The importance of online privacy in today’s world cannot be overstated. Day in and day out we read about how our online presence faces a constant threat of prying eyes and incessant snooping, or how a multi-billion dollar company has had its servers hacked and the data it worked so hard to protect strewn all over the digital space, for everyone to see (and ‘share’).
It’s crucial that the data that is rightfully yours stays secure and stays private. While there are several ways of accomplishing this, the first step is almost always putting safeguards in place for authenticating access to your web server.
Let’s begin with the basics.
When we set up a server, the basic authentication we put in place to secure the connection is a password: when we connect to the server via SSH, all we have to do is enter that password and, bingo, we are connected.
Though the process is simple, it is NOT SECURE. Authentication of this form is weak and is extremely vulnerable to brute-force attacks.
And if the data that you plan on securing is highly sensitive, using a basic password in combination with a common username is as good as digging your own grave.
So how exactly can we secure our server?
One highly effective way is to use public key authentication (SSH keys) on the server.
The private key and the public key are generated as a matching pair. Data that is encrypted with the public key can only be decrypted using the corresponding private key. Think of the public key as a lock: this lock is placed on the server, and the private key is the only thing that can open it.
Creating the private key and public key
Let’s assume that the IP address of the server that we want to connect to is 10.10.10.10. In the commands below, replace ‘username’ with your actual username that you use on the server.
Connect to the server. Open your terminal and fire the command:
It should prompt you for the server password. Once you are logged in, follow the commands below:
cd ~/
ssh-keygen -t rsa -b 2048 -v -f username
It will ask you for a passphrase. Think of a strong one and note it down after you enter it. The passphrase should be at least 8 characters long.
Once the above command has run successfully, run the commands below.
This opens the contents of the private key. Create a new file on your computer, say newfile.pem, and copy the contents of the private key into it. Once that’s done, close the file on the server by pressing q.
Up next is removing the private key file from the server, the command for which is:
Next, register the public key we generated under the account. Enter the following commands:
mkdir -p .ssh
chmod 700 .ssh
cat username.pub >> .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
chown username .ssh
chown username .ssh/authorized_keys
rm username.pub
exit
This configures the server to accept logins made with our private key.
Assuming you have the private key saved on your Desktop with the name newfile.pem, as illustrated above, this is how you connect to the server as that user:
chmod 400 ~/Desktop/newfile.pem
ssh username@10.10.10.10 -i ~/Desktop/newfile.pem
The system will then ask you for the passphrase while connecting.
Once you enter the correct passphrase, you should be logged into the system, indicating that both the private and the public key are set up correctly.
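The authorized_keys steps above work once, but a plain mkdir fails if .ssh already exists, and appending the same key twice leaves duplicate lines. The following is an added example, not code from the original post: a small POSIX sh helper that installs a public key into a user's authorized_keys idempotently and with the permissions sshd expects (StrictModes rejects keys when .ssh or authorized_keys is writable by others). The home directory and key file are parameters; the key used when testing it is a constructed string, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into
# HOME_DIR/.ssh/authorized_keys safely. HOME_DIR and PUBKEY_FILE are
# assumed paths supplied by the caller.

# install_pubkey HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh (mode 700) and authorized_keys (mode 600) if needed,
# then appends every key line from PUBKEY_FILE that is not already present.
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # -p: succeed when .ssh already exists (a bare mkdir would fail here)
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append only lines not already in the file (-x whole line, -F fixed string)
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ""|'#'*) continue ;;        # skip blank lines and comments
        esac
        if ! grep -qxF -- "$line" "$auth_keys"; then
            printf '%s\n' "$line" >> "$auth_keys"
        fi
    done < "$pubkey_file"
}

# count_keys HOME_DIR -> prints the number of key lines in authorized_keys
count_keys() {
    grep -c -v -e '^#' -e '^$' "$1/.ssh/authorized_keys"
}

# check_perms HOME_DIR -> exit 0 if .ssh is drwx------ and
# authorized_keys is -rw-------, the modes the post sets; else exit 1
check_perms() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}
```

Usage on the server, logged in as the target user, would be `install_pubkey "$HOME" username.pub` followed by `check_perms "$HOME"`; running it a second time with the same key leaves authorized_keys unchanged, which the one-liner in the post does not guarantee.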
Note: Proceed with the rest of this text only if you are logged into the server.
Lastly, we have to stop the server from accepting conventional passwords. To accomplish that, you need to connect to the server via SSH as root or as a user with sudo privileges.
Once you are logged in, open the /etc/ssh/sshd_config file and search for PasswordAuthentication. Set the value of this directive to ‘no’, so that the line looks like PasswordAuthentication no
If that line is commented out, uncomment it, and then restart the SSH service with the following command:
sudo service ssh restart
That’s it. Your server will no longer let users access SSH with a simple password, and will only accept the key pair to authenticate access.
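Editing sshd_config by hand has two traps: the stock file usually ships with the directive commented out as the default (#PasswordAuthentication yes), and sshd honours the first occurrence of a directive, so a second copy further down is silently ignored. The helper below is an added example, not from the original post: it forces PasswordAuthentication to no whether the directive is active, commented out or absent, and reads back the value the file would yield. The config path is a parameter, and the sample configs used in testing are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). CONFIG_FILE is an assumed
# path; on a real server it would be /etc/ssh/sshd_config.

# effective_password_auth CONFIG_FILE
# Prints the value of the FIRST uncommented PasswordAuthentication line
# (first match wins in sshd_config), or "yes", the compiled-in default,
# when the file has none. Keywords and values are case-insensitive.
effective_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# disable_password_auth CONFIG_FILE
# Rewrites every active PasswordAuthentication line to "no". If there is
# none, replaces the first commented-out default in place; if there is not
# even that, appends the directive. The file is rewritten atomically via mv.
disable_password_auth() {
    cfg=$1
    tmp="$cfg.tmp.$$"
    awk '
        # active directive (including inside a Match block): force it to no
        tolower($1) == "passwordauthentication" {
            print "PasswordAuthentication no"; seen = 1; next }
        # first commented-out default: uncomment it in place, once
        !seen && !uncommented &&
        tolower($0) ~ /^[ \t]*#[ \t]*passwordauthentication([ \t]|$)/ {
            print "PasswordAuthentication no"; uncommented = 1; next }
        { print }
        END { if (!seen && !uncommented) print "PasswordAuthentication no" }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}
```

After `disable_password_auth /etc/ssh/sshd_config` and the service restart, confirm what the running daemon actually uses with `sudo sshd -T | grep -i passwordauthentication`: on distributions whose sshd_config starts with an Include of a drop-in directory, a drop-in file that sets PasswordAuthentication is read first and wins over anything in the main file, and the file-only check above cannot see that.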
But this is just the beginning. There could potentially be hundreds of variables that need to be taken care of to truly fortify your website from online predators.
And if your website happens to be on WordPress, a good place to start would be a list of Do’s and Don’ts for WordPress Web Security.
Stay safe and stay sharp!