2. Secure SSH Connection
SSH access is the most common attack vector against an Internet-facing server. Vast numbers of bots and attackers scan the default port 22 and try to log in with both basic and elaborate credential lists.
In this part, we are going to build a secure SSH connection with strong SSH keys. We will change the default SSH port to mitigate scans and brute-force attempts.
We will use the curve25519-sha256 protocol (ECDH over Curve25519 with SHA2) for our key exchange here, as it is considered the most secure option today.
This part is a modified version of bLd's guide, using only the PuTTY client to access the server. If you are using Linux or macOS, you can refer directly to the original guide, which uses OpenSSH.
Follow this guide step-by-step. We recommend that you try to understand every step explained in this guide.
Be very careful never to close your current session until you have tested the connection with your new key; otherwise you could lose SSH access to your server.
Connect to your server using PuTTY.
- Open PuTTY
- Type the IP of your server on Azure in the field called ‘Host Name’.
- The terminal will open and you can log in with your username and password.
Let’s start by moving our current, unsecured host keys from /etc/ssh into a backup directory:
cd /etc/ssh
sudo mkdir backup
sudo mv ssh_host_* ./backup/
Next, open the ssh client config file:
sudo nano /etc/ssh/ssh_config
Add the following lines in the Host * section and save:
Press CTRL+O to save your file, then close the editor.
Then open the sshd config file:
sudo nano /etc/ssh/sshd_config
In the following lines, you will see that we use port 4321. This is just an example; you can use any random port in the range 1024 to 49151. Copy these lines into your file:
Press CTRL+O to save your file, then close the editor.
Now, what did we just do? In detail, we told the host to:
- Use port 4321 instead of the default 22: please pick a different random port in the range 1024–49151
- Use the curve25519 protocol for key exchange and aes-ctr ciphers for data
- Enable message authentication codes (MACs) for the CTR ciphers
- Allow only the ssh group ssh-user to log in
- Enable key authentication
- Disable password access
Here we left the line Port 22 in place for the first test on the new port. Once your tests are successful, we will remove this line.
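As an added pre-flight check (not part of the original guide), the following script verifies that an sshd_config actually carries the settings listed above before you reload sshd; it assumes the guide's file uses the standard sshd_config directive names (KexAlgorithms, Ciphers, MACs, AllowGroups, PubkeyAuthentication, PasswordAuthentication) and runs against two constructed sample files rather than the live configuration.

```shell
# Added pre-flight check, not from the guide: verify that an sshd_config carries
# the hardening described above. Assumes the standard directive names below.
directive() {  # print first uncommented value of directive $2 in file $1
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print $2; exit }' "$1"
}
require_directive() {  # return 1 and report unless $2 in file $1 equals $3
    actual=$(directive "$1" "$2"); [ "$actual" = "$3" ] && return 0
    echo "FAIL: $2 is '${actual:-unset}', expected '$3'"; return 1
}
# Return 0 if port 22 is still listed (acceptable only during the first test).
port22_still_open() {
    awk 'tolower($1) == "port" && $2 == 22 { found = 1 } END { exit !found }' "$1"
}
# Return 0 when every hardening step from the list above is in place.
check_sshd_config() {
    f=$1; rc=0
    require_directive "$f" PasswordAuthentication no       || rc=1
    require_directive "$f" PubkeyAuthentication yes        || rc=1
    require_directive "$f" AllowGroups ssh-user            || rc=1
    require_directive "$f" KexAlgorithms curve25519-sha256 || rc=1
    # Port may be repeated; one entry must fall in the guide's 1024-49151 range.
    awk 'tolower($1) == "port" && $2 >= 1024 && $2 <= 49151 { ok = 1 }
         END { exit !ok }' "$f" || { echo "FAIL: no custom Port in 1024-49151"; rc=1; }
    # Ciphers and MACs are comma lists: reject CBC modes and MD5/SHA-1 MACs.
    case "$(directive "$f" Ciphers)" in
        ""|*cbc*) echo "FAIL: Ciphers must list aes-ctr modes only"; rc=1 ;;
    esac
    case "$(directive "$f" MACs)" in
        ""|*md5*|*sha1*) echo "FAIL: MACs must be hmac-sha2-* only"; rc=1 ;;
    esac
    port22_still_open "$f" && echo "WARN: Port 22 still open; remove it after testing"
    return $rc
}
# Constructed sample files (not the guide's config): one hardened as described,
# still listing Port 22 for the first test, and one left at stock defaults.
HARDENED=$(mktemp); WEAK=$(mktemp)
cat > "$HARDENED" <<'EOF'
Port 22
Port 4321
KexAlgorithms curve25519-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
AllowGroups ssh-user
PubkeyAuthentication yes
PasswordAuthentication no
EOF
printf 'Port 22\nPasswordAuthentication yes\n' > "$WEAK"
```

On the server, run check_sshd_config /etc/ssh/sshd_config (and sudo sshd -t for a syntax check) before sending SIGHUP; a FAIL line means a directive is missing or wrong.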
Then, create the new SSH host key:
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
Create the SSH user group and add your user to it. This prevents any login by a user outside the group:
sudo groupadd ssh-user
sudo usermod -a -G ssh-user <username>
Note: replace <username> with the user you log in with on your server.
Before continuing, it is very important to open the newly configured SSH port (4321 in our example) in your server’s firewall settings. For the first tests, leave port 22 open. Once you have successfully connected on the new port, you can safely close port 22.
Generate SSH keys
This guide is built around Azure and PuTTY; if you want to use OpenSSH instead, follow this guide.
Open the PuTTYgen GUI, select the Ed25519 key type and click on Generate:
Enter a strong passphrase and save both private and public key in a secure folder. Copy the public key from the text box.
Go back to the PuTTY session on your server and open the authorized_keys file:
sudo nano ~/.ssh/authorized_keys
Paste the public key and save.
Let’s reload the ssh service without killing the current session:
sudo kill -SIGHUP $(pgrep -f 'sshd -D')
Attention: do not do a full restart of sshd yet; this would close your open session and you could lose access to your server if something is misconfigured.
Check that the sshd service is still running correctly:
systemctl status sshd
Now load the private key in PuTTY.
Don’t forget to use your custom port, then connect:
Congratulations, your SSH connection is secure!
Don’t forget to remove port 22 from the sshd_config file and from the firewall, and check that no other key is allowed in