Secure Your SSH Connection
SSH access is the most common attack vector against an internet-facing server. A huge number of bots and attackers scan the default port 22 and try to log in with both simple and elaborate credential lists.
In this part, we are going to set up a secure SSH connection with strong SSH keys and key-only authentication. We will also move SSH off the default port: this does not make the server more secure by itself, but it cuts the noise from untargeted scans and brute-force attempts.
For the host key and the user key we will use Ed25519, and for the key exchange curve25519-sha256 (ECDH over Curve25519 with SHA-256); these are the current recommended choices in OpenSSH.
This part is a modified version of bLd's guide, using only the PuTTY client to access the server. If you are using Linux or macOS, you can refer directly to the original guide, which uses OpenSSH.
Configuration
Follow this guide step by step and try to understand every step explained here.
Be very careful never to close your current session until you have tested the connection with your new key and port. Otherwise you could lose SSH access to your server.
Connect to your server using PuTTY:
  1. Open PuTTY.
  2. Type the IP address of your Azure server in the 'Host Name' field.
  3. The terminal opens and you can log in with your username and password.
Let's start by moving the current host keys into a backup directory. They will be replaced with a fresh Ed25519 key below; clients that already know the old key will see a host key change warning on their next connection, which is expected here:
cd /etc/ssh
sudo mkdir backup
sudo mv ssh_host_* ./backup/
Open the SSH client config file. This file governs outgoing ssh connections made from the server, not incoming ones; incoming connections are configured in sshd_config below:
sudo nano /etc/ssh/ssh_config
Add the following lines in the Host * section and save (the names ending in @libssh.org and @openssh.com are the exact algorithm identifiers OpenSSH expects):
Host *
KexAlgorithms curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UseRoaming no
The UseRoaming no line only matters for OpenSSH clients older than 7.2, where it disables the undocumented connection-roaming feature; current versions no longer have that feature and ignore the option.
Save the file with CTRL+O and close the editor with CTRL+X.
Open the sshd config file (this one controls incoming connections):
sudo nano /etc/ssh/sshd_config
In the following lines, I used port 4321; this is just an example. You can use any random port in the range 1024 to 49151. Put these lines at the top of the file, before any Include line: for most keywords sshd takes the first occurrence it finds, so a distribution default such as PasswordAuthentication yes further down (or in a file pulled in by an Include line that precedes yours) would otherwise win. Port is the exception: each Port line adds a listening port.
Port 22
Port 4321
KexAlgorithms curve25519-sha256@libssh.org
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
AllowGroups ssh-user
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Save the file with CTRL+O and close the editor with CTRL+X. Now, what did you do? In detail, with these lines we tell the server to:
  • Listen on port 4321 as well as the default port 22 (use a different random port in the range 1024–49151)
  • Use curve25519-sha256 for the key exchange
  • Present only the Ed25519 host key
  • Use chacha20-poly1305 (preferred), AES-GCM and AES-CTR ciphers for data; chacha20-poly1305 and AES-GCM are AEAD ciphers that authenticate the data themselves, while the CTR ciphers rely on a separate message authentication code (MAC)
  • Only allow logins from members of the ssh-user group
  • Enable key authentication
  • Disable password and challenge-response access
We left the line Port 22 in place for the first test on the new port. Once your tests are successful, we will remove this line.
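Before reloading, it helps to see how sshd will resolve the file. The following script is an added example and not part of the original guide: it applies sshd's first-occurrence rule to a constructed sshd_config text, collects every Port line, and checks the extra ports against the range the guide uses. The two sample configs are made up for illustration; neither is a real server file.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): resolve an sshd_config text the way
# sshd does. For most keywords the FIRST occurrence wins, so a distribution default
# such as "PasswordAuthentication yes" that sits above your lines silently cancels
# the hardening. "Port" is the exception: every Port line adds a listening port.

# effective_value CONFIG_TEXT KEYWORD
# Prints the first value set for KEYWORD in the global section (before any Match).
effective_value() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
    tolower($1) == "match" { exit }           # Match blocks are conditional: stop
    tolower($1) == key     { print $2; exit } # first occurrence wins
  '
}

# listen_ports CONFIG_TEXT
# Prints every Port value in file order, space separated (sshd listens on all).
listen_ports() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == "port"  { ports = ports (ports ? " " : "") $2 }
    END { print ports }
  '
}

# port_in_range PORT -> true when PORT lies in the 1024-49151 range the guide uses
port_in_range() {
  case "$1" in '' | *[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 49151 ]
}

# check_config CONFIG_TEXT -> true when password login resolves to "no" and every
# port besides the temporary 22 is in range
check_config() {
  local p
  [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] || return 1
  for p in $(listen_ports "$1"); do
    [ "$p" -eq 22 ] || port_in_range "$p" || return 1
  done
}

# Constructed sample configs for illustration; neither is a real server file.
# The guide's lines come first, so the stray default at the end is ignored.
GOOD_CONFIG='
Port 22
Port 4321
HostKey /etc/ssh/ssh_host_ed25519_key
AllowGroups ssh-user
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# leftover distribution default, ignored because of the earlier line
PasswordAuthentication yes
'
# Same directives, but the default comes first: password login stays enabled.
BAD_CONFIG='
PasswordAuthentication yes
Port 4321
PasswordAuthentication no
'

for name in GOOD_CONFIG BAD_CONFIG; do
  if check_config "${!name}"; then
    echo "$name: ok (ports: $(listen_ports "${!name}"))"
  else
    echo "$name: NOT safe, PasswordAuthentication resolves to" \
         "$(effective_value "${!name}" PasswordAuthentication)"
  fi
done
```

On the server itself, sudo sshd -t checks the syntax and sudo sshd -T prints the values sshd will actually use; those are the authoritative checks to run before the reload. The script's Match handling is deliberately simple (it stops at the first Match block) and it does not follow Include lines, so inspect any included files under /etc/ssh by hand.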
Then, create the new Ed25519 host key. Use the full path so the command works from any directory; -N "" gives the host key no passphrase, which is required because sshd must read it unattended at start-up:
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
Create the SSH user group and add your user to it. Together with the AllowGroups line, this rejects logins by any account that is not in the group (including root, unless you add it):
sudo groupadd ssh-user
sudo usermod -a -G ssh-user <username>
Note: replace <username> with the user you use on your server, and make sure that account really is in the group before reloading sshd; if it is not, the new configuration will lock you out.

Azure firewall

Before continuing, it is very important to open the newly configured SSH port (4321 in our example) in your firewall. Go to the Azure portal and add an inbound rule for this port to the network security group attached to your VM.
For the first tests, leave port 22 open. Once you have successfully connected on the new port, you can safely close port 22.

Generate SSH keys

This guide is built around Azure and PuTTY; in case you want to use OpenSSH, follow the original guide.
Open the PuTTYgen GUI.
Select the Ed25519 key type and click on Generate.
Enter a strong passphrase and save both the private and the public key in a secure folder. Copy the public key from the text box labelled 'Public key for pasting into OpenSSH authorized_keys file'; that single line is the OpenSSH format the server expects.
Go back to the PuTTY session on your server and open the authorized_keys file of your own user. Do not use sudo here: sshd refuses the file if it is writable by others, and ~/.ssh itself must not be accessible to other users.
mkdir -p ~/.ssh && chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
Paste the public key (one line starting with ssh-ed25519) and save.

Verify

Let's reload the ssh service without killing the current session:
sudo kill -SIGHUP $(pgrep -f 'sshd -D')
Attention: do not do a full restart of sshd yet. That would close your open session and you could lose access to your server if something is misconfigured. A SIGHUP makes the listening daemon re-read its configuration; your existing session is a separate process and stays up. If the new configuration is invalid, however, the re-executed listener exits, so check the status right after. If pgrep finds no process, your system starts sshd with different arguments; sudo systemctl reload ssh sends the same signal.
Check that the sshd service is still running correctly and is now listening on both ports:
systemctl status sshd

Connect

Load the private key in the PuTTY Connection > SSH > Auth section.
Don't forget to use your custom port, then connect.
Congratulations, your SSH connection is secured!
Don't forget to remove the Port 22 line from sshd_config (and reload sshd again), close port 22 in the Azure firewall, and check that no key other than yours is listed in the authorized_keys file.
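The last check above, auditing authorized_keys, can be scripted. The script below is an added example and not part of the original guide: it flags every entry that is not a well-formed ssh-ed25519 key (wrong type, or a blob that does not decode to the 51 bytes an Ed25519 public key occupies) and runs against a constructed sample file whose key bytes are synthetic. It assumes entries carry no leading options field such as from="..."; such lines are reported as BAD so you look at them by hand.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): audit an authorized_keys file so
# that only well-formed ssh-ed25519 entries remain. Assumes entries carry no
# leading options field (e.g. from="..."); such lines are reported as BAD too.

# is_ed25519_blob BASE64 -> true when BASE64 decodes to an ssh-ed25519 public key:
# 4-byte length + "ssh-ed25519" + 4-byte length + 32-byte key = 51 bytes
is_ed25519_blob() {
  local blob=$1 size ident
  size=$(printf '%s' "$blob" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$size" = 51 ] || return 1
  ident=$(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c 15 | tail -c 11)
  [ "$ident" = "ssh-ed25519" ]
}

# audit_authorized_keys FILE
# Prints "OK <type> <comment>" or "BAD <type> <comment>" per entry; returns 1 if any BAD.
audit_authorized_keys() {
  local file=$1 line type blob comment status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in '' | '#'*) continue ;; esac   # blank lines and comments
    read -r type blob comment <<<"$line"
    if [ "$type" = "ssh-ed25519" ] && is_ed25519_blob "$blob"; then
      printf 'OK  %s %s\n' "$type" "${comment:-<no comment>}"
    else
      printf 'BAD %s %s\n' "$type" "${comment:-<no comment>}"
      status=1
    fi
  done <"$file"
  return "$status"
}

# count_bad FILE -> number of entries that must be removed
count_bad() { audit_authorized_keys "$1" | grep -c '^BAD'; }

# Synthetic Ed25519 blob: correct ssh-ed25519 framing around 32 bytes of 0x01
# (not a real key). SHORT_BLOB is the same blob with its last 3 bytes missing.
VALID_BLOB=AAAAC3NzaC1lZDI1NTE5AAAAIAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB
SHORT_BLOB=AAAAC3NzaC1lZDI1NTE5AAAAIAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB

# Constructed sample file: one valid entry, one leftover RSA key, one damaged entry.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<EOF
# keys accepted for this account
ssh-ed25519 $VALID_BLOB admin@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC old-rsa-key
ssh-ed25519 $SHORT_BLOB truncated
EOF

if audit_authorized_keys "$SAMPLE"; then
  echo "authorized_keys is clean"
else
  echo "remove the BAD entries before closing port 22"
fi
```

Run it as audit_authorized_keys ~/.ssh/authorized_keys on the server; anything reported as BAD, and any OK line whose comment you do not recognise, should be deleted before port 22 is closed.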