md/ssh_server/README.md

# SSH Server 
Walkthrough of setting up and securing SSH Server.

## Table of Contents
- [Step 1 - Upgrading the Server](#step-1---upgrading-the-server)
- [Step 2 - Creating a new User](#step-2---creating-a-new-user)
- [Step 3 - Removing Root Login](#step-3---removing-root-login)
- [Step 4 - Recommended - SSH Keys](#step-4---ssh-keys)
- [Step 5 - Copying The Public Key to the Sever](#step-5---copying-the-public-key-to-the-server)
- [Step 6 - Disabling Password Authentication](#step-6---disabling-password-authentication)
- [Step 7 - Setting up UFW](#step-7---setting-up-ufw)
- [Step 8 - Setting up Fail2ban](#step-8---setting-up-fail2ban)
- [Resources/Credits](#resources)


### Step 1 - Upgrading the Server.
First thing we should do is update and upgrade. 

`sudo apt update`<br>
`sudo apt upgrade`<br>
`sudo apt autoremove`<br>

### Step 2 - Creating A New User.
Now we need to create a user so we can login via ssh. 

`sudo useradd -m newusername`<br>
`sudo passwd newusername`<br>

### Step 3 - Removing Root Login.
Next we should remove root login. 

`sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config`<br>
`sudo systemctl restart sshd`<br>

### Step 4 - Creating SSH Keys

While this step is optional it is highly recommended. If you skip this step, you must set-up fail2ban as per step 7. Here, the first goal is to create a key pair on the client machine, usually your computer.

`ssh-keygen`

Enter to save the key pair into the .ssh/ subdirectory in your home directory, or specify an alternate path. After you optionally may enter a secure passphrase, which is highly recommended. A passphrase adds an additional layer of security to prevent unauthorized users from logging in. 

### Step 5 - Copying the Public Key to the Server.
The quickest way to copy your public key to the server is to use a utility called ssh-copy-id. 

`ssh-copy-id username@remote_host`

If you don't have ssh-copy-id you can use cat and ssh to manually copy it.

`cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys`

### Step 6 - Disabling Password Authentication 
Now with a non-root user and ssh keys we can finally disable password authentication for our ssh server.

`sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config`<br>
`sudo systemctl restart sshd`

### Step 7 - Setting up UFW
Install UFW, by default there are no rules set. We should allow SSH to prevent locking ourselves out.<br>
`sudo apt install ufw`<br>
`sudo ufw allow ssh`<br>

After confirming your have a rule to allow incoming SSH connections, you can enable the firewall with:<br>
`sudo ufw enable`<br>

### Step 8 - Setting up Fail2ban 
If you didn't follow step 4, the next step is a must to prevent brute force password attacks on your server.

`sudo apt install fail2ban`

With fail2ban installed we should now set up our jail before we turn the service on. There are two jails, on gets updated by fail2ban, and the other (/etc/fail2ban/jail.local) is the one we configure.

[Here is an example SSH-Fail2ban Jail](./resources/jail.local)<br>
With our jail in place we can now enable fail2ban as service so it will run on startup.<br>
`sudo systemctl enable fail2ban.service`<br>
`sudo systemctl start fail2ban.service`<br>
`sudo systemctl status fail2ban.service`<br>


### Resources
I found these resources helpful.<br>
[Digital Ocean - SSH Essentials](./resources/DigitalOcean_SSH_Essentials.md)<br>
[Digital Ocean - SSH Keys](./resources/DigitalOcean_SSH_Keys.md)<br>
[Github - SSH Agent](./resources/Github_SSH_Agent.md)<br>
[Setting up UFW](./resources/UFW_Setup.md)
added ssh guide 2024-11-03 22:06:31 +00:00			`# SSH Server`
			`Walkthrough of setting up and securing SSH Server.`

			`## Table of Contents`
			`- [Step 1 - Upgrading the Server](#step-1---upgrading-the-server)`
			`- [Step 2 - Creating a new User](#step-2---creating-a-new-user)`
			`- [Step 3 - Removing Root Login](#step-3---removing-root-login)`
			`- [Step 4 - Recommended - SSH Keys](#step-4---ssh-keys)`
			`- [Step 5 - Copying The Public Key to the Sever](#step-5---copying-the-public-key-to-the-server)`
			`- [Step 6 - Disabling Password Authentication](#step-6---disabling-password-authentication)`
			`- [Step 7 - Setting up UFW](#step-7---setting-up-ufw)`
			`- [Step 8 - Setting up Fail2ban](#step-8---setting-up-fail2ban)`
			`- [Resources/Credits](#resources)`


			`### Step 1 - Upgrading the Server.`
			`First thing we should do is update and upgrade.`

			`sudo apt update`<br>
			`sudo apt upgrade`<br>
			`sudo apt autoremove`<br>

			`### Step 2 - Creating A New User.`
			`Now we need to create a user so we can login via ssh.`

			`sudo useradd -m newusername`<br>
			`sudo passwd newusername`<br>

			`### Step 3 - Removing Root Login.`
			`Next we should remove root login.`

			`sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config`<br>
			`sudo systemctl restart sshd`<br>

			`### Step 4 - Creating SSH Keys`

			`While this step is optional it is highly recommended. If you skip this step, you must set-up fail2ban as per step 7. Here, the first goal is to create a key pair on the client machine, usually your computer.`

			`ssh-keygen`

			`Enter to save the key pair into the .ssh/ subdirectory in your home directory, or specify an alternate path. After you optionally may enter a secure passphrase, which is highly recommended. A passphrase adds an additional layer of security to prevent unauthorized users from logging in.`

			`### Step 5 - Copying the Public Key to the Server.`
			`The quickest way to copy your public key to the server is to use a utility called ssh-copy-id.`

			`ssh-copy-id username@remote_host`

			`If you don't have ssh-copy-id you can use cat and ssh to manually copy it.`

			`cat ~/.ssh/id_rsa.pub \| ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys`

			`### Step 6 - Disabling Password Authentication`
			`Now with a non-root user and ssh keys we can finally disable password authentication for our ssh server.`

			`sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config`<br>
			`sudo systemctl restart sshd`

			`### Step 7 - Setting up UFW`
			`Install UFW, by default there are no rules set. We should allow SSH to prevent locking ourselves out.<br>`
			`sudo apt install ufw`<br>
			`sudo ufw allow ssh`<br>

			`After confirming your have a rule to allow incoming SSH connections, you can enable the firewall with:<br>`
			`sudo ufw enable`<br>

			`### Step 8 - Setting up Fail2ban`
			`If you didn't follow step 4, the next step is a must to prevent brute force password attacks on your server.`

			`sudo apt install fail2ban`

			`With fail2ban installed we should now set up our jail before we turn the service on. There are two jails, on gets updated by fail2ban, and the other (/etc/fail2ban/jail.local) is the one we configure.`

			`[Here is an example SSH-Fail2ban Jail](./resources/jail.local)<br>`
			`With our jail in place we can now enable fail2ban as service so it will run on startup.<br>`
			`sudo systemctl enable fail2ban.service`<br>
			`sudo systemctl start fail2ban.service`<br>
			`sudo systemctl status fail2ban.service`<br>


			`### Resources`
			`I found these resources helpful.<br>`
			`[Digital Ocean - SSH Essentials](./resources/DigitalOcean_SSH_Essentials.md)<br>`
			`[Digital Ocean - SSH Keys](./resources/DigitalOcean_SSH_Keys.md)<br>`
			`[Github - SSH Agent](./resources/Github_SSH_Agent.md)<br>`
			`[Setting up UFW](./resources/UFW_Setup.md)`