Very much a work in progress.

This site is very rough around the edges at the moment but will slowly take shape over time.

I primarily use this as a journal or notebook for some of the projects I'm doing.  The primary goal at the moment is setting up a number of online servers for use with some webhosting and also to try and learn a bit about Linux and server operations as well as having a bit of fun.

This site will be undergoing many changes in the coming period and hopefully will be of some benefit to me and anyone who stumbles upon it.

The most popular way of connecting to servers is generally via SSH using software such as Putty.  Webmin installs the SSH Server as part of its install and performs the basic setup.  Now is the time to improve and secure the original setup of the SSH server and connections.

By default the SSH server uses port 22, which is okay but attracts many automated login attempts, so it's commonly suggested to change the port number to something unique.

This is easily done, especially with Webmin installed:

Log into Webmin and go to Servers -> SSH Server module.

Click on the Networking option:

From this module you can change the port to whatever you like; in this case I set it to 2468.  I also only use SSH v2 so I unchecked SSH v1.

Not shown in this picture, but I normally set the Time to wait for login to 60 seconds just to ensure it is not left open on the login screen.

Once the changes have been made then simply save them, Return to module index and Apply Changes.

The settings adjusted here are stored in the /etc/ssh/sshd_config file (the server configuration, not the client's /etc/ssh/ssh_config), which can also be edited directly from a terminal.

For example:

vi /etc/ssh/sshd_config

Then you can change or add the following lines:

  • Protocol 2
  • Port 2468
  • LoginGraceTime 60

Restart the SSH_Server:

systemctl restart sshd

You can also adjust the config file directly from the Webmin module using the Edit Config Files option.

We need to adjust the firewall to allow access via the new port we configured.

To do this we can go to the Networking -> FirewallD option in Webmin.

This will show a list of current rules set up by default, including a rule for the service SSH.  I deleted that rule and clicked add allowed port:

Simply enter the port number you set, make sure Network protocol is set to TCP and click Create.

Return to list of zones and click the Apply Configuration button.

Again the Webmin interface makes these sorts of adjustments easy, but of course you can use the terminal method to do the same thing:

firewall-cmd --add-port=2468/tcp --permanent
firewall-cmd --reload

Set up SSH keys

To further strengthen security I'm going to set up SSH keys for server login rather than rely simply on username and passwords.  

First thing is I need to go into the Servers -> SSH Server module and click into the User SSH Key Setup.

ssh-keygen -t rsa

These settings will create keys for new users and set the type to rsa.  

For the current user I'll need to manually create a key.

To do this, log into the server and use:

ssh-keygen -t rsa

By default this will create 2 files in the .ssh directory in the user's home folder, or in the root folder if the key is being created for the root user.

We need to change the permissions on this folder and files as well.

Using the file manager in Webmin, change the permissions of the .ssh folder to 0700 and of the key files to 0644, and rename the public key (id_rsa.pub) to authorized_keys.

Download the private key and this will be used on our client system. I download both keys and store them in a secure place. The authorized_keys file is the only file that should be left on the server.

I use Putty as my client SSH on Windows and Linux and so need to download the private key and convert before I can use it.  It may be different for other SSH clients but Putty requires the key file to be in its format.

To do this I download the private key, in this case it's called id_rsa.  I then need to run this through the PuttyGen command to convert it.

In Windows I simply load the PuttyGen program, import the key and Save private key.  This converts and saves the key in a ppk file that Putty can use.

Then I load that into my SSH->Auth options in Putty for the server settings file and save that. 

Basically:

Generate the keys with ssh-keygen. 

Rename the public file to authorized_keys and set permissions to 0644 in the .ssh directory.  This will be in the user home directory or root directory if it's for the root user.

Download the private key file and convert that in Putty to use in Putty, or whatever SSH client you use.
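The server-side steps summarised above can also be done from a terminal. This is an added example, not part of the original post: the function names install_pubkey and check_ssh_dir, the sample key line and the temporary directory are assumptions made for illustration. It keeps the modes used on this page (0700 and 0644), appends the public key instead of renaming it, and reports anything other than authorized_keys left in .ssh.

```shell
#!/bin/sh
# Added example: terminal equivalent of the file-manager steps on this page.

# install_pubkey HOME_DIR PUBKEY_FILE
# Appends instead of renaming, so keys already authorised are kept and
# running it twice does not duplicate the line.
install_pubkey() {
    ssh_dir="$1/.ssh"; auth="$ssh_dir/authorized_keys"
    if grep -q 'PRIVATE KEY' "$2"; then
        echo "refusing: $2 looks like a private key" >&2
        return 1
    fi
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" && touch "$auth" || return 1
    # -x whole line, -F fixed string: exact match on the key line
    grep -qxF -- "$(cat "$2")" "$auth" || cat "$2" >> "$auth"
    chmod 644 "$auth"
}

# check_ssh_dir HOME_DIR
# Prints one line per problem and returns non-zero if there were any.
check_ssh_dir() {
    ssh_dir="$1/.ssh"; bad=0
    [ -n "$(find "$ssh_dir" -prune -perm 700)" ] ||
        { echo "$ssh_dir is not mode 0700"; bad=1; }
    [ -n "$(find "$ssh_dir/authorized_keys" -prune -perm 644)" ] ||
        { echo "authorized_keys is not mode 0644"; bad=1; }
    for f in "$ssh_dir"/*; do
        case ${f##*/} in
            authorized_keys|'*') ;;          # expected file, or empty glob
            *) echo "left on server: $f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Demo in a throw-away directory standing in for the user's home.
home=$(mktemp -d)
# Constructed, non-functional key line; "user@henry" is a made-up comment.
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDEXAMPLE user@henry' > "$home/id_rsa.pub"
install_pubkey "$home" "$home/id_rsa.pub"
install_pubkey "$home" "$home/id_rsa.pub"      # second run is a no-op
check_ssh_dir "$home" && echo "ok: .ssh contains only authorized_keys"
rm -rf "$home"
```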

The final step I do is to change a final setting in the SSH_Server module.

In Servers -> SSH_Server -> Authentication, I change Allow authentication by password? to No.

Save that and Apply Changes.

I then verified I can log in via Putty etc.  This prevents anyone trying to hack in via SSH using usernames and passwords.
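A quick way to confirm that the port, login grace time and password settings from this page are the ones sshd will actually use. This is an added example, not from the original post; the function names and the sample file are assumptions. It reads the file the way sshd does: for most keywords the first occurrence wins, while every Port line is opened.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings changed on this page.

# sshd_values FILE KEYWORD: every value of KEYWORD in the global section,
# in file order. Keywords are case-insensitive; Match blocks are skipped.
sshd_values() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }          # comment line
        { key = tolower($1) }
        key == "match" { exit }      # conditional overrides start here
        key == want { print $2 }
    ' "$1"
}

# For most keywords sshd uses the FIRST value it reads, so a line appended
# below an earlier uncommented one has no effect.
sshd_first() { sshd_values "$1" "$2" | head -n 1; }

# audit_sshd FILE PORT: return 0 only if FILE matches the page's hardening.
audit_sshd() {
    rc=0
    ports=$(sshd_values "$1" Port | xargs)   # Port may repeat: all are opened
    pw=$(sshd_first "$1" PasswordAuthentication)
    grace=$(sshd_first "$1" LoginGraceTime)
    # Unset keywords fall back to the OpenSSH defaults (22, yes, 120).
    [ "${ports:-22}" = "$2" ] ||
        { echo "FAIL Port: ${ports:-22} (expected only $2)"; rc=1; }
    [ "${pw:-yes}" = no ] ||
        { echo "FAIL PasswordAuthentication: ${pw:-yes}"; rc=1; }
    case ${grace:-120} in
        60|60s|1m) ;;
        *) echo "FAIL LoginGraceTime: ${grace:-120}"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: new lines were added but the stock ones were left in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
Port 2468
LoginGraceTime 60
PasswordAuthentication yes
PasswordAuthentication no
EOF
audit_sshd "$sample" 2468 || echo "sshd_config needs attention"
rm -f "$sample"
```

Run against the real file as `audit_sshd /etc/ssh/sshd_config 2468`; files pulled in through an Include directive are not followed.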

On Ivan, the second server, I simply created a directory in the root directory called .ssh and gave it permissions of 0700.

I then copied the authorized_keys file from henry to ivan.  This allows me to use the same keys for both servers.

Whether this is the best way I am not sure and will do some further research into this, but it works for me.