<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Murilo Negrao</title>
    <description>The latest articles on DEV Community by Murilo Negrao (@murilo_negrao_59aada6e774).</description>
    <link>https://dev.to/murilo_negrao_59aada6e774</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1648482%2Fdccedd6a-f93d-4bcb-953d-aa93cb033279.jpg</url>
      <title>DEV Community: Murilo Negrao</title>
      <link>https://dev.to/murilo_negrao_59aada6e774</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/murilo_negrao_59aada6e774"/>
    <language>en</language>
    <item>
      <title>Do you access a server with username and password? It's a combination padlock facing the street</title>
      <dc:creator>Murilo Negrao</dc:creator>
      <pubDate>Fri, 17 Jul 2026 12:50:07 +0000</pubDate>
      <link>https://dev.to/murilo_negrao_59aada6e774/do-you-access-a-server-with-username-and-password-its-a-combination-padlock-facing-the-street-cn3</link>
      <guid>https://dev.to/murilo_negrao_59aada6e774/do-you-access-a-server-with-username-and-password-its-a-combination-padlock-facing-the-street-cn3</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;✍️ This post was written with two hands.&lt;/strong&gt; The story — the first part — is Murilo's, lived and told by the person who was there. The &lt;strong&gt;technical manual&lt;/strong&gt;, at the end, was written with AI. The split is intentional and marked in the text. Nothing hidden about the seam: part is human, part is machine, and the reader sees both.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;If you've ever managed or logged into a web server and never set up SSH keys, it's because you don't yet know the real risks of a break-in — and that's okay. Until you find out what can happen.&lt;/p&gt;

&lt;p&gt;Logging into a server over SSH with a username and password is like locking the front door of a house that faces the street, with nobody keeping watch. Anyone can try as many combinations as they want, freely.&lt;/p&gt;

&lt;p&gt;And setting this up takes almost as much time as typing a username and password — and it makes getting into the server much faster and easier afterwards.&lt;/p&gt;

&lt;p&gt;Ignorant of best practices, I managed my servers for a long time by typing:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight ssh"&gt;&lt;code&gt;&lt;span class="k"&gt;ssh&lt;/span&gt; user@server-ip
&lt;span class="k"&gt;password&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That nearly cost me dearly, the day I found out my server had been broken into.&lt;/p&gt;

&lt;p&gt;After that incident, I realized just how vulnerable a username and password are on SSH.&lt;/p&gt;

&lt;p&gt;Today I can't say I sleep soundly — no system is completely break-in proof — but I sleep a lot better (and honestly, I always slept well, until I started managing servers).&lt;/p&gt;

&lt;p&gt;Waking up on a fine Sunday morning to do some maintenance on the server, and finding out it was broken into through the front door because you left a combination padlock facing the street — that is not the kind of surprise I'd wish on anyone.&lt;/p&gt;

&lt;p&gt;I have a degree in Law. I worked for 15 years in the legal field at a public institution, until I decided to venture into the world of programming.&lt;/p&gt;

&lt;p&gt;And where did I end up? Managing systems at the institution I work for, after spending some time building automations in Python.&lt;/p&gt;

&lt;p&gt;Managing systems wasn't exactly what I had in mind when I wanted to learn to code and understand the world of programming.&lt;/p&gt;

&lt;p&gt;But that opportunity ended up teaching me far more about systems in general, about how the internet works — much more than I imagined back when the urge to work in development first hit me.&lt;/p&gt;

&lt;p&gt;Today I can't picture myself doing anything other than this: automating deploys and backups, improving application performance on the server side, monitoring, alerting.&lt;/p&gt;

&lt;p&gt;When it comes to SSH, there are bots scanning the internet all day long, trying usernames and passwords on the default port of servers all over the world. A weak, obvious, or reused password falls fast — it's just a matter of the right bot knocking on your door.&lt;/p&gt;

&lt;p&gt;A truly strong password holds up much longer: since every attempt has to travel back and forth across the network, brute-forcing it takes far too long to be worth it. But it's still a secret — and any secret can leak, be reused on a service that got compromised, or end up in the wrong place. That kind of slip doesn't usually happen to a good systems administrator. Which, at the time, I was not.&lt;/p&gt;

