Harden your public webserver (Part 3: shutdown SSH)
This is the third part of a three-part tutorial.
Closing this port will make your server unmaintainable. Allowing access only to your private IP address will not work if you use dynamic IPs. Unfortunately, this is common practice in Germany, for example.Regardless of that, you won't be able to access your beloved server while on vacation.
The solution I am showing here allows you to access your server from anywhere.
For this we use Wireguard. Wireguard is a free, modern and very secure VPN solution that is also very resource-efficient (unlike OpenVPN, for example).
Install and configure wireguard
For simplicity's sake, I'm showing this for Linux. The configuration on Windows, Mac, iOS and Android differs only slightly.
Install Wireguard on your server:
apt install wireguard
Install wireguard on all of your clients.
On your server:
Generate wireguard keys:
Your private key is in
/etc/wireguard/privatekey
Your public key is in:
/etc/wireguard/publickey
Create a preshared key:
#/etc/wireguard/
cd /etc/wireguard/
mkdir psk
cd psk
wg genpsk > presharedkey
Your preshared key is in /etc/wireguard/psk/presharedkey
Create a server configuration:
Enable portforwarding:
And activate your changes:
sysctl -p
Start and enable your config:
systemctl enable --now wg-quick@wg0.service
On your client:
If not already done. Install wireguard on the client as well.Repeat the step from above to generate the keys.
Create a client configuration:
You have now created the missing client key and can add it to the configuration on the server side:
Start and enable your config:
systemctl enable --now wg-quick@wg0.service
Test connection:
You should see a connection on both with the following command:
wg show
If not, check if the firewall blocks port 51820/UPD or if the Wireguard service is running:
# should show show active
systemctl status wg-quick@wg0
Often there is a typo in the configuration.
Configure SSH on your server
This part is a little tricky.
Please be sure to check beforehand whether wireguard can establish a stable connection. Otherwise you will be locked out.
It's best to make a backup/snapshot beforehand.
The SSH process must be started after the Wireguard process.
We can set this via SystemD. Add wg-quick@wg0.service as required to sshd.service.
This setting is not to be executed on the client!
Now change your SSH listener:
Restart SSH:
systemctl restart ssh.service
Your server is now only accessible from outside via Wireguard over SSH.
Since SSH only listens to this IP, you don't need to do any firewall settings. You can leave port 22 open for SSH worldwide.