Use Key-Based SSH Authentication

Password-based authentication is a weak point in server security because passwords can be guessed, stolen, or brute-forced. SSH key pairs provide a much stronger authentication method by using a public-private key system, making it significantly harder for attackers to gain access.

With SSH keys, your server only accepts logins from trusted devices that have the correct private key, eliminating reliance on passwords.

How to Set Up Key-Based Authentication

1. Generate an SSH key on your local machine:

   ssh-keygen -t rsa -b 4096

   • This command creates a public-private key pair for secure authentication.

   • By default, the keys are stored in ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).

2. Copy your public key to the server:

   ssh-copy-id username@server_ip

   • This transfers your public key to the server, enabling passwordless authentication.

   • If ssh-copy-id is unavailable, manually copy the key:

     cat ~/.ssh/id_rsa.pub | ssh username@server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

3. Disable password-based authentication (optional but recommended):

   • Open the SSH configuration file:

     sudo nano /etc/ssh/sshd_config

   • Locate the line:

     PasswordAuthentication yes

   • Change it to:

     PasswordAuthentication no

   • Save and close the file.

4. Restart the SSH service to apply changes:

   sudo systemctl restart sshd

Best Practices for SSH Security:

✅ Protect your private key (~/.ssh/id_rsa) by keeping it secure and never sharing it.
✅ Use a passphrase when generating SSH keys to add an extra layer of security.
✅ Restrict SSH access by allowing only specific users or IP addresses in /etc/ssh/sshd_config.
✅ Change the default SSH port to make attacks less likely (e.g., use port 2222 instead of 22).

By enabling SSH key authentication and disabling password logins, you drastically improve server security, making unauthorized access nearly impossible.