&lt;p&gt;So one way to minimize the risk is to disable password login and allow access only through SSH keys.&lt;/p&gt;

&lt;p&gt;Even if you use a tool to fend off repeated attempts, like fail2ban, it's still less effective and less secure than SSH keys, because an attacker can switch IPs or use other tricks to get around it.&lt;/p&gt;

&lt;p&gt;With an SSH key pair, the attacker only gets in if they get hold of the key. And for that, your slip-up has to be a bigger one — leaving it exposed somehow, or sharing it with the wrong people.&lt;/p&gt;

&lt;p&gt;When you set up the key pair, you put the padlock on the door and keep the key on your computer — so access happens only with the private key. And you can put that padlock on as many servers as you want.&lt;/p&gt;

&lt;p&gt;In other words: you create a pair of keys, one private and one public.&lt;/p&gt;

&lt;p&gt;The private one is the key; the public one is the padlock.&lt;/p&gt;

&lt;p&gt;So you hold on to the key and place as many padlocks as you like on the servers you manage.&lt;/p&gt;

&lt;p&gt;First benefit: security.&lt;/p&gt;

&lt;p&gt;On top of that, you can set up an alias. Instead of typing &lt;code&gt;ssh name@server-ip&lt;/code&gt; and then the password every single time you want to reach the server, you just type &lt;code&gt;ssh alias&lt;/code&gt;. It will ask for the passphrase you configured — only on the first access.&lt;/p&gt;

&lt;p&gt;For the next ones that use that key — even on other servers — it's just &lt;code&gt;ssh alias&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;With that, you get both more security and more speed when accessing your servers.&lt;/p&gt;

&lt;p&gt;A padlock with a key is harder for an intruder to open than a combination padlock — wouldn't you agree?&lt;/p&gt;

&lt;p&gt;Luckily, when my server was broken into, it was a test machine I had just wiped to install a few applications for testing — I hadn't configured anything yet, nor deployed a single app. Damage contained, but the scare was real.&lt;/p&gt;

&lt;p&gt;Want to know how to set up SSH keys in practice? Below is a tutorial put together with the help of AI, and at the end a checklist and a command map — for both your PC and the server — to configure SSH keys, with a full, step-by-step explanation.&lt;/p&gt;

&lt;p&gt;If you have any questions, I'm happy to chat. I love talking about technology, infrastructure, DevOps, SRE, and related topics.&lt;/p&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;🤖 From here on: technical manual, written with AI.&lt;/strong&gt; I told my story. Now comes the practical step-by-step — the part AI writes well. If you manage any server (a $5 VPS, an EC2 instance, the company machine), you can do this today, in about 20 minutes.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  The step-by-step — swapping password for key on your server
&lt;/h2&gt;

&lt;p&gt;This is the hands-on part. I won't just list commands — I'll explain the &lt;em&gt;why&lt;/em&gt; behind each one, because understanding the reason is what lets you touch a production server without breaking into a cold sweat.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. How the key works under the hood
&lt;/h3&gt;

&lt;p&gt;You already saw the idea in the story above: the public key is the padlock, the private key is the key. It's just worth understanding what happens at the moment of login.&lt;/p&gt;

&lt;p&gt;When you connect, the server sends a challenge that &lt;strong&gt;only the holder of the private key can solve&lt;/strong&gt;. Your machine solves that challenge locally and sends back only the answer — the private key itself never travels across the network, not even during login.&lt;/p&gt;

&lt;p&gt;That's where the difference from a password lives. A password is a secret that leaves your machine every time and &lt;em&gt;can be guessed&lt;/em&gt;. The private key never leaves, and can't be guessed: an Ed25519 pair is such an astronomically large number that brute-forcing it stops being an option. You're not using a stronger password — you're switching to a mechanism where guessing simply doesn't exist.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Generate your key pair
&lt;/h3&gt;

