to further clarify this, please replicate the following:
start your instance (from scratch) and associate a security group to it (note that the default security group CANNOT be deleted - nevertheless you can empty it and create new ones);
log on to your server with the given credentials (e.g. key/ssh port, default 22);
modify /etc/ssh/sshd_config to specify a port you want to connect to (other than 22);
modify the port for ssh in the security group (e.g. remove default 22 and put a new custom TCP one with the same number as specified by you in step 3 above);
reconnect to your server to verify that port change has worked for ssh.
1st attempt, I did what you said except I changed the ssh_config instead of the sshd_config… rookie mistake I guess.
2nd attempt, changed the sshd like you said and fixed the security group so that it only had the custom TCP connection through the specified port number. After exiting and trying to enter, the connection timed out. I changed my local ssh but then it refused.
Sorry I don't know what I am missing
The file you want to modify is sshd_config. This is the daemon configuration file. The ssh_config file is the client and will only be useful if you connect to another ssh host. Also, please remember to restart the ssh service with:
sudo systemctl restart ssh
This might give you a warning about existing ssh connections. You can ignore that, log out and try to log back in to your new port.
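The port-change procedure from the first post and the sshd_config/restart point from the reply above, as an added shell example (not code from anyone in this thread). It edits and reads back the Port line of an sshd_config file offline on a constructed sample config, so the edit can be checked before the security group is touched; the paths, the sample config and the port number 2222 are assumptions for the walk-through.

```shell
#!/bin/sh
# Added example, not code from the thread: change the sshd listening port in an
# sshd_config file and read back the effective port, so the edit can be verified
# before the security group is touched. The sample config below is constructed.
set -eu

# Effective port as sshd would see it: the last uncommented "Port N" wins,
# and OpenSSH falls back to 22 if there is none (keywords are case-insensitive).
get_sshd_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# Set "Port N": rewrite an existing Port line (commented or not), else append one.
# Rejects anything that is not a number in 1..65535.
set_sshd_port() {
    file=$1
    newport=$2
    case $newport in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$newport" -lt 1 ] || [ "$newport" -gt 65535 ]; then
        echo "port out of range" >&2; return 1
    fi
    if grep -qE '^[#[:space:]]*[Pp]ort[[:space:]]+[0-9]+' "$file"; then
        sed -i.bak -E "s/^[#[:space:]]*[Pp]ort[[:space:]]+[0-9]+.*/Port $newport/" "$file"
    else
        printf 'Port %s\n' "$newport" >> "$file"
    fi
}

# Offline walk-through on a constructed copy of a stock Ubuntu sshd_config.
# Prints the effective port after the change.
demo_port_change() {
    tmp=$(mktemp -d)
    cat > "$tmp/sshd_config" <<'EOF'
# constructed sample, trimmed from a stock Ubuntu sshd_config
#Port 22
#AddressFamily any
PermitRootLogin prohibit-password
PasswordAuthentication no
EOF
    set_sshd_port "$tmp/sshd_config" "$1"
    get_sshd_port "$tmp/sshd_config"
    rm -rf "$tmp"
}

# On the real instance the same edit is followed by (from a session you keep open):
#   sudo sshd -t                       # syntax check before restarting
#   sudo systemctl restart ssh         # on Ubuntu 22.10 and later sshd is socket-
#   sudo systemctl daemon-reload && sudo systemctl restart ssh.socket   # activated
#   sudo ss -tlnp | grep sshd          # confirm the new listener
# Only then add the custom TCP rule for the new port to the security group, test a
# second login on it, and remove the port 22 rule last.
demo_port_change 2222    # prints 2222
```

The order matters for not locking yourself out: edit sshd_config, restart, confirm the listener, open the new port in the security group, log in on the new port from a second terminal, and only then drop the port 22 rule. The timeout in the second attempt above is what you see when the security group and sshd disagree about the port.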
Thank you for the videos these are so clear! What is this public key that he pastes into the authorized keys directory? Is it from my local computer or keys from the server?
Thank you for any help
For your first contact, use the key provided by AWS. You can make one in the console, and any instance in the region will be associated to it.
You can later generate your own, and add it to authorized_keys, test the connection and if it works, delete the original key (the AWS one). You can use ssh-keygen to do this. AWS also has a help file to show their interpretation of this process.
Let me know if you have any questions, I am on mobile now, but later I can post some links and code if needed.
mmm, the PEM key generated on AWS, is generated online, and is only as secure as your console is. Or anything online for that matter.
Yes, connect with the old key, and copy the public key to authorized_keys (without deleting the existing entry yet, so you don't risk locking yourself out). The pem/public key pair you generated offline, with keygen.
Let me know if you have more questions, and good luck.
I would suggest that changing user, and deleting the default one, is also best practice.
All these steps decrease the chances of someone knowing user, key and other sensitive information, without even trying (for example, in AWS the default user is always ubuntu for ubuntu VMs).
PS do these things in steps, rinse and repeat. Once you're confident you are not locking out, look along this thread and follow all the steps for hardening your machines. AWS is no different, other than they have SGs, which may render ufw less useful.
Also, remove root access from all your instances and the console.
PPS please note that authorized_keys and the .ssh dir won't exist for the new user. So you need to make these first, before copying over your pub.
PPPS for a more comprehensive overview about security, which may give you some ideas for securing instances and console, please watch this video by Charles Hoskinson:
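The "make .ssh and authorized_keys first" step from the PPS, together with the earlier advice to add your offline-generated public key before removing the AWS one, as an added shell example (not code from anyone in this thread). It creates the directory and file with the modes sshd requires and adds a key without duplicating it on a re-run; the sample public key, the throwaway home directory and the user name newuser are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: create the .ssh directory and
# authorized_keys file for a newly added user with the modes sshd insists on,
# and add a public key only once. The key and home path are constructed samples.
set -eu

# Constructed sample public key (not a real key); in practice use the .pub you
# generated offline with ssh-keygen.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000000000 you@laptop'

# install_authorized_key HOME PUBKEY [OWNER]
# Creates HOME/.ssh (0700) and authorized_keys (0600), appends PUBKEY if absent,
# optionally chowns both to OWNER, and prints the number of keys now authorised.
install_authorized_key() {
    home=$1
    pubkey=$2
    owner=${3:-}
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"
    # Cheap sanity check: only accept lines that look like OpenSSH public keys.
    case $pubkey in
        'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-'*|'sk-'*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"          # sshd ignores the file if the dir is group/world writable
    touch "$authfile"
    chmod 600 "$authfile"
    # -x whole-line, -F literal: a second run does not add the key twice
    if ! grep -qxF "$pubkey" "$authfile"; then
        printf '%s\n' "$pubkey" >> "$authfile"
    fi
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$sshdir"
    fi
    grep -c '' "$authfile"
}

# Offline walk-through: a throwaway directory stands in for /home/newuser.
# Prints the directory so the result can be inspected.
demo_new_user() {
    newhome=$(mktemp -d)
    install_authorized_key "$newhome" "$SAMPLE_PUBKEY" >/dev/null
    install_authorized_key "$newhome" "$SAMPLE_PUBKEY" >/dev/null   # re-run: still one key
    echo "$newhome"
}

# On the instance (as root, from a session you keep open until the new login works):
#   sudo adduser newuser && sudo usermod -aG sudo newuser
#   install_authorized_key /home/newuser "$(cat /path/to/id_ed25519.pub)" newuser
#   ssh -i id_ed25519 -p <port> newuser@<host>      # from a second terminal
# Only after that login works: sudo deluser --remove-home ubuntu, and in
# sshd_config set "PermitRootLogin no" and "AllowUsers newuser", then restart ssh.
demo_new_user
```

The modes are not cosmetic: with StrictModes on (the default), sshd silently refuses a key whose .ssh directory or authorized_keys file is writable by others, which shows up as the same "permission denied" you get for a missing key. Keep the AWS key's line in the file until the new user and key have logged in successfully, then remove it.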