

Once you have made the changes, save with Ctrl+O (or Cmd+O) and exit with Ctrl+X (or Cmd+X), then restart the SSH service:

sudo service ssh restart
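A way to confirm the four settings before running the restart above, as an added example that is not part of the original post. The function names, the sample configs and port 2222 are made up for illustration, and the fallback values are assumed to be the OpenSSH defaults.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# values CONFIG_TEXT KEYWORD -> every active value in the global section,
# lowercased, one per line (Port may legitimately be given several times).
values() {
    printf '%s\n' "$1" | awk -F'[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }               # drop leading whitespace
        /^#/ || /^$/ { next }                # skip comments and blank lines
        tolower($1) == "match" { exit }      # only audit the global section
        tolower($1) == tolower(key) { print tolower($2) }
    '
}

# effective_value CONFIG_TEXT KEYWORD DEFAULT: sshd keeps the FIRST value read.
effective_value() {
    first=$(values "$1" "$2" | sed -n 1p)
    echo "${first:-$3}"
}

# audit_sshd_config CONFIG_TEXT -> prints findings, returns how many there were.
audit_sshd_config() {
    n=0; ports=$(values "$1" Port)
    case " $(echo ${ports:-22}) " in         # no active Port line means 22
        *" 22 "*) echo "FAIL: sshd still listens on port 22"; n=$((n + 1));;
    esac
    # keyword:default pairs; defaults are assumed to be the OpenSSH built-ins
    for kw in PermitRootLogin:prohibit-password PasswordAuthentication:yes \
              PermitEmptyPasswords:no; do
        v=$(effective_value "$1" "${kw%%:*}" "${kw#*:}")
        [ "$v" = no ] ||
            { echo "FAIL: ${kw%%:*} is '$v', expected 'no'"; n=$((n + 1)); }
    done
    return "$n"
}

# Constructed samples (2222 is an arbitrary placeholder port).
HARDENED='Port 2222
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no'
# Two settings still commented out, and a late "no" that never takes effect.
WEAK='#Port 2222
#PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no'

audit_sshd_config "$HARDENED" && echo "hardened sample: OK"
audit_sshd_config "$WEAK" || echo "weak sample: $? finding(s)"
```

On the server, `audit_sshd_config "$(sudo sshd -T)"` checks the effective configuration, and `sudo sshd -t` validates the file's syntax. Keep your current session open until a new key-based login on the new port succeeds.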

After the restart (and logging out), log in again on the new port:

ssh -i /home/username/.ssh/generated_key newUser@xxx.yyy.zzz.ddd -p desiredPortNumber

To save yourself time in the future, add this setup to your SSH client config file. Edit the ~/.ssh/config file and add the following block, but keep in mind to change the values to the ones you used during the setup.

Host fantasy.name.for.server.com
    Hostname xxx.yyy.zzz.ddd
    User newUser
    Port desiredPortNumber
    IdentityFile ~/.ssh/generated_key

With this addition, you can simply call the following command:

ssh fantasy.name.for.server.com

It will automatically fill in the port number, SSH key, user and IP address.

Hope everything went well! Have a nice day!

© 2024 PappZ. All rights reserved.