SSH is the primary target for brute-force attacks. In this lab, you will transform a default SSH installation into a hardened fortress by removing password authentication and enforcing cryptographic keys.
We avoid the legacy RSA algorithm in favor of Ed25519, which is faster, more secure, and has a smaller footprint.
Always use a passphrase when generating keys. If your laptop is stolen, the key is useless without the passphrase.
After copying the public key to the server, we must modify the SSH daemon configuration to stop accepting passwords.
```bash
# 1. Copy the public key to the server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server-ip
# 2. Edit /etc/ssh/sshd_config and set these values:
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
# 3. Restart SSH (the unit is called sshd on RHEL-family systems)
systemctl restart ssh
```

Once `PasswordAuthentication no` is applied, the server no longer offers the password method at all: an attacker trying to brute-force the password is rejected immediately with `Permission denied (publickey)` and never sees a password prompt. Note that sshd uses the first occurrence of a directive it reads, so on systems whose `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in file containing `PasswordAuthentication yes` silently overrides the value you set in the main file; check those drop-ins too.
| Setting | Default Value | Hardened Value | Security Benefit |
|---|---|---|---|
| PermitRootLogin | yes / prohibit-password | no | Prevents direct root targeting |
| PasswordAuthentication | yes | no | Eliminates brute-force |
| Port | 22 | Custom (e.g. 2222) | Reduces noise in logs |
| PubkeyAuthentication | yes | yes | Strong cryptographic proof |
The final step is to attempt to log in *without* your key to confirm that the lockdown is working.
Never disable password authentication until you have verified, in a separate terminal session while your current session stays open, that your public-key login works. Otherwise you will lock yourself out of the server.
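The following script is an added example and is not part of the original lab. It applies the lab's three directives to an sshd_config-style file idempotently (rewriting the first active or commented-out occurrence, dropping duplicates, appending if absent) and then checks the effective values the same way sshd resolves them, with the first active occurrence winning. It runs against a constructed sample file so the logic can be exercised before touching `/etc/ssh/sshd_config`; it assumes only POSIX sh, awk and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original lab: apply and verify the lab's
# hardened sshd_config directives on a file, offline. Assumes POSIX sh,
# awk and mktemp.
set -eu

# Effective value of a directive: sshd uses the first active (uncommented)
# occurrence, so later duplicates are ignored. Prints nothing if unset.
sshd_effective() {
  awk -v k="$2" 'BEGIN { lk = tolower(k) }
    /^[[:space:]]*#/ { next }
    tolower($1) == lk { print $2; exit }' "$1"
}

# Set "Key value": the first matching line (active or commented out) is
# replaced, later duplicates are dropped, and the directive is appended
# if it never appears. Usage: set_sshd_option <config> <Key> <value>
set_sshd_option() {
  cfg=$1; key=$2; val=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$val" '
    BEGIN { lk = tolower(k); done = 0 }
    {
      line = $0
      sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip leading "#" and blanks
      n = split(line, f, /[[:space:]]+/)
      if (n > 0 && tolower(f[1]) == lk) {
        if (!done) { print k " " v; done = 1 }   # first match: rewrite in place
        next                                     # further matches: drop
      }
      print
    }
    END { if (!done) print k " " v }              # never seen: append
  ' "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"   # overwrite contents, keeping the target's owner and mode
  rm -f "$tmp"
}

# The lab's hardening: keys only, no root login, no passwords.
harden_sshd_config() {
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PermitRootLogin no
}

# Returns 0 when all three directives are effectively hardened, 1 otherwise.
check_sshd_hardened() {
  [ "$(sshd_effective "$1" PubkeyAuthentication)" = yes ] &&
  [ "$(sshd_effective "$1" PasswordAuthentication)" = no ] &&
  [ "$(sshd_effective "$1" PermitRootLogin)" = no ]
}

# Demo on a constructed config: defaults commented out, one weak active
# setting, and a duplicate "no" that sshd would ignore because it comes second.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# Constructed sample sshd_config for the demo
#PermitRootLogin prohibit-password
PasswordAuthentication yes
#PubkeyAuthentication yes
PasswordAuthentication no
EOF
check_sshd_hardened "$demo_cfg" && echo "before: already hardened" || echo "before: not hardened"
harden_sshd_config "$demo_cfg"
check_sshd_hardened "$demo_cfg" && echo "after: hardened"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

To use it on a real host, point `harden_sshd_config` at a copy of `/etc/ssh/sshd_config`, run `sshd -t` against the result to catch syntax errors before restarting the daemon, and only then swap it in. The key itself is created beforehand with `ssh-keygen -t ed25519`, which prompts for the passphrase the lab insists on. After the restart, the lockdown test from the last step is `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@server-ip`, which should be refused with `Permission denied (publickey)` and no password prompt.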