Know How: Securing A Web Server with Public Key Encryption

    Sumit Pore

The importance of online privacy in today’s world cannot be overstated. Day in and day out we read about how our online presence faces a constant threat of prying eyes and incessant snooping, or how a multi-billion dollar company has had its servers hacked and the data it worked so hard to protect strewn all over the digital space, for everyone to see (and ‘share’).

It’s crucial that the data that is rightfully yours stays secure and stays private. While there are several ways of accomplishing this, the first step is almost always putting safeguards in place for authenticating access to your web server.

Let’s begin with the basics.

When we set up a server, the basic authentication that secures the connection is a password: when we connect to the server via SSH, all we have to do is enter the configured password and bingo, we are connected.

Though the process is simple, it is NOT SECURE. Authentication of this form is weak and extremely vulnerable to brute-force attacks.

And if the data that you plan on securing is highly sensitive, using a basic password in combination with a common username is as good as digging your own grave.

So how exactly can we secure our server?

One highly effective way is to use public key authentication on the server, replacing the password with a key pair.

The private key and the public key are generated as a matched encryption-decryption pair: data encrypted with the public key can only be decrypted with the corresponding private key. Think of the public key as a lock. The lock is placed on the server, and the private key is the only thing that opens it.

Creating the Private Key and Public Key

Let’s assume that the IP address of the server we want to connect to is 10.10.10.10. In the commands below, replace ‘username’ with the actual username you use on the server.

Connect to the server. Open your terminal and fire the command:

ssh username@10.10.10.10

It should prompt you for the server password. Once you are logged in, run the commands below:

cd ~/
ssh-keygen -t rsa -b 2048 -v -f username

It will ask you for a passphrase. Choose a strong one and note it down after you enter it; the passphrase should be at least 8 characters long.

Once the above command has executed successfully, run:

less username

This displays the contents of the private key. Create a new file on your computer, say newfile.pem, and copy the contents of the private key into it. Once that’s done, close the file on the server by pressing q.

Next, remove the private key file from the server:

rm username

Now let’s save the public key we generated under the account. Enter the following commands:

mkdir -p .ssh
chmod 700 .ssh
cat username.pub >> .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
chown username .ssh
chown username .ssh/authorized_keys
rm username.pub
exit

The server will now accept logins that present the matching private key.

Assuming you have the private key saved on your Desktop as newfile.pem, as described above, this is how you connect to the server with your username:

chmod 400 ~/Desktop/newfile.pem
ssh -i ~/Desktop/newfile.pem username@10.10.10.10

The system will ask you for the passphrase while connecting.

Once you enter the correct passphrase, you should be logged in, which confirms that both the private and the public key are set up correctly.

Note: Proceed with the rest of this text only if you are logged into the server.

Lastly, we have to stop the server from accepting conventional passwords. To do that, connect to the server via SSH as root or as a user with sudo privileges.

Once you are logged in, open the /etc/ssh/sshd_config file and search for PasswordAuthentication. Set its value to ‘no’, so that the line reads PasswordAuthentication no

If that line is commented out, uncomment it, then restart the SSH service with the following command:

sudo service ssh restart

That’s it. Your server will no longer let users access SSH via simple passwords, and will only use the combination of encryption keys to authenticate access.
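Two things in the procedure above fail silently: a drop-in file or a Match block can override the PasswordAuthentication line you just edited, and wrong permissions on ~/.ssh make sshd ignore authorized_keys. The audit script below is an added example, not part of the original article; it assumes bash and GNU coreutils and takes file paths as parameters so it can be run against copies.

```bash
#!/usr/bin/env bash
# Added audit script (not from the original article). Assumes bash and GNU
# coreutils (stat -c); paths are parameters so it runs offline on copies.
# Print the value sshd uses for KEYWORD in CONFIG, reading it the way sshd
# does: comments are ignored, the FIRST active occurrence wins, lines after a
# Match line are conditional (not global), and Include globs are read where
# they appear. On Debian/Ubuntu an "Include /etc/ssh/sshd_config.d/*.conf"
# sits at the top, so a drop-in there beats a later "PasswordAuthentication no".
# Only the "Keyword value" form is parsed; Include paths must be absolute.
effective_sshd_setting() {
  local config="$1" keyword="$2" default="${3:-}" value
  keyword=$(printf '%s' "$keyword" | tr '[:upper:]' '[:lower:]')
  value=$(_first_setting "$config" "$keyword")
  printf '%s\n' "${value:-$default}"
}

_first_setting() {
  local config="$1" want="$2" key val in_match=0 inc found
  [ -r "$config" ] || return 0
  while read -r key val || [ -n "$key" ]; do
    key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    case "$key" in
      ''|'#'*) continue ;;                 # blank line or comment
      match) in_match=1; continue ;;       # everything below is conditional
    esac
    if [ "$in_match" = 1 ]; then continue; fi
    if [ "$key" = include ]; then
      for inc in $val; do                  # unquoted on purpose: expand globs
        found=$(_first_setting "$inc" "$want")
        if [ -n "$found" ]; then printf '%s\n' "$found"; return 0; fi
      done
    elif [ "$key" = "$want" ]; then
      printf '%s\n' "$val"; return 0
    fi
  done < "$config"
}

# Verify the permissions the article sets on the key material. sshd's
# StrictModes (on by default) silently ignores a group- or world-writable
# ~/.ssh or authorized_keys, so the user falls back to a password prompt, or
# is locked out once PasswordAuthentication is off. Returns 1 on any problem.
check_key_perms() {
  local dir="$1" rc=0 f mode
  for f in "$dir:700" "$dir/authorized_keys:600"; do
    mode=$(stat -c '%a' "${f%:*}" 2>/dev/null) || { echo "missing: ${f%:*}"; return 1; }
    [ "$mode" = "${f##*:}" ] || { echo "want ${f##*:} on ${f%:*}, found $mode"; rc=1; }
  done
  return "$rc"
}
```

On the server itself, sudo sshd -T | grep -i passwordauthentication prints the value sshd actually resolved and is the authoritative check; run it, and sudo sshd -t to validate the syntax, before restarting the service and while your current session is still open.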

But this is just the beginning. There are potentially hundreds of other settings that need attention to truly fortify your website against online predators.

And if your website happens to be on WordPress, a good place to start would be a list of Do’s and Don’ts for WordPress Web Security.

Stay safe and stay sharp!
