Information about SSH and secure server - sparc-software-hust/fmecg-web-server GitHub Wiki

Understanding SSH Method

SSH (Secure Shell) is a protocol used for remote login and server administration. It uses cryptographic techniques to keep the communication secure and encrypted. It relies on three different techniques:

1. Symmetric Encryption:

The key is not transmitted between the client and the host. Instead, both computers share common information and use it to generate a secret key. Even if another machine intercepts the common information, it cannot derive the secret key since it doesn't know the algorithm used to create the key. Common symmetric ciphers include AES, DES, and Blowfish.

2. Asymmetric Encryption:

This method uses two different keys for encryption and decryption: the public key and the private key. The private key must always be kept secure, for example, through a secure connection with no third-party access. The strength of the connection depends on whether the private key is exposed or not, as it is the only key that can decrypt messages encrypted by the public key. An authorized key in SSH is a public key used to grant login access to users. The authentication mechanism is called public key authentication.

3. Hashing:

Unlike the two encryption methods above, hashing is a one-way process and is not meant for decryption. Hashes create a unique, fixed-length value for each input, and there is no reverse process to retrieve the original data. SSH uses hashes to verify the authenticity of messages. This is done by HMACs (Hash-based Message Authentication Codes), which ensure that the commands are not tampered with in any way.

How SSH Works:

  • SSH operates on TCP port 22 by default (which can be changed if needed). The host (server) listens on port 22 (or another assigned port) for incoming connections. A secure connection is established after successful authentication between the client and the server's shell environment.
  • The client initiates the SSH connection by creating a TCP handshake with the server, ensuring that a symmetric connection can be established. It verifies the server’s information against stored data (usually in an RSA key store file) and authenticates the user's credentials to ensure the connection is valid.
  • There are two stages to establishing a connection:
    1. Both sides agree on an encryption standard to protect future communication.
    2. The user must be authenticated. If the login information matches, the user is granted access.

SSH Command:

The SSH command consists of three parts:

ssh {user}@{host}

  • ssh: Indicates that you want to open a secure shell connection.
  • {user}: The username of the account you want to use to log in.
  • {host}: The computer you want to access, which can be an IP address or a domain name.

Using SSH Keygen

Step 1: Generate SSH Key Pair

Open your terminal and run the following command to generate an SSH key pair:

ssh-keygen -t rsa -b 4096

Step 2: Copy Public Key to Server

Use the following command to copy the public key to the server:

ssh-copy-id username@server_ip

Replace username with the user on the server and server_ip with the server's IP address.

Step 3: SSH into Server Without a Password

After configuring the keys, you can SSH into the server without needing a password:

ssh username@server_ip

Notes:

The public key (id_rsa.pub) is stored on the server in the file ~/.ssh/authorized_keys. The private key (id_rsa) is stored on your computer and must be kept secure.

Enhancing SSH Security

  1. Use a Complex Password
  2. Disable Empty Passwords
     This setting prevents users without passwords from logging in via SSH. Edit the configuration file:

     vi /etc/ssh/sshd_config

     Add the following line:

     PermitEmptyPasswords no
  3. Configure Idle Timeout Interval
     This setting automatically logs out users after a period of inactivity. Edit the configuration file:

     vi /etc/ssh/sshd_config

     Add the following lines:

     ClientAliveInterval 360
     ClientAliveCountMax 0
  4. Change the SSH Port
  5. Use an SSH Proxy
  6. Enable Two-Factor Authentication (Google Authenticator)
  7. Use Public/Private Keys
  8. Restrict SSH Access to Specific Users
     Edit the configuration file:

     vi /etc/ssh/sshd_config

     Add the following line:

     AllowUsers user1 user2
  9. Disable Root Login for SSH
  10. Use Only SSH Protocol 2
     SSH supports connections over both Protocol 1 and 2. However, Protocol 1 is outdated and less secure. Edit the configuration file:

     vi /etc/ssh/sshd_config

     Modify the line:

     #Protocol 2, 1 => Protocol 2
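
The checker below is an added example, not part of the original wiki or the project's code. It reads the text of an sshd_config and reports on the directives covered above, applying sshd's rule that the first value read for a keyword is the one used; PermitRootLogin is assumed as the directive behind "Disable Root Login", and the sample configuration is constructed.

```python
import re

SAMPLE = """\
# Constructed sample, not a real server's configuration
PermitRootLogin yes
PermitEmptyPasswords no
ClientAliveInterval 360
ClientAliveCountMax 0
PermitRootLogin no
Match User deploy
    AllowUsers deploy
"""

def effective_global(text):
    """Map lower-cased keyword -> first value seen in the global section."""
    # sshd keeps the first value it reads for a keyword, so a line added at
    # the end of the file loses to an earlier line with the same keyword.
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional overrides start here; global part ends
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(text):
    """Return a list of findings for the directives covered on this page."""
    eff, findings = effective_global(text), []
    for key in ("permitemptypasswords", "permitrootlogin"):
        value = eff.get(key)
        if value is None:
            findings.append(f"{key}: not set, built-in default applies")
        elif value.lower() != "no":
            findings.append(f"{key}: effective value is '{value}', expected 'no'")
    if eff.get("clientaliveinterval", "0") == "0":
        findings.append("clientaliveinterval: no client-alive probes are sent")
    if eff.get("clientalivecountmax") == "0":
        # OpenSSH 8.2 and later treat 0 as "never terminate the connection"
        findings.append("clientalivecountmax: 0 never disconnects on OpenSSH 8.2+")
    if "allowusers" not in eff:
        findings.append("allowusers: not set globally, no user restriction")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the sample, the later "PermitRootLogin no" line has no effect because the earlier "yes" is read first. On a live server, the output of `sshd -T` shows the values sshd actually applies.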