&lt;p&gt;On &lt;strong&gt;your computer&lt;/strong&gt; (not on the server):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh-keygen &lt;span class="nt"&gt;-t&lt;/span&gt; ed25519 &lt;span class="nt"&gt;-C&lt;/span&gt; &lt;span class="s2"&gt;"your-user@laptop-2026"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;-t ed25519&lt;/code&gt; — the algorithm. Ed25519 is modern, fast, and secure. Forget the old RSA.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;-C&lt;/code&gt; — a comment that stays attached to the public key. Use something that identifies the &lt;em&gt;machine&lt;/em&gt; (e.g., &lt;code&gt;your-user@laptop-2026&lt;/code&gt;). Later on, this tells you which key is which.&lt;/li&gt;
&lt;li&gt;Accept the default path (&lt;code&gt;~/.ssh/id_ed25519&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Set a strong passphrase.&lt;/strong&gt; It's the password &lt;em&gt;for the key&lt;/em&gt;. It's your second layer: if someone steals the private key file, they still need the passphrase to use it. Don't skip this.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This creates two files:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;File&lt;/th&gt;
&lt;th&gt;What it is&lt;/th&gt;
&lt;th&gt;Safe to share?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;~/.ssh/id_ed25519&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Private key&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Never.&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;~/.ssh/id_ed25519.pub&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Public key&lt;/td&gt;
&lt;td&gt;Yes, freely.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The private key must be readable only by you. Check, and fix it if needed:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;ls&lt;/span&gt; &lt;span class="nt"&gt;-la&lt;/span&gt; ~/.ssh/id_ed25519     &lt;span class="c"&gt;# should show permission -rw------- (600)&lt;/span&gt;
&lt;span class="nb"&gt;chmod &lt;/span&gt;600 ~/.ssh/id_ed25519
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  3. Get the public key onto the server
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh-copy-id user@server-ip
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This command asks for the &lt;strong&gt;server password&lt;/strong&gt; — and that is, literally, the last time you'll type it. It copies your public key into the server's &lt;code&gt;~/.ssh/authorized_keys&lt;/code&gt; file, which is the list of padlocks that server accepts.&lt;/p&gt;

&lt;p&gt;Test it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh user@server-ip
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;An important detail to confirm it worked: if it asks for a &lt;strong&gt;passphrase&lt;/strong&gt;, you're good — that's the passphrase &lt;em&gt;for your key&lt;/em&gt;. If it asks for a &lt;strong&gt;password&lt;/strong&gt;, you're still using the server's password. These are different things; pay attention to which word shows up.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Give your servers nicknames
&lt;/h3&gt;

&lt;p&gt;Memorizing IPs is a waste of headspace. Create the &lt;code&gt;~/.ssh/config&lt;/code&gt; file on your computer:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight ssh"&gt;&lt;code&gt;&lt;span class="k"&gt;Host&lt;/span&gt; app-prod
    &lt;span class="k"&gt;HostName&lt;/span&gt; &lt;span class="m"&gt;203&lt;/span&gt;.0.113.10
    &lt;span class="k"&gt;User&lt;/span&gt; deploy

&lt;span class="k"&gt;Host&lt;/span&gt; app-staging
    &lt;span class="k"&gt;HostName&lt;/span&gt; &lt;span class="m"&gt;203&lt;/span&gt;.0.113.20
    &lt;span class="k"&gt;User&lt;/span&gt; deploy

&lt;span class="c1"&gt;# Applies to every host above&lt;/span&gt;
&lt;span class="k"&gt;Host&lt;/span&gt; *
    &lt;span class="k"&gt;IdentityFile&lt;/span&gt; ~/.ssh/id_ed25519
    &lt;span class="k"&gt;AddKeysToAgent&lt;/span&gt; &lt;span class="no"&gt;yes&lt;/span&gt;
    &lt;span class="k"&gt;ServerAliveInterval&lt;/span&gt; &lt;span class="m"&gt;60&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;(The aliases and IPs above are fictional — replace them with your own.)&lt;/p&gt;

