Ed25519 SSH Key and Changing SSH port? (tags: SSL, Security, Sysadmin)

Discussion in 'System Administration' started by Mrbo, Sep 28, 2018.

  1. Mrbo
    I just set up an RSA key for my server and then came across this article. So my question is, do you recommend switching over to an Ed25519-based algorithm?
    Upgrade Your SSH Key to Ed25519

    And I also saw some people talking about changing the default SSH 22 port to something else <1024, do you recommend that?

    And a question regarding the Letsencrypt SSL certificate, do I have to update it manual or does it renew itself?
     
  2. eva2000 (Administrator, Staff Member)
    Yes, you can do that via centmin.sh menu option 16. It will prompt you for the existing sshd port number, so enter 22; then it prompts you for the desired new sshd port number and automatically configures it for sshd and the CSF firewall.
    It auto-renews via cronjob. To list your cronjobs:
    Code (Text):
    crontab -l
    

    auto renewal cronjob
    Code (Text):
    27 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    

    For CentOS 7, an ED25519-based SSH key should work fine; I've tested it. I usually use ECDSA SSH keys instead of RSA SSH keys just for wider compatibility.

    Before you look into SSH key only login (+ disable password authentication), make sure your web host is set up with features that allow you to regain access to your server if you ever lose your SSH key's private key, and that you know how to use those features to regain access.

    If you don't know how to use those features, setup a test instance/VPS with that web host and test it out. If you're with web host with hourly billed VPSes like Linode, DigitalOcean, and Vultr then it is relatively cheap to test out for a few hours on a test VPS.

    Here's an example text you can use to ask your web host to be sure

    There are numerous how-to-use-SSH-key-login guides online, but not many go beyond that to explain what to do if you lose your SSH private key and are unable to use password logins. And that can come down to your web host and what measures they have in place, i.e. out of band console access etc. and recovery ISO/CDs available.

    And some relevant guides from different web hosts about setting up SSH key authentication, about recovery, and general need-to-know info:

    DigitalOcean: has out of band console access
    Linode: has out of band console access called Lish
    Vultr: has out of band console access
    OVH
    RamNode
    Others
     
  3. Mrbo
    Code:
    [19:06][[email protected] ~]# 23 */36 * * * /usr/local/src/centminmod/tools/csfcf.sh auto >/dev/null 2>&1
    [19:10][[email protected] ~]# crontab -l
    13 23 * * * /usr/local/src/centminmod/tools/autoprotect.sh >/dev/null 2>&1
    0 */4 * * * /usr/bin/cminfo_updater 2>/dev/null
    [19:10][[email protected] ~]# 27 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    -bash: 27: command not found
    
    I added the Cloudflare cronjob but it's not there, and neither are the CentOS nightly updates, and I think I did something wrong for the acme cronjob.
     
    Last edited: Sep 28, 2018
  4. Mrbo
    Is there a list of available / safe ports to use?
     
  5. eva2000 (Administrator, Staff Member)
    For ports below 1024 you can first see what some services use at CSF - Centmin Mod LEMP stack CSF Firewall default port listing. But centmin.sh menu option 16 actually checks whether your desired port is already in use and lets you know, so you won't accidentally choose a new sshd port that an existing running service uses, or one already defined in the CSF Firewall's whitelisted ports list.

    You need to use a Linux text editor to add a cronjob.

    Use crontab -l to view current cronjobs and the crontab -e command to invoke the nano text editor; see the guide at HowTo: Add Jobs To cron Under Linux or UNIX?

    Example of out-of-the-box Centmin Mod setup cronjobs, excluding WordPress wp-cli:
    Code (Text):
    crontab -l
    13 23 * * * /usr/local/src/centminmod/tools/autoprotect.sh >/dev/null 2>&1
    0 */4 * * * /usr/bin/cminfo_updater 2>/dev/null
    
     
  6. Mrbo
    I made a mistake and now I can't seem to revert it.
    The console came up slowly, so I typed exit and it set the port to exit, and now it doesn't want to revert when I type in a new port. Can I invoke any of the ssh backups?

    Code:
    * Setup sshd
    *************************************************
    --------------------------
    backup sshd_config
    --------------------------
    cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config-backup
    --------------------------
    change ssh port
    --------------------------
    You'll be asked what your current default SSH port is (default = 22 or exit).
    
    Then asked which SSH port number you want to change to.
    New SSH port should be a number below and less than <1024.
    
    Your current default SSH port is: exit
    or exit
    
    Enter existing SSH port number (default = 22 for fresh installs): exit
    
    Enter the SSH port number you want to change to: 77
    
    Post 77 configured in /etc/ssh/sshd_config
    
    iptables -I INPUT -p tcp --dport exit -j REJECT
    iptables v1.4.21: invalid port/service `exit' specified
    Try `iptables -h' or 'iptables --help' for more information.
    iptables -I INPUT -p tcp --dport 77 -j ACCEPT
    systemctl restart iptables.service
    systemctl restart csf.service
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `ALLOWDYNIN'
    Flushing chain `ALLOWDYNOUT'
    Flushing chain `ALLOWIN'
    Flushing chain `ALLOWOUT'
    Flushing chain `DENYIN'
    Flushing chain `DENYOUT'
    Flushing chain `INVALID'
    
     
  7. eva2000 (Administrator, Staff Member)
    You'd need to use a Linux text editor like nano or vim to edit the /etc/csf/csf.conf variables TCP_IN and TCP6_IN and change the word exit back to 22 in the comma separated list, if it exists, i.e. 20,21,exit,25. But if exit doesn't exist there and it still shows as 22, as in 20,21,22,25, then proceed to the step below to revert sshd_config.

    Code (Text):
    TCP_IN = "20,21,22,25,53,80,8081,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
    TCP6_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
    

    then restart CSF Firewall service
    Code (Text):
    csf -ra
    

    Then you can revert the backup that was made, and grep to verify Port is set back to the default, i.e. Port 22 or #Port 22:
    Code (Text):
    diff -u /etc/ssh/sshd_config /etc/ssh/sshd_config-backup
    cp -af /etc/ssh/sshd_config-backup /etc/ssh/sshd_config
    grep Port /etc/ssh/sshd_config
    service sshd restart
    


    The easiest way to edit configuration or any other files on your server is to log in to your server via ssh and edit them directly using the nano or vim Linux text editors.

    For nano, which you can read up more about here and here. For the vim text editor read here and here, and the thread at WebPerf - Popular Vim Commands – a Comprehensive Vim Cheatsheet.

    Also there are numerous online how-to guides for nano and vim you can search for via Google :)
     
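    As an added example that is not part of the thread and not Centmin Mod's own menu option 16 code, the shell functions below carry out the two procedures described in this thread: the port change from post 2 (validate the new port, check it is free, rewrite Port in sshd_config with a backup, update the CSF TCP_IN/TCP6_IN lists) and the recovery from the post above (strip a stray non-numeric token such as "exit" out of TCP_IN/TCP6_IN). All file paths and port numbers are parameters, and the csf.conf and sshd_config contents used for trying it out are constructed samples, so it can be exercised on copies before touching /etc. The ss-based in-use check and the sshd -t syntax check only run when those tools are present.

```shell
#!/bin/sh
# Added example, not Centmin Mod's menu option 16: safe sshd port change and
# csf.conf repair. All paths are parameters so it can be run against copies.

# valid_port N -> 0 if N is an integer in 1..65535 (rejects "exit", "", "7x")
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_in_use N -> 0 if a TCP listener already uses port N (needs ss; when ss
# is missing it reports "not in use", so check by hand on such hosts)
port_in_use() {
    command -v ss >/dev/null 2>&1 || return 1
    ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -Eq "[:.]$1\$"
}

# set_sshd_port FILE PORT -> keeps FILE-backup, replaces the first "Port" or
# "#Port" line (or prepends one, so it lands before any Match block)
set_sshd_port() {
    f=$1; p=$2
    valid_port "$p" || { echo "refusing port '$p': not a number in 1..65535" >&2; return 1; }
    cp -p "$f" "$f-backup" || return 1
    if grep -Eq '^#?Port[[:space:]]' "$f"; then
        awk -v p="$p" '
            /^#?Port[[:space:]]/ && !done { print "Port " p; done = 1; next }
            { print }' "$f" > "$f.tmp"
    else
        { printf 'Port %s\n' "$p"; cat "$f"; } > "$f.tmp"
    fi
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    grep -E '^Port ' "$f"
}

# check_sshd_config FILE -> runs sshd's own syntax check when sshd is installed
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not found, skipping syntax check" >&2; return 0; }
    sshd -t -f "$1"
}

# csf_set_port FILE NEW [OLD] -> in TCP_IN and TCP6_IN, drop tokens that are
# not a port or a port range (this is what removes a stray "exit"), drop OLD
# if given, add NEW once, and leave every other line untouched
csf_set_port() {
    f=$1; new=$2; old=${3:-}
    valid_port "$new" || return 1
    awk -v new="$new" -v old="$old" '
        /^TCP6?_IN[[:space:]]*=/ {
            split($0, kv, "\""); n = split(kv[2], t, ","); split("", seen); out = ""
            for (i = 1; i <= n; i++) {
                tok = t[i]; gsub(/[[:space:]]/, "", tok)
                if (tok !~ /^[0-9]+(:[0-9]+)?$/) continue   # e.g. "exit"
                if (old != "" && tok == old) continue
                if (!(tok in seen)) { seen[tok] = 1; out = out (out == "" ? "" : ",") tok }
            }
            if (!(new in seen)) out = out (out == "" ? "" : ",") new
            sub(/"[^"]*"/, "\"" out "\"")
        }
        { print }' "$f" > "$f.tmp"
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    grep -E '^TCP6?_IN' "$f"
}

# Typical order on a live box (keep your current session open until a login
# on the new port has been confirmed):
#   port_in_use 77 && echo "77 is taken"
#   set_sshd_port /etc/ssh/sshd_config 77 && check_sshd_config /etc/ssh/sshd_config
#   csf_set_port /etc/csf/csf.conf 77 22 && csf -ra && systemctl restart sshd
```

    The firewall list is updated before sshd is restarted, and the old port is only removed from TCP_IN once the new one is in place, so a typo in the new port never locks the current session out; the non-numeric filter is what would have caught the "exit" entry shown in post 6.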
  8. Mrbo
    Thanks a lot George! Man, I'm a computer geek, but this is a whole different ballgame for me. My brain is working on overload, but I love it! :)
     
  9. Mrbo
    I followed two guides to create both Ed25519 and RSA keys, but for some reason it doesn't work. This is what I did:

    Code:
    ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519
    ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/id_rsa_legacy
    ssh-add ~/.ssh/id_rsa_legacy ~/.ssh/id_ed25519
    Then I downloaded the files and tried to add them to the SSH clients, but when I try to log in with either of them I get: "Server refused our key"

    Edit: I got it working with this guide instead, and pasting the keyphrase into authorized_keys instead. I don't know what the difference is, but it works.
     
    Last edited: Sep 28, 2018
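    As an added example that is neither the guide the post refers to nor any project's code, here is the server-side half of the approach that ended up working above: a shell function that appends a public key line to ~/.ssh/authorized_keys (once, even if run twice), refuses a file that is a private key rather than the .pub, and sets the directory and file modes that sshd's StrictModes requires before it will read the file. The home directory and key file are parameters, and the key line used to exercise it is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the thread: put an OpenSSH public key into
# ~/.ssh/authorized_keys the way sshd wants it. HOME_DIR and PUBKEY_FILE are
# parameters so it can be tried on a scratch directory first.

# looks_like_pubkey FILE -> 0 if FILE holds one OpenSSH public key line.
# Refuses anything that looks like a private key, which must never leave
# the client machine.
looks_like_pubkey() {
    grep -q -e '-----BEGIN' "$1" && return 1
    head -n 1 "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key HOME_DIR PUBKEY_FILE -> appends the key once, sets
# the modes sshd's StrictModes expects (700 on .ssh, 600 on authorized_keys)
# and prints the key fingerprint when ssh-keygen is available
install_authorized_key() {
    home=$1; pub=$2
    looks_like_pubkey "$pub" || { echo "$pub is not a single OpenSSH public key" >&2; return 1; }
    key=$(head -n 1 "$pub")
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1
    # match on key type and blob only, so a changed comment is not a duplicate
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if ! awk '{print $1 " " $2}' "$ak" | grep -qxF -- "$blob"; then
        printf '%s\n' "$key" >> "$ak"
    fi
    # StrictModes (default yes) makes sshd ignore the file if .ssh or
    # authorized_keys is group/world writable; confirm the modes stuck
    [ -n "$(find "$sshdir" -prune -perm 700)" ] || return 1
    [ -n "$(find "$ak" -perm 600)" ] || return 1
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -lf "$pub" || echo "could not compute fingerprint" >&2
    fi
    return 0
}

# On the server, after copying only the .pub file up:
#   install_authorized_key /root /root/id_ed25519.pub
# Then compare the printed fingerprint with `ssh-keygen -lf ~/.ssh/id_ed25519.pub`
# on the client before disabling password logins.
```

    Comparing fingerprints on both ends is the quick way to confirm the line in authorized_keys is the key the client actually offers; a mismatch, a pasted private key, or loose permissions on ~/.ssh are each enough for sshd to refuse the key.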
  10. eva2000 (Administrator, Staff Member)
..