In the previous post: https://steemit.com/it/@lynor/raspberry-pi-server-part-0-setup-and-ssh-access
a rasperry has been set-up and prepared for easy ssh access using a password.
Now imagine if we open up this raspberry to the wide world. Anybody could connect to it and just try out as many passwords as they please until they find a way to login and take over our nice little project.
For this reason we will generate our own ssh-keys, deactivate password login so only users with authorized keys can login, and setup fail2ban, a small service which keeps track of who is trying to login to our system and blocks connections made from IP-addresses which fail too many times
Let's get started!
Configure SSH-only access
Setup SSH Keys
The steps to take are described perfectly well on this page:
https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/
Still, I will describe them here once more just in case the website disappears some day.
start your git bash (or any other terminal that you will use), and let us use the ssh-keygen
command to generate a private and public key pair which we will use for later access.
type:
ssh-keygen -t rsa -b 4096 -C "<your_comment>"
you can replace <your_comment> with anything, it is just a comment that should helpyou identify your ssh public key if it is copied into the same file with many other ssh public keys.
4096 rsa key size encryption has become popular lately, but you can use other sizes as well. an interesting short article about that can be found here: https://blog.josefsson.org/2016/11/03/why-i-dont-use-2048-or-4096-rsa-key-sizes/
Eventually you will be asked where to save the files, just press enter to save it in your .ssh/ folder in your home directory.
Finally, you will be asked to give a password for the ssh private key file. This is just a password which enables you to use the private key file in case it gets stolen.
When all is done you should get a randomart image of your key:
Just click enter, and you can jump into the folder with your ssh keys with
cd ~/.ssh
and check the files:
ls
You should see an id_rsa and id_rsa.pub
Now, you have to add this key to the authorized_keys file on your raspberry, so your raspberry will recognize you, when you try to login based on your ssh key.
There are several ways to do it, an easy way would be option 1:
ssh-copy-id [email protected]
This will copy your public key onto the server.
Option 2: I like to do it like this, even though it might seem more complicated:
cat ~/.ssh/id_rsa.pub | ssh [email protected] 'cat >> .ssh/authorized_keys'
This means that:
- The content of your public key (cat ~/.ssh/id_rsa.pub)
- will be taken (|)
- and after login to your raspberry (ssh [email protected])
- a command will be executed to append the that content to the end of your authorized_keys file ('cat >> .ssh/authorized_keys')
Now if we ssh to the server, only the password (if any was set) for the public key is asked, but not the passphrase for the user pi.
so let's check that file:
startup yout terminal or git bash (or cygwin or ...) and ssh into your raspberry
ssh pi@<ip-address>
replace <ip-address>
with your raspberry pi's ip address. In my case it was: 192.168.0.136
Now output the content of the authorized_keys file with
cat ~/.ssh/authorized_keys
At the end of the public key you should find your comment which you added when generating the ssh keys.
Congrats, now you have configured ssh-access via public and private keys.
Now let us deactivate the password login, to make sure that really only you, with the only real private key, can login to your raspberry.
deactivate password login
For this, we have to edit a config file of the ssh daemon.
There are mainly two editors available, nano and vi. for now let us use the nano editor because it is simpler.
To open the config file type:
sudo nano /etc/ssh/sshd_config
In this file there is an entry with
#PasswordAuthentication yes
change it to
#PasswordAuthentication no
and press CTRL-X and ENTER to save and close the editor.
Now nobody can login as the user pi anymore, except they have one of the right keys inserted in the authorized_keys file
there is more info about configuring ssh on http://raspi.tv/2012/how-to-set-up-keys-and-disable-password-login-for-ssh-on-your-raspberry-pi
after all is set, restart the ssh daemon with:
sudo /etc/init.d/ssh restart
Or simply restart the raspberry with
sudo reboot
In both cases you will have to reconnect with the raspberry,
fail2ban
There is a very nice blog post which lays out all the necessary steps:
http://kamilslab.com/2016/12/11/how-to-install-fail2ban-on-the-raspberry-pi/
As before, I will describe all the steps once more on this page:
install fail2ban
sudo apt-get update
sudo apt-get install fail2ban
configure fail2ban
I have a slightly changed configuration file than suggested on the website
start editing your local fail2ban config file with:
sudo nano /etc/fail2ban/jail.local
[ssh]
sudo nano /etc/fail2ban/jail.local
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = -1
banaction = iptables-allports
findtime = 86400
maxretry = 3
usedns = warn
Explanations:
- logpath: this path is important because we will watch the changes of this file. It shows us all authorized uses of command and login attempts on the rapsberry.
- bantime = -1
this means the after exceed the maximum limit of failed login attempts, and IP address is banned forever. - findtime = 86400
- maxretry = 3
Over a period of 24 hours, at most 3 login attempts are allowed to fail before permanently banning an IP address.
After setting the config fail, restart fail2ban
sudo service fail2ban restart
From now on the lgoin attempts are watched on.
If all went fine, this is generally a good start for a safe setup.
In general, now the port 22 can be opener on your router, with port forwarding (in my case port:22) directly to your raspberry.
Next time we will setup our terminal tool: tmux
Thank you!
Cheers!
It looks like you put a lot of effort into this guide. Followed
Congratulations @lynor! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
Award for the number of upvotes received
Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOP
Guten morgen.
Depending on what your outlook is, here some tips I've gathered:
Change the last two tags to "programming" and "steemdev". In the other post too.
The posts in tag foobar rotate through the feed
https://steemit.com/created/foobar
E.g.
https://steemit.com/created/programming
You see all used tage on the startpage on the right, or here:
https://steemit.com/tags
Everything over 500 posts on this list has a very fast rotation time, though. It's a bit of a steep curve to be seen, I suppose.
And you can do three "-" for a seperating line, but maybe that was on purpose.
Oh, und schreib einen introduceyourself post (oder übersetzte den englischen und reposte) mit dem "deutsch" und "austria" tag
https://steemit.com/created/deutsch
Thanks!
Danke für die ganzen Tipps!!!
np.
Auf den anderen posts kannst du die hinteren 4 tags auch noch add/ändern.
Diese Woche solidity outline email?