SSH is the most common tool to connect to a VPS. If you are someone who connects to servers as a part of their role, I have listed 6 easy-to-use and practical tips to make your experience more secure and productive.
Tip 1- Create SSH Profiles
SSH profiles are an interesting way to make connecting to a server over SSH easy. Suppose you use a custom username and port number to connect to your server; then every time you want to connect to the VPS, you need an ssh command like this:
ssh [USERNAME]@[IP_ADDRESS] -p [PORT_NUMBER]
Finding and entering these ssh parameters each time can be frustrating. Instead, you can simply create a profile in the SSH config file, so next time you can connect using the profile name rather than the connection details. Profiles are stored in the ~/.ssh/config file. The snippet below shows the corresponding configuration for the connection details above.
Host [PROFILE_NAME]
HostName [IP_ADDRESS]
User [USERNAME]
IdentitiesOnly yes
IdentityFile ~/.ssh/id_rsa
Port [PORT_NUMBER]
Now you can connect to the VPS with just the profile name, and your shell's tab completion can fill it in for you. Enjoyed it? Jump to the next one for more.
ssh [PROFILE_NAME]
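As an added example (not code from the original post), the functions below create a profile like the one above in a given config file, refuse to duplicate an existing Host block, keep the file private, and read a value back out of a block, which is a quick way to verify what ssh will actually use. The profile name, address and key path are constructed placeholders.

```shell
# Added example, not code from the original post: manage Host profiles in an
# OpenSSH client config. The profile name, address and key path used in the
# comments and tests are constructed placeholders.

# ssh_profile_exists CONFIG NAME: true if a "Host NAME" block is already present
ssh_profile_exists() {
  [ -r "$1" ] || return 1
  awk -v want="$2" '
    tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == want) { found = 1; exit } }
    END { exit !found }' "$1"
}

# ssh_profile_value CONFIG NAME KEY: print the KEY value inside the NAME block
# (e.g. HostName, User, Port); exit 1 if the block or the key is missing
ssh_profile_value() {
  [ -r "$1" ] || return 1
  awk -v want="$2" -v key="$3" '
    tolower($1) == "host" { inblock = 0; for (i = 2; i <= NF; i++) if ($i == want) inblock = 1; next }
    inblock && tolower($1) == tolower(key) { print $2; found = 1; exit }
    END { exit !found }' "$1"
}

# add_ssh_profile CONFIG NAME HOSTNAME USER PORT IDENTITYFILE
# Appends a profile like the one in the tip. It refuses to add a second block
# with the same name (ssh keeps the first value it finds for each parameter,
# so a duplicate would be silently ignored) and keeps the file private:
# ssh rejects a config that is group- or world-writable.
add_ssh_profile() {
  if ssh_profile_exists "$1" "$2"; then
    echo "profile '$2' already exists in $1" >&2
    return 1
  fi
  mkdir -p "$(dirname "$1")"
  printf '\nHost %s\n    HostName %s\n    User %s\n    Port %s\n    IdentitiesOnly yes\n    IdentityFile %s\n' \
    "$2" "$3" "$4" "$5" "$6" >> "$1"
  chmod 600 "$1"
}
```

After adding a profile, `ssh -G [PROFILE_NAME]` prints every option ssh resolved for it, which is the quickest way to confirm the block was picked up.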
Tip 2- Connect without a Password
Although a strong password can effectively raise the security level of your VPS, recalling it each time you want to log in can be frustrating. The good news is that if you use specific machines to log in to your servers, you can set up a public/private key pair so that you don't need to provide a password each time.
First, generate an SSH key pair on your local machine, then press Enter a couple of times until the keys are generated (these prompts ask for a location, a filename and a passphrase, but the defaults can be kept).
# Create a key pair
ssh-keygen -t rsa
Now, you need to copy the generated public key to the remote server using the ssh-copy-id command.
ssh-copy-id [USERNAME]@[IP_ADDRESS] -p [PORT_NUMBER]
# or if you have already set a profile configuration
ssh-copy-id [PROFILE_NAME]
Try connecting to the remote server; you should be logged in without being prompted for a password. Just keep in mind that you should not use key pairs on shared machines, as that can be a security vulnerability.
Tip 3- Block root Access
Although some VPS hosting services provide an out-of-the-box admin user rather than root, generally you will connect to the VPS as root. Removing root access from SSH guarantees that the username must be provided at login time, since root is the default username.
Be careful: before blocking root access you need to create the admin user you are going to use instead of root. Otherwise, you may lose access to the VPS.
Another plus of blocking root access is avoiding unintentional changes on the server, as the new admin user's access can be limited. To create a new so-called admin user on Ubuntu, use the snippet below. To prepare the created user for SSH login, you also need to set a password as soon as you create it.
# Add a new user (e.g. admin)
sudo useradd -m admin
# Set a password for new user
sudo passwd admin
# Add user to sudoers' list
sudo usermod -aG sudo admin
Now, to remove root access, set the PermitRootLogin entry to no in the SSH daemon config file located at /etc/ssh/sshd_config and restart the sshd service.
# Restart sshd service
systemctl restart sshd
EDITED - After implementing the previous tip, you might find it tedious to switch from admin to root by providing a password. You can make this much simpler by removing the password prompt. To this end, add a new line of config to the /etc/sudoers file after root ALL=(ALL:ALL) ALL.
admin ALL=NOPASSWD:ALL
You also need to comment out the %sudo ALL=(ALL:ALL) ALL line so that it reads:
#%sudo ALL=(ALL:ALL) ALL
Now, you should be able to switch to root with sudo su. As a result, right after logging in as admin, you can switch to root without any password prompt.
# Switch to the root user without providing a password
sudo su root
Tip 4- Changing SSH Port
Changing the port number is a simple way to hide a VPS from crawlers. SSH uses port 22 by default; however, you can change it to any port number from 1024 to 65535 (ports 0 to 1023 are reserved). Using a 5-digit, uncommon port number is recommended. To do this, modify the port number in /etc/ssh/sshd_config by setting the Port entry and restart the sshd service.
NOTE - Before updating the SSH port number, be sure that you have opened the new port through ufw if the firewall is already active. If you don't know what this means, don't touch the port number until you have read the ufw tip below.
# Restart sshd service
sudo systemctl restart sshd
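Tips 3 and 4 both edit /etc/ssh/sshd_config and restart sshd, and both can lock you out if the edit is wrong. The following added example (not code from the original post) makes those two edits idempotently and wraps them in the checks a practitioner would want first: the replacement admin user must already be able to sudo, and sshd -t must accept the new file before anything is restarted. The user name "admin" and the port are placeholders taken from the tips.

```shell
# Added example, not code from the original post. set_sshd_option edits an
# sshd_config idempotently; apply_sshd_hardening performs the checks the text
# warns about (admin user ready, config valid) before restarting sshd. The
# user name "admin" and the port are placeholders taken from the tips.

# set_sshd_option FILE KEY VALUE: replace the first "KEY ..." or "#KEY ..."
# line with "KEY VALUE"; later duplicates are left alone (sshd keeps the
# first value), and a missing key is inserted before any Match block,
# since global options must precede Match sections.
set_sshd_option() {
  out=$(mktemp)
  awk -v key="$2" -v value="$3" '
    function head(s) { sub(/^[ \t]*#?[ \t]*/, "", s); split(s, f, /[ \t]+/); return tolower(f[1]) }
    !done && tolower($1) == "match" { print key " " value; done = 1 }
    !done && head($0) == tolower(key) { print key " " value; done = 1; next }
    { print }
    END { if (!done) print key " " value }' "$1" > "$out"
  cat "$out" > "$1" && rm -f "$out"   # cat keeps the original owner and mode
}

# sshd_option FILE KEY: the global value sshd will use (first active line)
sshd_option() {
  awk -v key="$2" '/^[ \t]*#/ { next } tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# admin_ready USER: the replacement user exists and is in the sudo group
admin_ready() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx sudo
}

# apply_sshd_hardening USER [PORT]: run as root. Refuses to lock root out
# unless USER can sudo, validates the result with `sshd -t`, restores the
# backup on failure and only restarts sshd when the config parses.
apply_sshd_hardening() {
  cfg=/etc/ssh/sshd_config
  admin_ready "$1" || { echo "create $1 and add it to sudo first" >&2; return 1; }
  cp -p "$cfg" "$cfg.bak"
  set_sshd_option "$cfg" PermitRootLogin no
  if [ -n "$2" ]; then set_sshd_option "$cfg" Port "$2"; fi
  if sshd -t; then
    systemctl restart sshd
  else
    cp -p "$cfg.bak" "$cfg"
    echo "sshd_config failed validation; backup restored, nothing restarted" >&2
    return 1
  fi
}
```

Keep the existing SSH session open while you test a fresh login as the admin user; if the new login fails, the old session can still restore the backup.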
Tip 5- Block Unused Ports
Although firewall configuration is not an SSH-related tip, it is worth mentioning as it is a crucial step when you are setting up a VPS to connect to. Using a firewall on Ubuntu is not as complex as you might expect. Ubuntu ships with an out-of-the-box firewall named Uncomplicated Firewall and, as the name suggests, it's easy to use. ufw is the command-line tool for working with it. By activating ufw you can control network traffic using different filters such as ports and IPs. To this end, you can use the allow and deny commands to manage a port.
NOTE - Before activating the firewall, make sure the SSH port is allowed (the default port 22, unless you have changed it), otherwise you will lose access to the VPS.
# Open SSH port
sudo ufw allow ssh
# - OR -
sudo ufw allow [SSH_PORT]
# Block a port
sudo ufw deny [UNUSED_PORT]
# Activate firewall
sudo ufw enable
# Check firewall status
sudo ufw status
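The note above is the one step in this tip that can cost you the server, so here is an added example (not code from the original post) that turns it into an automatic guard: it reads the real SSH port from sshd_config, parses the current ufw status output for an ALLOW rule on that port, and refuses to enable the firewall otherwise. The status text in the test is a constructed sample of ufw status output.

```shell
# Added example, not code from the original post: guard the "allow SSH before
# enabling" rule from the note above. The sshd_config path is the default the
# text uses; the ufw status text used for testing is a constructed sample.

# ssh_port_in FILE: the active Port line of an sshd_config, or 22 by default
ssh_port_in() {
  p=$(awk '/^[ \t]*#/ { next } tolower($1) == "port" { print $2; exit }' "$1")
  echo "${p:-22}"
}

# port_allowed STATUS_TEXT PORT: true if `ufw status` output contains an
# ALLOW rule for PORT, PORT/tcp, or the OpenSSH app profile when PORT is 22.
# Header lines, DENY rules and "Status: inactive" never match.
port_allowed() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $0 !~ /[ \t]ALLOW[ \t]/ { next }
    $1 == port || $1 == (port "/tcp") || ($1 == "OpenSSH" && port == 22) { ok = 1; exit }
    END { exit !ok }'
}

# safe_ufw_enable [SSHD_CONFIG]: run as root. Reads the real SSH port, checks
# the current rule set and refuses to enable the firewall if that port is
# not allowed yet, which is exactly the lock-out the note warns about.
safe_ufw_enable() {
  port=$(ssh_port_in "${1:-/etc/ssh/sshd_config}")
  if port_allowed "$(ufw status)" "$port"; then
    ufw enable
  else
    echo "SSH port $port is not allowed; run 'ufw allow $port/tcp' first" >&2
    return 1
  fi
}
```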
Tip 6- Block ping Requests
Similar to Tip 5, this topic is not related to SSH, but it's a simple yet effective action to raise the server's security. The ping service responds to ICMP echo packets sent by a client and is widely used to test whether a server is reachable at a specific IP address. However, crawlers can use it to find your server's IP address, since you are responding to their ping requests.
To deactivate ping permanently (so that it stays disabled after a reboot), switch to the root user and set net.ipv4.icmp_echo_ignore_all = 1 in the /etc/sysctl.conf file (append it if it's not already there), then run the sysctl -p command. On some Linux distros you may notice that the setting does not stick. In this case, try appending the same setting line to the /etc/ufw/sysctl.conf file.
# Switch to root
su root
# Append the setting to the config file
nano /etc/sysctl.conf
# OR
nano /etc/ufw/sysctl.conf
# Apply the setting
sysctl -p
Now ping the server and confirm that it no longer replies.
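Because the setting can be lost on some distros, it is worth checking both where it is persisted and what the kernel is actually doing. The added example below (not code from the original post) parses sysctl.conf-style files the way sysctl applies them (last active line wins), looks in both files the text mentions, and compares that with the live value under /proc. The file paths can be overridden so the functions run on constructed files.

```shell
# Added example, not code from the original post: check that the ICMP echo
# setting is both persisted and in effect. Paths can be overridden so the
# functions can be exercised on constructed files.

# sysctl_file_value FILE KEY: value of the last active "key = value" line
# (later lines override earlier ones, as sysctl applies them in order);
# prints nothing and fails if the key is absent or the file is unreadable
sysctl_file_value() {
  [ -r "$1" ] || return 1
  awk -v key="$2" -F= '
    /^[ \t]*[#;]/ { next }
    { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
    k == key { val = v; found = 1 }
    END { if (found) print val; exit !found }' "$1"
}

# icmp_ignore_persisted [FILE...]: true if any of the given files (default:
# the two files the text mentions) sets net.ipv4.icmp_echo_ignore_all = 1
icmp_ignore_persisted() {
  [ $# -gt 0 ] || set -- /etc/sysctl.conf /etc/ufw/sysctl.conf
  for f in "$@"; do
    [ "$(sysctl_file_value "$f" net.ipv4.icmp_echo_ignore_all 2>/dev/null)" = "1" ] && return 0
  done
  return 1
}

# icmp_ignore_effective [PROCFILE]: the kernel's live value, readable without root
icmp_ignore_effective() {
  cat "${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
}

# check_ping_blocked: the state the text asks you to confirm after `sysctl -p`
# and again after a reboot; fails when the setting is not persisted anywhere
check_ping_blocked() {
  if icmp_ignore_persisted && [ "$(icmp_ignore_effective)" = "1" ]; then
    echo "ping blocked: persisted and active"
  elif icmp_ignore_persisted; then
    echo "persisted but not active yet: run sysctl -p as root"
  else
    echo "not persisted: the setting will not survive a reboot"
    return 1
  fi
}
```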
Final Words!
These tips will help you have a better experience working with an SSH client. Keep in mind that if you find something tedious in your everyday work, there is probably a better way to do it. Just be careful: when working with a VPS, a simple mistake may result in a major security risk or loss of access to your server.
Top comments (4)
I am wondering. Would you suggest always on all servers block ping request? Could it somehow improve security?
No, I wouldn't. If so, ping could be known as a security issue, not a useful service. However, I think a hidden IP is superior to a visible IP.
Yep, but disabling ping will not hide your IP. Am I wrong?
You're right. By the way, it's a security measure, even if it increases security only slightly.