I’ve needed to set up multiple servers for some of my projects and SSH in to do various configuration, and I thought I’d jot down some notes I found helpful.
I use SSH Keys
I prefer to use SSH keys over passwords for a few reasons, mostly because I think they’re safer (nice discussion here), and once configured they’re also very easy to use and flexible.
1. SSH User on Server
Ideally you’ll disable SSH root access and avoid using root. Instead, you’ll want to create a new user, give that user the permissions you’d like (e.g. allow root maybe but not perform sudo operations), and disable root SSH access. This Stack Exchange question is useful regarding this.
2. Using SSH on a different port
Not long after I had my servers up, I happened to be doing some troubleshooting and noticed constant port scans and login attempts. This was somewhat concerning, but it’s apparently fairly typical. However, I like to set up my SSH port to be something other than 22 for this reason.
You can do this pretty easily by editing the /etc/ssh/sshd_config file. Uncomment the line with #Port 22 and choose another port. E.g.
A minor nitpick is to choose a port between 1 and 1023. This is the root-privileged port range, meaning only root can reserve these ports, so an unprivileged process on the server cannot bind the port in place of sshd. You can read more here. Arguably this guidance is outdated, but I still follow it.
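As an added example (not from the original post), the script below audits an sshd_config-style file for the settings from sections 1 and 2: root login, listening port, and, going one step beyond the post, whether password logins are still enabled alongside keys. The function names and the sample config are constructed for illustration, and the defaults assumed are OpenSSH's.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the settings in sections 1-2.
# Assumes whitespace-separated "Keyword value" lines; Include files are not followed.

# first_value FILE KEYWORD DEFAULT
# For most keywords sshd keeps the first value it reads (keywords are
# case-insensitive). Parsing stops at the first Match block, which is conditional.
first_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) == key { val = tolower($2); exit }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# listen_ports FILE: Port may be given several times; sshd listens on all of them.
listen_ports() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { printf "%s ", $2; n++ }
        END { if (!n) printf "22"; print "" }   # no Port line means the default, 22
    ' "$1"
}

# audit_sshd_config FILE: prints findings, returns 1 if any WARN was raised.
audit_sshd_config() {
    rc=0
    root=$(first_value "$1" PermitRootLogin prohibit-password)   # OpenSSH default
    pass=$(first_value "$1" PasswordAuthentication yes)          # OpenSSH default
    if [ "$root" != "no" ]; then echo "WARN PermitRootLogin=$root"; rc=1; fi
    if [ "$pass" != "no" ]; then echo "WARN PasswordAuthentication=$pass"; rc=1; fi
    for p in $(listen_ports "$1"); do
        if [ "$p" -eq 22 ]; then echo "WARN Port=22"; rc=1
        elif [ "$p" -gt 1023 ]; then echo "NOTE Port=$p is unprivileged"; fi
    done
    return "$rc"
}

# Constructed sample: port moved as in section 2, everything else left at defaults.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 1034' '#PermitRootLogin prohibit-password' \
    'PubkeyAuthentication yes' > "$sample"
audit_sshd_config "$sample" || true
rm -f "$sample"
```

On a live server, `sudo sshd -T` prints the effective configuration, including any Include files this parser skips.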
3. Setting up client key
On your machine, or the machine that will act as the client, you want to create the SSH key:
ssh-keygen -t rsa -b 4096
I personally do not use a passphrase to make things easier for me :)
Next, upload the key to the server:
ssh-copy-id -p 1034 -i ~/.ssh/my_ssh_key email@example.com
Finally, let’s test that the configuration works:
ssh -p 1034 -i ~/.ssh/my_ssh_key firstname.lastname@example.org
4. Configure firewall
We’ll need to update our firewall so we can actually SSH in.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 1034/tcp
# If this is a web server, you'd also likely want ports 80 & 443 open
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw reload
sudo ufw status
If you’re using a VPS at a major provider like Vultr or Hostinger, check to see if you have any firewalls configured for your VPS as well.
5. Configure future usage
Okay, so you have an SSH key but it’s a PITA to use! You can update your (not the server’s) SSH config file to make it much easier to use.
Add/update entries as aliases in ~/.ssh/config like so:
Host personal-server
  HostName 192.168.1.15
  User root
  IdentityFile ~/.ssh/my_ssh_key
  Port 1034

Host production-server
  HostName 192.168.1.30
  User deploy_user
  IdentityFile ~/.ssh/my_production_ssh_key
  Port 1034
Now you can ssh easily:
Will also work with tools like
If there are other recommendations on how to keep things secure or better configure SSH keys, I’m always open to suggestions.
This could actually be the server in cases where the server does a git pull request, for example, maybe in some deploy scenario that requires the server to git checkout a repo. In this case, you’ll also want to add the key to GitHub as a “Deploy key”.