Securing SSH Connection

Generating a Key and Connecting

The best way to protect your SSH server is to use encrypted keys. Download PuTTY and PuTTYgen. Run puttygen.exe, press 'Generate', and move your mouse cursor around in the gray area. Enter a passphrase and don't forget it, as you will need it when connecting to your machine. You can also leave it blank, but that makes the connection less secure, albeit more convenient. Save the public and private keys and don't close the window yet. Connect to your GNU/Linux machine as the user you wish to secure and create a file.

Now, in your PuTTYgen window, copy the generated key up to the comment '=rsa-key-date', like this. Next, paste it into the nano window so the whole key is on one long line. If you're connected via PuTTY, right-click to paste the key; it should automatically be pasted as one unbroken line:

Save, exit and change permissions:

Now, to connect to your server from a Windows machine, launch PuTTY and enter the remote address and port number. In the left pane navigate to "Connection/SSH" and in the 'Auth' window browse for the private key you created earlier. You can save your session so it will load the key automatically.

On GNU/Linux it's much simpler. On the client computer generate your keys by running the 'ssh-keygen' command, save the keys to the default '~/.ssh' directory and run the following:

This will add your public key straight to the remote server's 'authorized_keys' file. If you want to connect, run this:

Some of those switches are not required if the usernames match, or the keys have already been authorized, or the remote port is the default (22). Also, add a few lines to the config file on your client machine to keep the connection alive:

And add:

Now you only need to change a few settings in the server's SSH daemon configuration file.

SSHd Configuration

Before you start fiddling with 'sshd_config', make an anti-lockout script to run periodically, especially if you're connecting to a server outside your physical reach. Create a file:

Paste the script:

Open up cron:

And add a rule:

Now every 10 minutes the 'sshd_config' will reset to 'ssh_config.bak' and leave a copy of your work.

Next, back up the SSHd configuration and open it up. Don't mistake 'sshd_config' for 'ssh_config'.

Find and change the following lines to:

From now on you will be able to connect to the machine only with an RSA key. I would also advise disabling root access over SSH and limiting the maximum authentication tries per session:

Save, exit and restart SSHd service.

If everything works, don't forget to delete or comment out the anti-lockout script line in 'crontab'.
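
The following is an added example, not part of the original article: a shell function that checks the global section of an 'sshd_config' for the settings described in this section. The function names, the sample file and the expected values (PasswordAuthentication no, PermitRootLogin no, MaxAuthTries of at most 3) are assumptions; the fallback values are the OpenSSH defaults.

```shell
# Added example: audit the global section of an sshd_config file.
# Expected values (no / no / <=3) are assumptions, not the article's own.
# effective_value FILE KEYWORD DEFAULT
# sshd uses the first occurrence of a keyword and ignores keyword case.
# Parsing stops at the first Match block; assumes "Keyword value" lines.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                 # skip comment lines
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }       # keyword absent: OpenSSH default
    ' "$1"
}

# audit_sshd_config FILE [MAX_TRIES]
# Prints one line per finding; returns 0 if there are none, 1 otherwise.
audit_sshd_config() {
    file=$1; max_tries=${2:-3}; rc=0
    [ "$(effective_value "$file" PasswordAuthentication yes)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(effective_value "$file" PubkeyAuthentication yes)" = "yes" ] ||
        { echo "FAIL: PubkeyAuthentication is not 'yes'"; rc=1; }
    [ "$(effective_value "$file" PermitRootLogin prohibit-password)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    tries=$(effective_value "$file" MaxAuthTries 6)
    case $tries in
        ''|*[!0-9]*) echo "FAIL: MaxAuthTries is not a number"; rc=1 ;;
        *) [ "$tries" -le "$max_tries" ] ||
               { echo "FAIL: MaxAuthTries $tries > $max_tries"; rc=1; } ;;
    esac
    return $rc
}

# Constructed sample: the first PasswordAuthentication line wins, so the
# later "no" has no effect, and the Match block value is not a global one.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real server config
Port 2222
passwordauthentication yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    MaxAuthTries 2
EOF
}
tmp=$(mktemp) && sample_config > "$tmp" && { audit_sshd_config "$tmp" || true; }; rm -f "$tmp"
```

On the server itself, running 'sshd -t' before the restart also catches syntax errors in the edited file.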

Using SSH Server As Proxy

If you have a remote shell and you're using Windows, you can set up PuTTY to act as a SOCKS5 proxy in just a few simple steps.

On GNU/Linux it's even less complicated. Just run this:

Again, you might not need to change the remote port or username, depending on your configuration. Add & at the end of the command to put it in the background. Proxy settings are the same: point to localhost:8080 and set the type to SOCKS5. Don't forget to set the 'resolve DNS remotely' option. Enjoy browsing the web on unsafe public WiFis!
