diff --git a/content/blog/securing-ssh.md b/content/blog/securing-ssh.md index df21f8c..47d367c 100644 --- a/content/blog/securing-ssh.md +++ b/content/blog/securing-ssh.md @@ -1,5 +1,5 @@ +++ -title = 'Securing Ssh' +title = 'Securing SSH' date = 2024-04-04T20:44:10+02:00 draft = false +++ @@ -17,11 +17,11 @@ One of the main practice to secure ssh is by using public/private ssh key pair a First you need to generate a key pair by running the commmand `ssh-keygen`. -After generating the key and the command `ssh-copy-id ~/.ssh/key_name user@host` to copy the key to the server. +After generating the key run the command `ssh-copy-id ~/.ssh/key_name user@host` to copy the key to the server. -Connection to the server now it will ask you for the ssh key password if you set one, if you didn't then it will just directly connect it. +Connecting to the server now it will ask you for the ssh key password if you set one, if you didn't then it will just directly connect it. -While you are connected to the server now, I would recommend you to change next settings to the values I recommend to make sure you can only connect to the server with ssh key pairs already on the server. Make sure to uncommmend the values in your config, and change like I did in my examples. +While you are connected to the server now, I would change next settings to the values I recommend to make sure you can only connect to the server with ssh key pairs already on the server. Make sure to uncomment the values in your config, and change like I did in my examples. > /etc/ssh/sshd_config ```conf @@ -57,7 +57,7 @@ Next best way to secure ssh is to only allow connection from specific ip, prefer Main way I do it is using wireguard. I set it up using the landchad [guide](https://landchad.net/wireguard). -Then in your sshd config you can make it so that ssh will only accept connection to the user with only the current using syntax. +Then in your sshd config you can make it so that ssh will only accept connection to the user with only the specific up using this syntax. ```conf AllowUsers new-user@172.16.0.2 diff --git a/public/blog/index.html b/public/blog/index.html index e7e8eb9..69b9c6d 100644 --- a/public/blog/index.html +++ b/public/blog/index.html @@ -45,7 +45,7 @@
- 04-04-2024 || Securing Ssh
+ 04-04-2024 || Securing SSH
19-01-2024 || Setup Traefik
diff --git a/public/blog/index.xml b/public/blog/index.xml index 8a1fd5e..825d82d 100644 --- a/public/blog/index.xml +++ b/public/blog/index.xml @@ -12,7 +12,7 @@ -Securing Ssh +Securing SSH https://cronyakatsuki.xyz/blog/securing-ssh/ 04-04-2024 @@ -23,9 +23,9 @@ <h2 id="use-key-pairs">Use key pairs</h2> <p>One of the main practice to secure ssh is by using public/private ssh key pair and making ssh only allow connection with them, disabling password login.</p> <p>First you need to generate a key pair by running the commmand <code>ssh-keygen</code>.</p> -<p>After generating the key and the command <code>ssh-copy-id ~/.ssh/key_name user@host</code> to copy the key to the server.</p> -<p>Connection to the server now it will ask you for the ssh key password if you set one, if you didn&rsquo;t then it will just directly connect it.</p> -<p>While you are connected to the server now, I would recommend you to change next settings to the values I recommend to make sure you can only connect to the server with ssh key pairs already on the server. Make sure to uncommmend the values in your config, and change like I did in my examples.</p> +<p>After generating the key run the command <code>ssh-copy-id ~/.ssh/key_name user@host</code> to copy the key to the server.</p> +<p>Connecting to the server now it will ask you for the ssh key password if you set one, if you didn&rsquo;t then it will just directly connect it.</p> +<p>While you are connected to the server now, I would change next settings to the values I recommend to make sure you can only connect to the server with ssh key pairs already on the server. Make sure to uncomment the values in your config, and change like I did in my examples.</p> <blockquote> <p>/etc/ssh/sshd_config</p> </blockquote> @@ -48,7 +48,7 @@ AllowUsers new-user <h2 id="only-allow-connection-from-specific-ip">Only allow connection from specific ip</h2> <p>Next best way to secure ssh is to only allow connection from specific ip, preferably vpn.</p> <p>Main way I do it is using wireguard. I set it up using the landchad <a href="https://landchad.net/wireguard">guide</a>.</p> -<p>Then in your sshd config you can make it so that ssh will only accept connection to the user with only the current using syntax.</p> +<p>Then in your sshd config you can make it so that ssh will only accept connection to the user with only the specific up using this syntax.</p> <pre tabindex="0"><code class="language-conf" data-lang="conf">AllowUsers new-user@172.16.0.2 </code></pre><p>You can use the ip for the connection you use to setup the peer in the wireguard setup guide, which in landchad&rsquo;s guide is <code>172.16.0.2</code>. Or from another server by using the ip of the server you connect with wireguard to.</p> <p>Make sure to restart sshd and test out in another terminal window whether you can only connect with the wireguard connection to the server ( Don&rsquo;t close or exit the current ssh connection before making sure it all work&rsquo;s ).</p> diff --git a/public/blog/securing-ssh/index.html b/public/blog/securing-ssh/index.html index 6679f8c..2dd090a 100644 --- a/public/blog/securing-ssh/index.html +++ b/public/blog/securing-ssh/index.html @@ -9,10 +9,10 @@ - Securing Ssh - Crony Akatsuki + Securing SSH - Crony Akatsuki - + @@ -40,7 +40,7 @@ Here I will name a couple of settings and best practices to make sure your ssh i
-

Securing Ssh

+

Securing SSH

@@ -57,9 +57,9 @@ Here I will name a couple of settings and best practices to make sure your ssh i

Use key pairs

One of the main practice to secure ssh is by using public/private ssh key pair and making ssh only allow connection with them, disabling password login.

First you need to generate a key pair by running the commmand ssh-keygen.

-

After generating the key and the command ssh-copy-id ~/.ssh/key_name user@host to copy the key to the server.

-

Connection to the server now it will ask you for the ssh key password if you set one, if you didn’t then it will just directly connect it.

-

While you are connected to the server now, I would recommend you to change next settings to the values I recommend to make sure you can only connect to the server with ssh key pairs already on the server. Make sure to uncommmend the values in your config, and change like I did in my examples.

+

After generating the key run the command ssh-copy-id ~/.ssh/key_name user@host to copy the key to the server.

+

Connecting to the server now it will ask you for the ssh key password if you set one, if you didn’t then it will just directly connect it.

+

While you are connected to the server now, I would change next settings to the values I recommend to make sure you can only connect to the server with ssh key pairs already on the server. Make sure to uncomment the values in your config, and change like I did in my examples.

/etc/ssh/sshd_config

@@ -82,7 +82,7 @@ AllowUsers new-user

Only allow connection from specific ip

Next best way to secure ssh is to only allow connection from specific ip, preferably vpn.

Main way I do it is using wireguard. I set it up using the landchad guide.

-

Then in your sshd config you can make it so that ssh will only accept connection to the user with only the current using syntax.

+

Then in your sshd config you can make it so that ssh will only accept connection to the user with only the specific up using this syntax.

AllowUsers new-user@172.16.0.2
 

You can use the ip for the connection you use to setup the peer in the wireguard setup guide, which in landchad’s guide is 172.16.0.2. Or from another server by using the ip of the server you connect with wireguard to.

Make sure to restart sshd and test out in another terminal window whether you can only connect with the wireguard connection to the server ( Don’t close or exit the current ssh connection before making sure it all work’s ).