Securing Your Linode Compute Module With SSH Keys And Cloud Firewall
Introduction
I have begun using SSH keys for all of the SSHing I do now, after one of my Linodes was hacked. (A huge headache to go through if it is hosting a website like mine.) I now run all of my Linodes with password authentication disabled and use SSH keys to log in. An SSH key is an authentication method based on a key pair that is unique to your computer: instead of checking a password to decide whether it is you, the Linode checks that the computer you are connecting from holds the matching private key. If you frequently use different computers to SSH into your Linode, this is not for you. But if you are like me and only use one or two computers, it is a much more secure option than password authentication.
Creating A Key
On the computer you plan to use most often to SSH into your Linode, make sure you have SSH installed. Then create your key with this command.
ssh-keygen -t ed25519
You will be asked where to save your key. The default location is fine unless you want it somewhere else. Next, add a passphrase if you want. It encrypts the private key on disk, so it acts as a second factor for using the key: someone who copies the file still cannot use it without the passphrase. You will then see output something like this.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\username/.ssh/id_ed25519.
Your public key has been saved in C:\Users\username/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:OIzc1yE7joL2Bzy8!gS0j8eGK7bYaH1FmF3sDuMeSj8 username@LOCAL-HOSTNAME
The key's randomart image is:
+--[ED25519 256]--+
| . |
| o |
| . + + . |
| o B * = . |
| o= B S . |
| .=B O o |
| + =+% o |
| *oo.O.E |
|+.o+=o. . |
+----[SHA256]-----+
The key you need to copy is the public key that was saved to id_ed25519.pub (on Windows, C:\Users\username\.ssh\id_ed25519.pub; on Linux or macOS, ~/.ssh/id_ed25519.pub). It is a single line that starts with ssh-ed25519, followed by a block of base64 text, and ends with the username@LOCAL-HOSTNAME comment. The SHA256 fingerprint printed above only identifies the key; it is not the key itself and will not work if pasted into a server.
This public key lets you SSH into any server it has been added to. It therefore does not have to be kept secret: you would not post it to your social media, but nobody can do anything with it on its own. What you must keep secret is your private key (id_ed25519, without the .pub), which is stored only on your computer.
Adding Your Key To Your Linode/Server
There are a couple different ways to do this. One is through the Linode dashboard, and the other is directly in the terminal.
Linode Dashboard
I will cover this one briefly as it is very easy. In your Linode dashboard, click the down arrow next to your username in the top right corner. Click SSH Keys, then Add An SSH Key. Label it whatever you want, paste your public key (the contents of the .pub file, as shown above) into the bottom box, and click Add Key. The next time you set up a Linode and reach the SSH Keys step, that key will be listed and you can tick its checkbox to have it added to the Linode automatically.
Manually Through CLI
SSH into your Linode/server as you normally would. The first line creates the directory that holds the keys. The second creates the authorized_keys file (if it does not exist yet) and opens it in nano.
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
When the editor opens, paste your public key on its own line, then save and exit (CTRL+X, Y, Enter). Next set the permissions with these commands; sshd refuses to use keys from a directory or file that other users can write to.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Now close your SSH session and reconnect. You should be prompted for your passphrase if you set one when creating the key. After you enter it, you should be in!
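As an added example (not from the post or from Linode), here is a small POSIX shell helper that performs the manual steps above with the checks a hand-edit skips: it refuses input that is not an OpenSSH public-key line (such as the SHA256 fingerprint ssh-keygen prints), avoids adding the same key twice, and sets the permissions sshd requires. The key lines and directory used to exercise it are constructed.

```shell
#!/bin/sh
# Install a public key into authorized_keys with the same directory and
# permission settings as the steps above, plus two checks: reject anything
# that is not an OpenSSH public-key line (for example the SHA256 fingerprint
# ssh-keygen prints), and skip keys that are already present.
# Added example for this post; not Linode's or OpenSSH's code.

# Return 0 if $1 looks like a one-line OpenSSH public key: "<type> <base64> [comment]".
is_openssh_pubkey() {
    set -- $1
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;                       # "SHA256:..." fingerprints fail here
    esac
    case "$2" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;    # key blob must be base64
    esac
    return 0
}

# install_pubkey "<key line>" [ssh dir]   (dir defaults to ~/.ssh)
install_pubkey() {
    key=$1
    dir=${2:-$HOME/.ssh}
    is_openssh_pubkey "$key" || { echo "refusing: not an OpenSSH public key line" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    # The duplicate check compares type and key blob only, so the same key
    # with a different comment is still treated as already installed.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$dir/authorized_keys"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$dir/authorized_keys"
}

# Number of keys currently in authorized_keys (used to check the result).
count_keys() { wc -l < "${1:-$HOME/.ssh}/authorized_keys" | tr -d ' '; }
```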
The Next Step In Security
When my Linode was compromised, it was through a brute force attack. I'm fairly certain they never gained access. Basically, with this type of attack the attacker runs a program that attempts to SSH into your server many times a second using random usernames and passwords in the hope of getting in. My SSH log files were filled with thousands, probably hundreds of thousands, of login attempts. One step in preventing this is setting up SSH keys like we just did and then disabling password authentication. That way only a computer holding the correct SSH key can log in to your server. To disable SSH password authentication, you will need to be SSHed into the server. Run the following commands:
cd /etc/ssh
sudo nano sshd_config
This opens the SSH server config file. Scroll down until you see the PasswordAuthentication yes line. If it is commented out with a leading #, remove the # as well. Change the yes to no. Then hit CTRL+X, Y, and Enter. The change takes effect once the SSH service is restarted (or the Linode is rebooted); keep your current session open and confirm that a fresh key-based login still works before closing it. On distributions that ship an Include /etc/ssh/sshd_config.d/*.conf line at the top of the file, a file in that directory can set PasswordAuthentication yes and override your edit, so check there too. Password auth is then disabled.
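As an added example (not from the post or from OpenSSH), this POSIX shell helper reads an sshd_config the way sshd does (the first occurrence of a directive wins, and Include files are read at the point where the Include line sits) and reports the PasswordAuthentication value actually in effect, so you can confirm the edit above took hold before relying on it. The sample config files are constructed; on a live server the same answer comes from sudo sshd -T | grep -i passwordauthentication.

```shell
#!/bin/sh
# Audit helper: report the PasswordAuthentication value sshd will really use
# for a given sshd_config, honouring two OpenSSH rules a hand-edit can miss:
# the first occurrence of a directive wins, and files pulled in by an Include
# line (normally /etc/ssh/sshd_config.d/*.conf at the top of the file) are
# read at that point, so they override anything edited further down.
# Added example for this post; not Linode's or OpenSSH's code.

# Print active directives as "keyword value" in the order sshd reads them,
# recursing into Include globs (relative patterns resolve under /etc/ssh).
flatten_sshd_config() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                          # split keyword and arguments
        [ $# -eq 0 ] && continue              # blank line
        case "$1" in '#'*) continue ;; esac   # comment, e.g. "#PasswordAuthentication yes"
        if [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = include ]; then
            shift
            for pattern in "$@"; do
                case "$pattern" in /*) ;; *) pattern="/etc/ssh/$pattern" ;; esac
                for inc in $pattern; do
                    if [ -f "$inc" ]; then flatten_sshd_config "$inc"; fi
                done
            done
        else
            printf '%s %s\n' "$1" "$2"
        fi
    done < "$file"
    return 0
}

# effective_password_auth <sshd_config>  -> prints "yes" or "no"
effective_password_auth() {
    val=$(flatten_sshd_config "$1" | while read -r key value; do
        k=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        [ "$k" = match ] && break             # directives after Match are conditional
        if [ "$k" = passwordauthentication ]; then
            printf '%s' "$value" | tr 'A-Z' 'a-z'
            break
        fi
    done)
    printf '%s\n' "${val:-yes}"               # OpenSSH's built-in default is yes
}
```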
Firewalls
Linode has a really nice feature: free Cloud Firewalls. You can easily set one up from your dashboard and attach any Linode to it. This is a brief example of how to set one up.
First open the Firewalls tab.
Next enter a label and choose your Linode and click Create Firewall.
The first step is to change the default inbound and outbound policies to drop all traffic. Then add rules to accept only the traffic you need. For example, to use SSH you will need to allow port 22; for HTTPS port 443, and for HTTP port 80. (Most of the time those are the ports used.) I always leave everything closed and just add a rule when I want to SSH in. (Of course I have ports 443 and 80 open for this website.) In this screenshot you can see that the policies are set to drop incoming connections.
To allow a port, for example port 22 for SSH as I am doing here, just select the preset and click Add Rule at the bottom. Then click Save on the main page to apply your rules.
Done!
You have now taken steps toward the safekeeping of your Linode! There are other things you can do, but this is the baseline. Thanks for reading!
Keep this going please, great job!