Introduction
If you just bought your VPS and are ready to self host, this guide is for you. In my opinion, this is one of the most important security improvements that you can make on your VPS.
With this security trick, you stay protected even if someone figures out the password of your VPS.
How to create a SSH key
Before you do this security trick, you need an SSH key. Creating one is really simple, especially if you are using Linux. I will show you the basic steps to create an SSH key on Linux, Mac and Windows.
Linux
On Linux, you can open a terminal and use the following command:
ssh-keygen -t rsa
After using it, hit enter three times. There is no need to put a passphrase.
Once this is done, you can see your SSH key at /home/youruser/.ssh or ~/.ssh
You will have two files, id_rsa and id_rsa.pub. They are the private key and the public key respectively. Make sure to keep both safe as this will be your key to access the VPS.
Mac
On Mac, it's similar. Open an application called "Console" or "Terminal" and type:
ssh-keygen -t rsa
After that, hit enter 3 times and your key will be in the home folder of the user, inside a folder that starts with a dot (.ssh).
Windows
Again, this is similar to the previous systems. On Windows, I do recommend using PowerShell. You can search in your programs for it. After opening PowerShell, type the following:
ssh-keygen.exe -t rsa
Hit enter 3 times as well and the SSH key will be available at C:\Users\YourUser\.ssh
Adding your SSH key inside the VPS
Now that you have your SSH key, you have to add it inside the VPS. Doing it is pretty simple, especially on Linux.
Make sure to replace user with the actual user that you will use and VPSIP with the actual IP of your VPS.
Linux
ssh-copy-id user@VPSIP
Windows
Windows may be a bit tricky. You will need to manually copy your SSH key inside the allowed list.
So the first thing is to copy your SSH public key on Windows. Inside PowerShell, run this command:
Get-Content ~\.ssh\id_rsa.pub | Set-Clipboard
You can also get it manually by opening the file in the .ssh folder.
Once you have your SSH key, you will need to log in to the VPS and paste your key into ~/.ssh/authorized_keys.
To log in to the VPS, just use PowerShell normally:
ssh user@VPSIP
Then, once you are in, you can open the file in this way:
nano ~/.ssh/authorized_keys
If you don't have nano, you can also use vi, vim or install nano.
Inside this file, just paste your ssh key. Make sure to put it in just one line. It should look like this:
After that, save the file (Ctrl+O in nano) and you are done with this step. Try to log in using user@yourVPSIP and you should be happy to see that no password is required anymore.
Mac
For Mac, things will be similar to Linux as ssh-copy-id should be installed by default.
You can just copy your key to the VPS.
ssh-copy-id user@VPSIP
And you should be all set. Make sure to test that you can log in to the VPS without a password.
Disabling password authentication
So now that you have your SSH key added to your VPS, you can safely disable authentication by passwords.
To do so, log in to your VPS:
ssh user@VPSIP
And now you can edit the sshd_config file:
nano /etc/ssh/sshd_config
Inside this file, use Ctrl+W in nano to search for the line "UsePAM". After you find it, make sure to uncomment it if it is commented and set it to no.
Now search for the line "PasswordAuthentication". Again, uncomment it if it is commented and set it to no.
Now you can just restart the SSHD service:
systemctl restart sshd
Done! You are fully protected against password brute force attacks now. It doesn't matter if you are still using the default SSH port (22) or if someone figures out your password. They can't log in unless they have your id_rsa file :)
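A check for the edited file, as an added example that is not part of the original guide: sshd uses the first uncommented occurrence of each keyword, so a line left commented out or an earlier duplicate keeps password logins enabled. The function names and the sample file are constructed for illustration; Include files and Match blocks are not followed.

```shell
#!/bin/sh
# Added example: which value will sshd actually use for a keyword?
# sshd takes the FIRST uncommented occurrence of each keyword.
# Assumptions: "Keyword value" syntax only; Include files are not followed;
# scanning stops at the first Match block (global section only).

effective_value() {   # usage: effective_value KEYWORD FILE
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/        { next }   # still commented out: ignored by sshd
        tolower($1) == "match"  { exit }   # end of the global section
        tolower($1) == key      { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }  # sshd falls back to its built-in default
    ' "$2"
}

check_hardening() {   # returns 0 only if both settings from this guide are "no"
    status=0
    for kw in PasswordAuthentication UsePAM; do
        val=$(effective_value "$kw" "$1")
        echo "$kw -> $val"
        [ "$val" = "no" ] || status=1
    done
    return "$status"
}

write_sample() {      # constructed sample file, not taken from a real server
    cat > "$1" <<'EOF'
# This is a constructed sshd_config fragment
Port 22
#PasswordAuthentication no
UsePAM no
PasswordAuthentication yes
PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample "$sample"
if check_hardening "$sample"; then
    echo "password logins are disabled"
else
    echo "password logins are still possible: fix the lines above"
fi
rm -f "$sample"
```

On the VPS itself, `sshd -t` validates the file before you restart the service, and `sshd -T` prints the effective settings with any Include files applied.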