
Securing SSH with RSA?

Discussion in 'Bits & Bytes' started by Susan Addams, Oct 18, 2017.

  1. Susan Addams

    Susan Addams Unregistered User

    Currently setting up a new Debian 8 server and figured securing SSH was the first step. Running Win7 here with WinSCP and PuTTy and having trouble understanding how to set public and private keys.

    It's my first assignment on my new IT job. Maybe it's a test. I gotta have the server up and running by Friday, serving multiple sites. At least I don't have to design their site.

    I can push the button and have my Debian server reset anytime I want (takes an hour or so) but why waste time configuring it until I secure SSH? I mean, I can set up LAMP and all that, and then mess up securing SSH, get locked out, and all my time would be wasted because I'd have to push the button and reset the server to get SSH access back, along with a virgin server.

    I don't want to ask my IT colleagues because it's too stupid a question to ask.

    All I want is links to articles with instructions relevant to my Win7 desktop and Debian 8 server. And the server is on the other side of the pond. :)

    I don't understand why they don't just give us Debian desktops if we're managing Debian servers. Maybe they have a corporate license from MSFT. Lucky me they aren't running IIS on their servers. :)
     
  2. Biker

    Biker Administrator Staff Member

  3. Susan Addams

    Susan Addams Unregistered User

    Thank you! I was pleasantly surprised by your prompt answer!

    One way to find out what kind of a forum one is in is to ask a few questions and look at the answers. Thank you for the high quality answer! I know I can always count that every forum has at least one tech guru or they wouldn't have a forum! :)
     
  4. Susan Addams

    Susan Addams Unregistered User

    Thank you Biker. You put me on the right path and I ended up securing my SSH with RSA after reading several tutorials. Now I sign in with a public key private key system, one that is not subject to dictionary attack. Just too many f'n numbers.

    I laughed at the idea that moving your SSH to a different port would accomplish anything. Security via obscurity is a laughable concept. I learned that during my IT training.

    I still have my job. I must be doing something right! :)

    I have my server zipped up tight via SSH keys, and use WinSCP over SSH for file transfer. Like an idiot would install FTP...

    I also secured all my sites and my email server too via certs provided by Let's Encrypt - Free SSL/TLS Certificates which made me laugh since some cert issuers are selling certs that are no more authoritative than the free certs from Let's Encrypt. I have a fave domain registrar reselling certs and they agreed with me in chat that the certs they were selling were no better than the free ones provided by Let's Encrypt.

    I'm doing my own share to drive the whole Internet to encrypted HTTPS and at least my email server requires encrypted login. I'm not sure yet if the text is encrypted (probably not) but at least my users can't have their passes sniffed.

    All my sites are available via HTTPS although I had problems forcing a 301 redirect from HTTP to HTTPS so I just left it optional. I have too many potential problem areas including CloudFlare (and possibly my choice of nginx over Apache) and decided not to worry about mandating HTTPS until later. Too many work related problems to spend time on my hobby and anyway I have no shopping sites, so nothing I serve would benefit by requiring HTTPS.

    It still appeals to me to get rid of HTTP and encrypt the whole Internet.

    By the way it was a major PITA to get Gmail to accept my server's emails but I finally got it sussed, but forgot now what the last step that made it work was. Anyway emails sent off my mail server now don't get auto-filed in Gmail's spam folders of recipients. If you can get Gmail to accept your server's email relays then you have it made.

    p.s. I found that Postfix + Dovecot works well as a very usable system.
     
  5. Biker

    Biker Administrator Staff Member

    Definitely move the port. If you pay attention to your logs, you'll find that many script kiddies will be banging on that particular door. Why give them that one, when moving SSH to another port is a matter of a few seconds?

    There are times when FTP is still preferable. There's nothing wrong with installing/activating for the job at hand, then removing it afterwards.

    While the freebies work for many, a business environment should probably use a more in-depth certificate due to the peace of mind it provides to customers accessing the site. As a minimum, I would expect a business to use an Organization Validated certificate.

    Htaccess Rewrites - Rewrite Tricks and Tips

    Redirecting to HTTPS is simple.

    Options +FollowSymLinks
    RewriteEngine On
    RewriteBase /
    # Redirect when the request arrived over plain HTTP, or when it arrived
    # at a non-canonical host name; the two conditions are OR'd together.
    RewriteCond %{HTTPS} off [OR]
    RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]
    RewriteRule ^(.*)$ https://www.askapache.com/$1 [R=301,L]

    That's it.

    Working with .htaccess will give you migraines. There's usually more than one way to do something, and you'll also find that out of the myriad ways of doing the same thing, only one of them will work on your server.
     
  6. Susan Addams

    Susan Addams Unregistered User

    You know your stuff Biker. :)

    This server isn't for work. It's my private server. I don't have any business stuff on it although I do serve my business email on my Postfix/Dovecot MX. That's locked down via Let's Encrypt certs. ... I work part time in IT and part time as an investor... Definitely got my MX locked down good! Even Gmail likes me! :)

    .htaccess doesn't work all that well on my server. I'm using nginx! LOL! :) We do use Apache at work but it's not my prob to manage that stuff. I work more on web apps at work. This is my private server, just a hobby, and other than the business email (I'm an investor and eBay seller) there is no business web activity. I've been using nginx and Debian for 4-5 years and like the way they work, and have same 4-5 years experience at managing nginx/Debian. I know Apache is more popular but I just like nginx. I've done some Apache at work and admit it can be easier at times.

    I'll consider changing my SSH port although I don't see the point since dictionary attacks won't work on my SSH. Let the script kiddies play with it, it will keep them from causing mischief on other servers that aren't locked down. Anyway wouldn't a simple port scan find my SSH at a different port? (Not into setting up the port knocking stuff.) Without the RSA certs they're out of luck. Oh another factor. My server is in EU and I'm not. If I lock myself out changing my SSH port I'll be in real trouble, have to pay my host hourly to let me back in. I got the SSH RSA working and am hesitant to mess with it. In case I didn't mention I'm in US. I can't exactly drop in to their server farm.

    I really like the way WinSCP piggy-backs on SSH, see no need for vsftp. I had a crappy FTP client anyway. WinSCP has a really nice interface, I'm quite used to it, and I can't think of a single thing I don't like about it. I love it! :)

    I'm going HTTPS on the websites just because I can and Let's Encrypt certs are free. Verisign costs way too much for a hobby server. More than my server rent in fact. And I may be wrong but I think that's per site.
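The lockout worry that runs through this thread (a remote Debian box, key-only SSH, no way to walk into the data centre) is the case for auditing sshd_config before restarting sshd with passwords off. The script below is an added example, not code from the thread; it assumes OpenSSH's sshd_config syntax and the usual authorized_keys format, and the file paths and sample files are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: a pre-flight audit to run BEFORE
# restarting sshd with password logins disabled, so a key-only setup cannot
# lock you out of a remote box. It assumes OpenSSH sshd_config syntax and a
# standard authorized_keys file; both paths are passed in and nothing is changed.

# Effective global value of an sshd_config keyword, lower-cased. OpenSSH honours
# the FIRST uncommented occurrence, and lines after a "Match" block only apply
# conditionally, so later duplicates and Match-scoped lines are ignored here.
sshd_value() {  # $1 = keyword, $2 = sshd_config path
    awk -v k="$1" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# Number of usable public keys in an authorized_keys file: lines carrying a key
# type, optionally preceded by options such as from="..." or no-pty.
count_keys() {  # $1 = authorized_keys path
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cE '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$1" || true
}

# Exit 0 when sshd is key-only AND at least one key is installed, 1 otherwise,
# printing every finding. Fallback values mirror sshd's compiled-in defaults.
sshd_keyonly_check() {  # $1 = sshd_config path, $2 = authorized_keys path
    pk=$(sshd_value PubkeyAuthentication "$1");            pk=${pk:-yes}
    pw=$(sshd_value PasswordAuthentication "$1");          pw=${pw:-yes}
    cr=$(sshd_value ChallengeResponseAuthentication "$1"); cr=${cr:-yes}
    n=$(count_keys "$2"); rc=0
    [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication is '$pk'"; rc=1; }
    [ "$n" -ge 1 ]  || { echo "FAIL: no usable key in $2 (lockout risk)"; rc=1; }
    [ "$pw" = no ]  || { echo "FAIL: PasswordAuthentication is '$pw'"; rc=1; }
    # With UsePAM yes, keyboard-interactive can still prompt for a password.
    [ "$cr" = no ]  || { echo "FAIL: ChallengeResponseAuthentication is '$cr'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key-only auth with $n authorized key(s)"
    return "$rc"
}

# Demo on constructed files: a stock config still allows passwords, so the first
# run fails; the hardened config passes, and its Match block is correctly ignored.
demo=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication yes' 'UsePAM yes' > "$demo/stock"
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
  'ChallengeResponseAuthentication no' 'Match User backup' \
  '  PasswordAuthentication yes' > "$demo/hardened"
printf '%s\n' 'no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...constructed... susan@win7' > "$demo/keys"
sshd_keyonly_check "$demo/stock" "$demo/keys"    || true
sshd_keyonly_check "$demo/hardened" "$demo/keys" || true
rm -rf "$demo"
```

Run it against the real /etc/ssh/sshd_config and your own ~/.ssh/authorized_keys while a working session is still open; only restart sshd once it prints OK.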
     