&lt;p&gt;Fix the permission (&lt;code&gt;chmod 600 ~/.ssh/config&lt;/code&gt;) and that's it — now you connect like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh app-prod        &lt;span class="c"&gt;# instead of ssh deploy@203.0.113.10&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;ServerAliveInterval 60&lt;/code&gt; sends a little signal every 60s so your connection doesn't drop on its own when you go a while without typing.&lt;/p&gt;

&lt;h3&gt;
  
  
  5. Close the password door
&lt;/h3&gt;

&lt;p&gt;Working with a key isn't enough — as long as the password is still accepted, brute-forcing is still possible. The final step is to &lt;strong&gt;disable password authentication&lt;/strong&gt;.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ The golden rule: don't lock yourself out.&lt;/strong&gt; &lt;strong&gt;Keep your current SSH session open throughout this whole step.&lt;/strong&gt; You'll test the new configuration in a &lt;em&gt;second&lt;/em&gt; terminal window, without closing the first. If something goes wrong, the old session is still there for you to undo it. Only close it once the test passes.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Connected to the server, edit the SSH daemon configuration:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;nano /etc/ssh/sshd_config
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Make sure these four lines look like this (uncomment any that have a &lt;code&gt;#&lt;/code&gt; in front):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight ssh"&gt;&lt;code&gt;&lt;span class="k"&gt;PermitRootLogin&lt;/span&gt; &lt;span class="no"&gt;no&lt;/span&gt;
&lt;span class="k"&gt;PasswordAuthentication&lt;/span&gt; &lt;span class="no"&gt;no&lt;/span&gt;
&lt;span class="k"&gt;PubkeyAuthentication&lt;/span&gt; &lt;span class="no"&gt;yes&lt;/span&gt;
&lt;span class="k"&gt;KbdInteractiveAuthentication&lt;/span&gt; &lt;span class="no"&gt;no&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;PermitRootLogin no&lt;/code&gt; — no one logs in directly as &lt;code&gt;root&lt;/code&gt;. You log in as a regular user and use &lt;code&gt;sudo&lt;/code&gt; when needed.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;PasswordAuthentication no&lt;/code&gt; — the heart of the change: passwords are no longer accepted.&lt;/li&gt;
&lt;li&gt;The other two make sure the key is the way in, and close off an alternative password method.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Before applying it, &lt;strong&gt;validate the syntax&lt;/strong&gt; — a typo here can take SSH down:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;sshd &lt;span class="nt"&gt;-t&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If it prints nothing, you're clean. Then restart the service:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;systemctl restart ssh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;📝 If &lt;code&gt;ssh&lt;/code&gt; isn't the service name.&lt;/strong&gt; On some distributions the service is called &lt;code&gt;sshd&lt;/code&gt;. If the command above complains, use &lt;code&gt;sudo systemctl restart sshd&lt;/code&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Now the test — &lt;strong&gt;without closing the current session&lt;/strong&gt;. Open a new terminal:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh app-prod
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Got in with the key? Great. Now confirm the password is really dead:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh &lt;span class="nt"&gt;-o&lt;/span&gt; &lt;span class="nv"&gt;PubkeyAuthentication&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;no user@server-ip
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This command tells SSH to ignore the key on purpose. The expected result is &lt;code&gt;Permission denied&lt;/code&gt;. If you got a "Permission denied", &lt;strong&gt;congratulations — the password door is shut.&lt;/strong&gt; Now you can finally close the old session.&lt;/p&gt;

&lt;h3&gt;
  
  
  6. Guard the private key like the treasure it is
&lt;/h3&gt;

&lt;p&gt;Your private key is your identity on those servers. Lose the file = lose access. Leak the file = hand access to someone else. Treat it accordingly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Do:&lt;/strong&gt; save the key's contents in a &lt;strong&gt;secure note inside a password manager&lt;/strong&gt; (Bitwarden has a free plan and works well). Copy the contents with &lt;code&gt;cat ~/.ssh/id_ed25519&lt;/code&gt; and paste them into a Secure Note. Keep the passphrase in a &lt;em&gt;separate&lt;/em&gt; place.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Don't:&lt;/strong&gt; save the key on Google Drive, Dropbox, or OneDrive. Those services sync the file automatically across several devices and expose it through the browser. You lose control over where your identity lives.&lt;/p&gt;

