Secure Your Infrastructure with a Strong SSH Key

Started by metallexportprom, Aug 11, 2022, 01:25 AM

Previous topic - Next topic

metallexportpromTopic starter

The news is filled with reports of data breaches, and large corporations are spending exorbitant amounts of money to enhance their security. According to IDC, a consulting organization, global spending on IT security will exceed $120 billion by 2021.

However, an IT infrastructure that is secure does not necessarily have to cost a lot of money. Linux systems, for example, come with built-in protection mechanisms that, when properly configured, can deflect most popular types of OS and network attacks.

In this article, we will discuss some basic tips to reduce the likelihood of hаcking an IT architecture and compromising information. While the examples given are for Linux-based systems, some of the practices can be applied to other operating systems as well.

One important and obvious point is to install the latest security updates regularly. The significance of regular application updates has been discussed many times before, yet it remains relevant, especially in light of the Heartbleed (CVE-2014-0160) vulnerability found in OpenSSL.

This vulnerability allowed attackers to extract the server's private key and use it to decrypt transmitted traffic. In 2014, nearly 600,000 vulnerable sites were reported, but even today, almost 250,000 websites are still impacted by Heartbleed, despite a patch being available.

To ensure that your systems are up to date, it is recommended to set up an auto-update system for your OS safety. Most vendors provide a tool to automatically install patches. For instance, Debian has Unattended Upgrades, Red Hat-based systems have Auto-Updates, CentOS has yum-cron, and Fedora has dnf-automatic.

It is also possible to upgrade using package managers. For example, for Debian:

apt-get update && apt-get upgrade

However, automatic patch installation can have its drawbacks. For instance, there are situations where updates may cause a system crash. Thus, before installing updates in a production environment, conducting preliminary software testing in a sandbox is recommended.

Developers try to ensure that the updates do not produce harmful changes to systems, but they cannot test every possible combination of applications and services. In some cases, vulnerabilities discovered in a system may require restarting all related applications, as was the case when several vulnerabilities were found in OpenSSL, which allowed attackers to launch DDoS attacks. These were fixed in Debian 1.0.1e-2+deb7u10, but a restart of all OpenSSL-related applications was necessary.

Another tip is to activate security extensions. Modern systems run numerous daemons and programs managed by different users. The traditional Unix model of Discretionary Access Control (DAC) makes application management challenging since it works with three parameters when assigning access rights: user, user group, and others.

One of the first things you should do to protect your infrastructure is to create a strong SSH key. You can use ssh-keygеn to generate a 4096-bit key with a passphrase that will protect the key in case it is compromised. To set up an SSH connection, OpenSSH can be used, which has a decent standard configuration. For added connection safety, we recommend using a cryptographic key pair login for SSH access, which makes brute-force crаcking much more difficult.

To accomplish this, create new keys and upload the public key to the server by entering 'ssh-copy-id admin@' from your local computer, substituting the key owner's name for admin and your server's IP address for You can also disable SSH connections completely by entering a password that everyone uses, ensuring the PasswordAuthentication parameter in the /etc/ssh/sshd_config file is set to no.

It's important to use cryptography to protect your infrastructure from hаckers. Do not store personal and account information unencrypted, even if your passwords are kept in a private repository on GitHub. When choosing encryption tools or libraries, make sure to use modern symmetric ciphers like AES and Salsa20, MACs to control data source integrity and authentication, and high-quality randomizers for generating keys and temporary codes such as /dev/urandom.

Make sure to regularly create and check backups to ensure the safety of your architecture. Although this topic is discussed in many materials, it's important to remember its importance.
    The following users thanked this post: Sevad

Kitty Solam

If patches from Meltdown cause a drop in performance and system crashes, it's important to prevent failure to install them. That's why it's recommended to establish a system for preliminary testing of updates before deployment. It's also crucial to coordinate your protection system in a way that minimizes the risk of exploiting unknown vulnerabilities.


To ensure that your system is always up-to-date, it's suggested to use security auto-update for your OS. Many vendors provide a tool that automatically installs patches.
Examples include Unattended Upgrades for Debian, AutoUpdates for Red Hat-based systems, yum-cron for CentOS, and dnf-automatic for Fedora. Keeping your system up-to-date using these tools minimizes the risk of security breaches and ensures optimal system performance.