In my last post I described how I decrypt my home server remotely with ssh. Today I would like to share how I lock down my Debian-based home server while it's running.
Public Key Authentication with SSH
[Public key authentication](https://www.ssh.com/ssh/public-key-authentication) is basic stuff when it comes to ssh. There's not really any reason not to use public keys.
Most guides do the generation on a client machine and then copy the public key up to the server. I did it backwards, mainly because I was originally setting things up from a Windows machine. I could have used puttygen, but these days I find the Linux terminal friendlier than most GUIs... It's odd, I know.
On the server, generate the key pair and install the public half as the authorized key:

```
ssh-keygen
cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
```

Then copy the private key ~/.ssh/id_rsa to your client PC.
Next check your ssh config:
```
sudo nano /etc/ssh/sshd_config
```
Ensure the following options are set:
```
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
```
Additionally, you can add the line

```
AllowUsers <your user name here>
```

to restrict ssh to only a specific list of users.
Restart your sshd:

```
sudo service sshd restart
```

Then immediately attempt another ssh connection with your key (if you are doing this over ssh) so you know you are not locked out. Your current ssh connection should not be affected by the restart.
Example ssh connection:
```
ssh -i /home/dugite/.ssh/serv_id_rsa email@example.com
```
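As an added example (not code from the original post), here is a small POSIX shell audit that checks an sshd_config for the three settings above. It assumes plain sshd_config syntax, that the first occurrence of a keyword wins (which is how sshd resolves duplicates), and it stops reading at the first Match block, since per-user overrides are out of scope for this check. The two sample configs it builds are constructed for the demonstration, not real server files.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config file
# for the three settings discussed above. Assumptions: the file uses plain
# sshd_config syntax, the first occurrence of a keyword wins (as sshd does),
# and anything after the first "Match" block is out of scope for this check.

# check_opt FILE KEY WANT -> exit 0 when KEY's effective value equals WANT.
# A missing keyword yields an empty value, which never matches, so an
# unset PasswordAuthentication (sshd default: yes) is reported as a failure.
check_opt() {
    file=$1; key=$2; want=$3
    got=$(awk -v k="$key" '
        tolower($1) == "match" { exit }                    # stop at Match blocks
        tolower($1) == tolower(k) && v == "" { v = $2 }    # first value wins
        END { print v }' "$file")
    [ "$got" = "$want" ]
}

# audit_sshd_config FILE -> prints one PASS/FAIL line per setting and
# returns the number of failures (0 means every setting is as required).
audit_sshd_config() {
    file=$1
    fails=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        key=${pair% *}; want=${pair#* }
        if check_opt "$file" "$key" "$want"; then
            echo "PASS $key $want"
        else
            echo "FAIL $key is not '$want'"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed sample configs (not real server files) so the audit can be
# exercised offline. Each function writes a temp file and prints its path.
make_hardened_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: hardened
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers dugite
Match User backup
    PasswordAuthentication yes
EOF
    echo "$f"
}

make_weak_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: distro defaults left in place
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    echo "$f"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

The keyword comparison is case-insensitive, so the same script can be pointed at the output of `sudo sshd -T` (which prints the effective, fully resolved configuration with lowercase keywords) rather than at the raw file; that is the more authoritative check, since it reflects include files and defaults as sshd actually applies them.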
TOTP via Google Authenticator PAM
Add TOTP to SUDO and SU
Use docker with UFW
Encrypted port Knocking with fwknop
```
fwknop -A tcp/22 -D example.tld --key-gen --use-hmac --save
```