&lt;h3&gt;
  
  
  7. Two extra tweaks worth the effort
&lt;/h3&gt;

&lt;p&gt;Optional, but recommended on servers exposed to the internet:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Change the SSH port.&lt;/strong&gt; Port 22 is the default and takes 100% of the bot noise. Moving to another port isn't real security (it's just hiding), but it drastically cuts the junk in your logs. Add &lt;code&gt;Port XXXX&lt;/code&gt; to &lt;code&gt;sshd_config&lt;/code&gt; and the matching &lt;code&gt;Port XXXX&lt;/code&gt; in the host block of your &lt;code&gt;~/.ssh/config&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Install &lt;code&gt;fail2ban&lt;/code&gt;.&lt;/strong&gt; It watches the logs and temporarily bans IPs that keep trying to get in. It's your automatic sentry.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Final checklist
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;[ ] Ed25519 key created, with a strong passphrase&lt;/li&gt;
&lt;li&gt;[ ] Public key copied to all your servers&lt;/li&gt;
&lt;li&gt;[ ] &lt;code&gt;~/.ssh/config&lt;/code&gt; set up with aliases&lt;/li&gt;
&lt;li&gt;[ ] &lt;code&gt;PasswordAuthentication no&lt;/code&gt; and &lt;code&gt;PermitRootLogin no&lt;/code&gt; on all of them&lt;/li&gt;
&lt;li&gt;[ ] Tested in a new session &lt;strong&gt;before&lt;/strong&gt; closing the old one&lt;/li&gt;
&lt;li&gt;[ ] Confirmed the password is blocked (&lt;code&gt;Permission denied&lt;/code&gt; on the test)&lt;/li&gt;
&lt;li&gt;[ ] Private key in a password manager (never on synced cloud storage)&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dev.toOptional"&gt; &lt;/a&gt; Port changed + &lt;code&gt;fail2ban&lt;/code&gt; on public servers&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Mini-manual — every command in this post
&lt;/h3&gt;

&lt;p&gt;Every command that appeared above, and what it does:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;ssh-keygen -t ed25519 -C "comment"&lt;/code&gt; — generates the key pair (private + public) using the Ed25519 algorithm.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;ssh-keygen -p -f ~/.ssh/id_ed25519&lt;/code&gt; — adds or changes the passphrase of an existing key, without changing the key itself.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;ls -la ~/.ssh/id_ed25519&lt;/code&gt; — shows the key file and its current permission.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;chmod 600 ~/.ssh/id_ed25519&lt;/code&gt; — restricts read/write of the private key to your user only.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;chmod 600 ~/.ssh/config&lt;/code&gt; — does the same for the aliases file.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;ssh-copy-id user@server&lt;/code&gt; — copies your public key into the server's &lt;code&gt;authorized_keys&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;ssh app-prod&lt;/code&gt; (or &lt;code&gt;ssh user@ip&lt;/code&gt;) — connects to the server.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;sudo nano /etc/ssh/sshd_config&lt;/code&gt; — opens the server's SSH daemon configuration for editing.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;sudo sshd -t&lt;/code&gt; — validates the &lt;code&gt;sshd_config&lt;/code&gt; syntax before applying it (prints nothing if it's OK).&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;sudo systemctl restart ssh&lt;/code&gt; — restarts the SSH service to apply the new configuration (&lt;code&gt;sshd&lt;/code&gt; on some distros).&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;ssh -o PubkeyAuthentication=no user@ip&lt;/code&gt; — forces password login on purpose; used to confirm the password is blocked (should give &lt;code&gt;Permission denied&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;cat ~/.ssh/id_ed25519&lt;/code&gt; — prints the private key's contents, to copy into your password manager.&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;Murilo Negrão — backend/DevOps developer. I write about modernizing legacy stacks and the bridge between code and infrastructure.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ssh</category>
      <category>devops</category>
      <category>security</category>
      <category>cloudcomputing</category>
    </item>
  </channel>
</rss>
