Secure Shell (SSH) is the foundation of secure remote server access, but improper configurations can leave servers vulnerable to brute-force attacks and unauthorized access. By using Ed25519 public key authentication, system administrators can enhance security while maintaining ease of access.
Why Ed25519 Over Other Algorithms?
SSH supports multiple key pair algorithms, but not all offer the same level of security:
- DSA – Deprecated due to weak randomness. No longer recommended.
- RSA – Still widely used, but requires large key sizes (2048+ bits) for adequate security.
- ECDSA – Offers smaller key sizes, but concerns exist over NIST-standardized curves and potential backdoors.
- Ed25519 – A modern elliptic curve algorithm offering strong security, high performance, and resistance to quantum computing threats.
For these reasons, Ed25519 is the preferred choice for SSH key authentication today.
Step 1: Generate an Ed25519 Key Pair
On your local machine (not the server), generate a new SSH key pair:
ssh-keygen -o -a 256 -t ed25519 -C "$(hostname)-$(date +'%d-%m-%Y')"
- The -o flag ensures the key is stored in a secure OpenSSH format.
- The -a 256 flag adds key derivation function rounds, making brute-force attacks more difficult.
- The -C flag assigns a comment (helpful for identifying keys).
Follow the prompts to set a passphrase for additional security. The generated files include:
- ~/.ssh/id_ed25519 – Private key (keep this secure).
- ~/.ssh/id_ed25519.pub – Public key (copy this to the server).
Step 2: Secure Local Key Storage
Ensure your private key is protected with the correct permissions:
chmod 700 ~/.ssh
chmod 400 ~/.ssh/id_ed25519
These settings prevent unauthorized users from accessing your SSH key.
Step 3: Add Public Key to the Server
Copy the public key to the server’s authorized keys file:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server-ip
Alternatively, manually add the key:
cat ~/.ssh/id_ed25519.pub | ssh user@your-server-ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Step 4: Configure SSHD to Use Ed25519 Keys
Edit the SSH daemon configuration:
sudo nano /etc/ssh/sshd_config
Ensure the following settings are applied:
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AuthenticationMethods publickey
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
Save the file and restart SSH, keeping your current session open until key-based login is confirmed in Step 6:
sudo systemctl restart sshd
Step 5: Additional Hardening
Disable Root SSH Login
It’s crucial to disable direct root access to prevent privilege escalation attacks:
PermitRootLogin no
Change the Default SSH Port
Changing the port from 22 to a random high-numbered port (e.g., 4822) can reduce automated scanning. Set it in /etc/ssh/sshd_config; sshd must be restarted again for the new port to take effect:
Port 4822
Update the firewall to allow the new port:
sudo ufw allow 4822/tcp
Limit SSH Access to Specific IPs
If you always connect from the same IP, restrict access:
sudo ufw allow from YOUR_IP to any port 4822
Enable Fail2Ban
Fail2Ban protects against repeated failed login attempts:
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
Modify /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = 4822
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
Restart Fail2Ban:
sudo systemctl restart fail2ban
Step 6: Testing the Configuration
From your local machine, test the connection:
ssh -i ~/.ssh/id_ed25519 -o PasswordAuthentication=no user@your-server-ip -p 4822
If everything is set up correctly, you should log in without a password.
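A successful login does not prove the daemon is running with every Step 4 setting, so the following added example (not part of the original article) compares effective settings, in the "keyword value" format printed by sshd -T, against the Step 4 values. The function names audit_sshd and sample_weak and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare effective sshd settings with the Step 4 values.
# Input format: "keyword value" lines with lowercase keywords, as `sshd -T` prints.

# Expected values from Step 4 of this page (HostKey and Protocol left out).
EXPECTED='pubkeyauthentication yes
passwordauthentication no
permitrootlogin no
authenticationmethods publickey
kexalgorithms curve25519-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com'

# audit_sshd: read settings on stdin, print one line per deviation,
# return 1 if any expected setting is missing or different.
audit_sshd() {
    conf=$(cat)
    rc=0
    while read -r key want; do
        # Take the first occurrence of the keyword; keywords are case-insensitive.
        got=$(printf '%s\n' "$conf" | awk -v k="$key" '
            !seen && tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; seen = 1 }')
        if [ -z "$got" ]; then
            echo "MISSING $key (want: $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got '$got', want '$want'"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample: passwords and key-only root login are still allowed,
# and AuthenticationMethods is not reported at all.
sample_weak() {
    printf '%s\n' \
        'pubkeyauthentication yes' \
        'passwordauthentication yes' \
        'permitrootlogin prohibit-password' \
        'kexalgorithms curve25519-sha256' \
        'ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com' \
        'macs hmac-sha2-512-etm@openssh.com'
}

# Demo on the constructed sample; on a server: sudo sshd -T | audit_sshd
sample_weak | audit_sshd || echo "sshd does not match the Step 4 settings"
```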
Conclusion
By following these steps, your SSH server will be significantly more secure against brute-force attacks, unauthorized access, and potential vulnerabilities. Ed25519 keys provide an ideal balance between security and performance, making them the recommended choice for SSH authentication.
Maintaining server security is an ongoing process—regular updates and monitoring are key to preventing new threats.
Reference: Cryptsus