I’ve needed to set up multiple servers for some of my projects and SSH in to do various configuration, and I thought I’d jot down some notes I found helpful.

I use SSH Keys

I prefer to use SSH keys over passwords for a few reasons, mostly because I think they’re safer (nice discussion here) and, once configured, they’re also very easy to use and flexible.

1. SSH User on Server

Ideally you’ll disable SSH root access and avoid using root. Instead, create a new user, give that user the permissions you’d like (e.g. allow su to root but perhaps not sudo operations), and disable root SSH access. This Stack Exchange question is useful on the topic.

2. Using SSH on a different port

Not long after I had my servers up, I happened to be doing some troubleshooting and noticed constant port scans and login attempts. This was somewhat concerning, but it’s apparently fairly typical. However, I like to set up my SSH port to be something other than 22 for this reason.

You can do this pretty easily by editing the /etc/ssh/sshd_config file. Uncomment the line #Port 22 and choose another port, e.g. Port 1034.

A minor nitpick is to choose a port between 1 and 1023. This is the privileged port range, meaning only root can bind these ports. You can read more here. Arguably this guidance is outdated, but I still follow it.
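As an added example (not part of the original post), here is a small shell audit of an sshd_config for the settings sections 1 and 2 care about: a non-default Port, PermitRootLogin no, and PasswordAuthentication no. It assumes sshd’s rule that the first uncommented occurrence of a keyword wins and stops at the first Match block, whose values only apply conditionally; the sample config files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings from sections 1 and 2: non-default Port, PermitRootLogin no,
# PasswordAuthentication no. Assumes sshd's rule that the FIRST uncommented
# occurrence of a keyword wins, and stops at the first "Match" block, whose
# values apply only conditionally.

# Print the effective value of KEYWORD in FILE, or DEFAULT if it is not set.
sshd_effective() { # FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match" { exit }           # conditional block: stop
        /^[[:space:]]*#/ || NF == 0 { next }       # skip comments and blanks
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Print each weak setting; return value is the number of findings (0 = ok).
sshd_audit() { # FILE
    findings=0
    port=$(sshd_effective "$1" Port 22)
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    [ "$port" != "22" ] || { echo "Port is 22 (section 2 picks another port)"; findings=$((findings + 1)); }
    [ "$root" = "no" ] || { echo "PermitRootLogin=$root (section 1 disables root SSH)"; findings=$((findings + 1)); }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication=$pass (keys only)"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample configs (not real server files) for demonstration.
weak_cfg=$(mktemp); hardened_cfg=$(mktemp)
cat >"$weak_cfg" <<'EOF'
#Port 22
PermitRootLogin yes
EOF
cat >"$hardened_cfg" <<'EOF'
Port 1034
PermitRootLogin no
PasswordAuthentication no
Match User deploy_user
    PasswordAuthentication yes
EOF

sshd_audit "$weak_cfg" || echo "weak config: $? finding(s)"
sshd_audit "$hardened_cfg" && echo "hardened config: no findings"
```

Before restarting sshd on a real server, validate the edited file with `sudo sshd -t` and keep your current session open until a second login on the new port succeeds.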

3. Setting up client key

On your machine, or machine that will act as client[0], you want to create the SSH key:

ssh-keygen -t rsa -b 4096

I personally do not use a passphrase to make things easier for me :)

Next, upload the key to the server:

ssh-copy-id -p 1034 -i ~/.ssh/my_ssh_key deploy_user@192.168.1.15

Finally, let’s test that the configuration works:

ssh -p 1034 -i ~/.ssh/my_ssh_key deploy_user@192.168.1.15

4. Configure firewall

We’ll need to update our firewall so we can actually SSH in.

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 1034/tcp

# If this is a web server, you'd also likely want ports 80 & 443 open
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw reload

Check results:

sudo ufw status

If you’re using a VPS at a major provider like Vultr or Hostinger, check whether the provider also has a firewall configured for your VPS.

5. Configure future usage

Okay, so you have an SSH key but it’s a PITA to use! You can update your (not the server’s) SSH config file to make it much easier to use.

Add/update entries as an alias to ~/.ssh/config like so:

Host personal-server
     HostName       192.168.1.15
     User           root
     IdentityFile   ~/.ssh/my_ssh_key
     Port           1034

Host production-server
     HostName       192.168.1.30
     User           deploy_user
     IdentityFile   ~/.ssh/my_production_ssh_key
     Port           1034

Now you can ssh easily:

ssh personal-server

This will also work with tools like scp.

Always learning

If there are other recommendations on how to keep things secure or better configure SSH keys, I’m always open to suggestions.

[0] This could actually be the server in cases where the server does a git pull, for example in a deploy scenario that requires the server to check out a repo. In this case, you’ll also want to add the key to GitHub as a “Deploy key”.