SSH Key Security: ed25519, no passwords, and fail2ban
TL;DR
To secure your SSH access on Debian 13, follow these key steps:
Generate ed25519 SSH Keys: Use the ed25519 algorithm for stronger security. Avoid using passwords for your SSH keys to streamline access.
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N "" # Generate key without a passphrase
Deploy Your Public Key: Copy your public key to the server’s authorized keys.
ssh-copy-id user@your-server-ip # Replace 'user' and 'your-server-ip' accordingly
Configure SSH Daemon: Edit the SSH configuration file to enhance security.
sudo nano /etc/ssh/sshd_config
Ensure the following settings are in place:
PermitRootLogin no # Disable root login
PasswordAuthentication no # Disable password authentication
PubkeyAuthentication yes # Enable public key authentication
After editing, restart the SSH service:
sudo systemctl restart ssh # Apply changes
Install and Configure Fail2Ban: Protect against brute-force attacks by installing Fail2Ban.
sudo apt update && sudo apt install fail2ban # Install Fail2Ban
Create a local configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # Copy default config
sudo nano /etc/fail2ban/jail.local # Edit local config
Enable the SSH jail by ensuring the following lines are set:
[sshd]
enabled = true
Start and enable Fail2Ban:
sudo systemctl start fail2ban # Start Fail2ban service
sudo systemctl enable fail2ban # Enable on boot
Regularly Monitor Logs: Check logs for any suspicious activity.
sudo tail -f /var/log/auth.log # Monitor authentication logs
By following these steps, you can significantly enhance the security of your SSH access on Debian 13.
Understanding SSH Key Types
SSH (Secure Shell) keys are a critical component of secure remote access to your Debian 13 server. Understanding the different types of SSH keys is essential for choosing the right one for your security needs. The most commonly used key types are RSA, DSA, ECDSA, and Ed25519.
RSA: RSA keys have been a standard for many years. They can be generated with various key sizes, but a minimum of 2048 bits is recommended for security. However, larger keys can lead to slower performance.
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa # Generate a 2048-bit RSA key
DSA: DSA keys are less commonly used today and are limited to a maximum of 1024 bits, which is considered insecure. It is advisable to avoid DSA keys entirely.
ECDSA: ECDSA (Elliptic Curve Digital Signature Algorithm) keys offer better security with shorter key lengths. A 256-bit ECDSA key is generally considered secure.
ssh-keygen -t ecdsa -b 256 -f ~/.ssh/id_ecdsa # Generate a 256-bit ECDSA key
Ed25519: Ed25519 is a modern key type that provides high security with excellent performance. It is recommended for most users due to its resistance to various attacks and smaller key sizes.
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 # Generate an Ed25519 key
Caution: Always use a secure passphrase for your SSH keys unless you are using them in an automated environment where a passphrase would hinder functionality. If you choose to use keys without a passphrase, ensure that your private key is stored securely and has the correct permissions.
chmod 600 ~/.ssh/id_ed25519 # Set permissions to read/write for the user only
By selecting the appropriate key type and following best practices, you can significantly enhance the security of your SSH connections on Debian 13.
Generating and Deploying ed25519 SSH Keys
To generate and deploy ed25519 SSH keys on your Debian 13 server, follow these steps:
Generate the SSH Key Pair: Use the ssh-keygen command to create a new ed25519 key pair. This key type is recommended for its security and performance.
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N "" # Generate ed25519 key without a passphrase
-t ed25519: Specifies the key type.
-f ~/.ssh/id_ed25519: Sets the file name for the key.
-N "": Sets an empty passphrase, i.e. no passphrase for the key.
Caution: While using a key without a passphrase simplifies automation, it reduces security. Ensure that your private key file is stored securely and that access is restricted.
Set Permissions: After generating the keys, set the appropriate permissions to protect your private key.
chmod 700 ~/.ssh # Ensure the .ssh directory is only accessible by the user
chmod 600 ~/.ssh/id_ed25519 # Restrict access to the private key
Deploy the Public Key: Copy the public key to the server you wish to access. Use ssh-copy-id for convenience.
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote-server # Replace 'user' and 'remote-server' accordingly
This command appends your public key to the ~/.ssh/authorized_keys file on the remote server.
Verify SSH Access: Test your SSH access to ensure that the key-based authentication works as expected.
ssh -i ~/.ssh/id_ed25519 user@remote-server # Connect using the private key
Disable Password Authentication: For enhanced security, consider disabling password authentication in the SSH configuration file.
sudo nano /etc/ssh/sshd_config # Edit the SSH configuration
Change or add the following line:
PasswordAuthentication no # Disable password authentication
After making changes, restart the SSH service:
sudo systemctl restart ssh # Apply the changes
By following these steps, you will have securely generated and deployed ed25519 SSH keys on your Debian 13 server.
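The key-type policy from the previous section can be checked mechanically against the keys that ssh-copy-id has accumulated in a server's authorized_keys file. This is an added example, not code from the original post: it decodes each key blob using the SSH wire format and reads the RSA modulus size from the blob itself rather than trusting the comment field; the sample keys it builds are constructed and not usable.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # policy from the key-type discussion above

def _wire(data: bytes) -> bytes:  # SSH string: uint32 length + bytes
    return struct.pack(">I", len(data)) + data

def _read(blob: bytes, pos: int):  # decode the wire string at pos -> (bytes, next_pos)
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def classify_key(line: str) -> tuple[str, str]:
    """Verdict ('ok', 'weak', 'reject', 'unknown') and detail for one
    authorized_keys line; sizes are read from the key blob, not the comment."""
    fields = line.split()
    if len(fields) < 2 or fields[0].startswith("#"):
        return "unknown", "not a key line"
    try:
        blob = base64.b64decode(fields[1], validate=True)
        wire_type, pos = _read(blob, 0)
    except (ValueError, struct.error):
        return "reject", "undecodable key blob"
    ktype = fields[0]
    if wire_type != ktype.encode():
        return "reject", "type field does not match key blob"
    if ktype == "ssh-dss":
        return "reject", "DSA is capped at 1024 bits and is obsolete"
    if ktype == "ssh-rsa":
        _e, pos = _read(blob, pos)  # public exponent first, then the modulus
        bits = int.from_bytes(_read(blob, pos)[0], "big").bit_length()
        return ("ok" if bits >= MIN_RSA_BITS else "weak"), f"RSA {bits} bits"
    if ktype.startswith("ecdsa-sha2-nistp"):
        return "ok", f"ECDSA on {_read(blob, pos)[0].decode()}"
    if ktype == "ssh-ed25519":
        return "ok", "Ed25519"
    return "unknown", f"unrecognised key type {ktype}"

# Constructed sample keys (valid structure, meaningless values, not usable); the leading 0x00 keeps the mpint positive.
_SAMPLES = {
    "ed25519": ("ssh-ed25519", [_wire(b"\x01" * 32)]),
    "rsa1024": ("ssh-rsa", [_wire(b"\x01\x00\x01"), _wire(b"\x00\x80" + bytes(127))]),
    "rsa2048": ("ssh-rsa", [_wire(b"\x01\x00\x01"), _wire(b"\x00\x80" + bytes(255))]),
    "dsa": ("ssh-dss", [_wire(b"\x03")] * 4),
}

def sample_line(name: str) -> str:  # one authorized_keys line from _SAMPLES
    ktype, parts = _SAMPLES[name]
    blob = _wire(ktype.encode()) + b"".join(parts)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed@example"
```

Run classify_key over each line of ~/.ssh/authorized_keys; ssh-keygen -l -f on that file prints the same size and fingerprint information for comparison.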
Disabling Password Authentication
To enhance the security of your SSH server, it is advisable to disable password authentication entirely. This ensures that only users with valid SSH keys can access the server, significantly reducing the risk of brute-force attacks.
First, you need to edit the SSH configuration file. Open the file using your preferred text editor:
sudo nano /etc/ssh/sshd_config # Open the SSH configuration file
Locate the following lines in the configuration file:
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Uncomment these lines and change their values to no:
PasswordAuthentication no # Disable password authentication
ChallengeResponseAuthentication no # Disable challenge-response authentication
This configuration ensures that SSH will not accept password-based logins. After making these changes, save and exit the editor (in nano, press CTRL + X, then Y, and Enter).
Next, it is crucial to restart the SSH service for the changes to take effect:
sudo systemctl restart ssh # Restart the SSH service
Caution: Before disabling password authentication, ensure that you have successfully set up SSH key authentication and can access the server using your SSH key. If you disable password authentication without having a working SSH key, you may lock yourself out of the server.
To further enhance security, consider setting the following options in the same configuration file:
PermitRootLogin no # Disable root login via SSH
UsePAM no # Disable Pluggable Authentication Modules
These additional settings help to secure your server further by preventing root access and unnecessary authentication methods. After making these changes, remember to restart the SSH service again.
Installing and Configuring Fail2ban
To install and configure Fail2ban on your Debian 13 server, follow these steps:
Install Fail2ban: Begin by updating your package list and installing Fail2ban.
sudo apt update # Update package list
sudo apt install fail2ban # Install Fail2ban
Configure Fail2ban: Create a local configuration file to override the default settings without modifying the original configuration.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # Copy default config
Open the new configuration file in your preferred text editor:
sudo nano /etc/fail2ban/jail.local # Edit the local config
In this file, enable the SSH jail by ensuring the following lines are present and uncommented:
[sshd]
enabled = true # Enable SSH protection
port = ssh # Use the default SSH port (22)
filter = sshd # Use the SSH filter
logpath = /var/log/auth.log # Path to the log file
maxretry = 5 # Number of allowed retries before banning
bantime = 1h # Duration of the ban (1 hour)
Caution: Adjust maxretry and bantime according to your security needs. Setting maxretry too low may lead to false positives.
Start and Enable Fail2ban: After configuring, start the Fail2ban service and enable it to run on boot.
sudo systemctl start fail2ban # Start Fail2ban service
sudo systemctl enable fail2ban # Enable Fail2ban on boot
Check Fail2ban Status: Verify that Fail2ban is running and check the status of the SSH jail.
sudo systemctl status fail2ban # Check Fail2ban service status
sudo fail2ban-client status sshd # Check status of the SSH jail
By following these steps, you will have successfully installed and configured Fail2ban to enhance the security of your SSH service on Debian 13.
Verification
To ensure that your SSH key setup is functioning correctly and securely, follow these verification steps:
Check SSH Key Authentication: First, confirm that your SSH key is being used for authentication. Attempt to connect to your server using SSH with verbose output to see the authentication process.
ssh -v user@your_server_ip
Look for lines indicating that your public key is being offered and accepted. If you see “Offering public key” and “Authentication succeeded,” your key is working correctly.
Verify SSH Configuration: Ensure that your SSH daemon is configured to use the correct settings. Check the /etc/ssh/sshd_config file for the following parameters:
sudo grep -E 'PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication' /etc/ssh/sshd_config
You should see:
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
If any of these settings are incorrect, edit the file and restart the SSH service:
sudo systemctl restart ssh
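The grep above only looks at /etc/ssh/sshd_config, but Debian 13's file begins with Include /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it meets for each keyword, so a drop-in can silently override the settings from the "Disabling Password Authentication" section. Added example, not the page's or OpenSSH's own code: it resolves the winning value of each directive across Include files and flags any that differ from the hardened settings; the directory tree built in demo() is constructed.

```python
import glob
import re
import tempfile
from pathlib import Path

WANTED = {"pubkeyauthentication": "yes", "passwordauthentication": "no",
          "kbdinteractiveauthentication": "no", "permitrootlogin": "no"}
DEFAULTS = {  # sshd's built-in values when a keyword is never set
    "pubkeyauthentication": "yes", "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes", "permitrootlogin": "prohibit-password"}
# ChallengeResponseAuthentication is a deprecated alias in current OpenSSH
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
_DIRECTIVE = re.compile(r"(\S+?)(?:\s+|\s*=\s*)(.*)")  # 'Key value' or 'Key=value'

def _directives(path: str, base: str):
    """Yield (keyword, value) in sshd's parsing order, expanding Include in place.
    Simplification: a Match line ends the file, since Match blocks are conditional."""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            m = _DIRECTIVE.match(raw.strip())
            if not m or m[1].startswith("#"):
                continue
            key = ALIASES.get(m[1].lower(), m[1].lower())
            value = m[2].split("#", 1)[0].strip()  # drop a trailing comment
            if key == "match":
                return
            if key == "include":  # relative patterns resolve against base here
                for pat in value.split():
                    for inc in sorted(glob.glob(str(Path(base, pat)))):
                        yield from _directives(inc, base)
                continue
            yield key, value

def audit(path: str) -> list[str]:  # directives whose winning value differs from WANTED
    eff = {}
    for key, value in _directives(path, str(Path(path).parent)):
        eff.setdefault(key, value)  # the FIRST occurrence wins; later ones are ignored
    return [f"{k}: want {v}, effective {eff.get(k, DEFAULTS[k])}"
            for k, v in WANTED.items() if eff.get(k, DEFAULTS[k]).lower() != v]

def demo() -> list[str]:
    """Constructed Debian-13-style tree: main file says no, earlier drop-in says yes."""
    root = Path(tempfile.mkdtemp())
    (root / "sshd_config.d").mkdir()
    (root / "sshd_config.d" / "50-image.conf").write_text("PasswordAuthentication yes\n")
    (root / "sshd_config").write_text(
        f"Include {root}/sshd_config.d/*.conf\nPermitRootLogin no\n"
        "PasswordAuthentication no\nChallengeResponseAuthentication no\n"
        "PubkeyAuthentication yes\nMatch User backup\nPasswordAuthentication yes\n")
    return audit(str(root / "sshd_config"))
```

sudo sshd -T (add -C user=NAME to see a Match block's values) prints the configuration sshd itself computed and remains the authoritative check. UsePAM is deliberately not audited here: Debian's sshd relies on PAM for account and session handling, and with PasswordAuthentication and KbdInteractiveAuthentication both set to no, PAM performs no password authentication.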
Test Fail2ban Functionality: To verify that Fail2ban is actively protecting your SSH service, check its status:
sudo fail2ban-client status sshd
This command will show you the number of currently banned IPs and the jail status. Ensure that it is running and actively monitoring.
Review Logs for Unauthorized Access Attempts: Regularly check your SSH logs for any unauthorized access attempts. Use the following command to view the last 100 entries:
sudo tail -n 100 /var/log/auth.log | grep sshd
Look for any failed login attempts or suspicious activity. If you find any, consider adjusting your Fail2ban settings or adding additional security measures.
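Whether the failed attempts found in a log review like this one would actually trigger a ban depends on the maxretry and bantime values from the Fail2ban section together with the findtime window they operate in (fail2ban's default findtime is 10 minutes). Added example, not fail2ban's own filter code: it replays constructed auth.log lines through that logic and shows that five failures spread over twenty minutes never trip a 10-minute window, which is why a low-and-slow source is not stopped by maxretry alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One failure line per attempt, in the traditional syslog format found in
# /var/log/auth.log (no year); journalctl output is formatted differently.
_FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed \S+ for (?:invalid user )?\S+ from (\S+) port")

def find_bans(lines, maxretry=5, findtime=600, bantime=3600):
    """Emulate the sshd jail: a source that reaches maxretry failures within
    findtime seconds is banned for bantime seconds. Returns {ip: ban_expiry}."""
    recent = defaultdict(deque)  # per-source failure times inside the window
    bans = {}
    for line in lines:
        m = _FAILED.match(line)
        if not m:
            continue
        when, ip = datetime.strptime(m[1], "%b %d %H:%M:%S"), m[2]
        if ip in bans and when < bans[ip]:
            continue  # still banned: the firewall drops this traffic
        window = recent[ip]
        window.append(when)
        while when - window[0] > timedelta(seconds=findtime):
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans[ip] = when + timedelta(seconds=bantime)
            window.clear()
    return bans

# Constructed sample of what 'tail /var/log/auth.log | grep sshd' might show.
SAMPLE_LOG = """\
Mar 10 08:00:01 debian sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 08:00:05 debian sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 08:00:09 debian sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 10 08:00:14 debian sshd[1207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 08:00:20 debian sshd[1209]: Failed password for deploy from 203.0.113.5 port 51242 ssh2
Mar 10 08:00:30 debian sshd[1211]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2: ED25519 SHA256:constructed
Mar 10 08:01:00 debian sshd[1213]: Failed password for deploy from 198.51.100.7 port 50002 ssh2
Mar 10 08:02:00 debian sshd[1215]: Failed password for deploy from 198.51.100.7 port 50004 ssh2
Mar 10 08:05:00 debian sshd[1217]: Failed password for root from 192.0.2.9 port 40000 ssh2
Mar 10 08:10:00 debian sshd[1219]: Failed password for root from 192.0.2.9 port 40002 ssh2
Mar 10 08:15:00 debian sshd[1221]: Failed password for root from 192.0.2.9 port 40004 ssh2
Mar 10 08:20:00 debian sshd[1223]: Failed password for root from 192.0.2.9 port 40006 ssh2
Mar 10 08:25:00 debian sshd[1225]: Failed password for root from 192.0.2.9 port 40008 ssh2
"""

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} until {until:%H:%M:%S}")
```

On Debian 12 and later rsyslog is not installed by default, so /var/log/auth.log may not exist; journalctl -u ssh shows the same sshd messages (with a different timestamp format), and the jail can read the journal with backend = systemd.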
By following these verification steps, you can ensure that your SSH key setup is secure and functioning as intended. Always maintain regular checks to stay ahead of potential threats.