Password Based vs Key Based Authentication : Which is More Secure for Your Linux server?


Abstract


Attackers constantly probe internet-facing servers for a way in, and the SSH login prompt is one of their favourite targets. Choosing how users prove their identity to the server is therefore one of the first security decisions to get right. This article explains password-based and key-based authentication for SSH, why key-based authentication holds up against brute-force attacks, and how to configure it on a Linux server.


What is password-based authentication?


Password-based authentication is a method where a user proves their identity by entering a secret password. The server does not store the password itself but a salted hash of it (in /etc/shadow on Linux), and over SSH the password travels inside the already encrypted session, so it is not exposed on the wire.

The weakness is the secret itself: it is short, chosen by a human and often reused. An attacker who can reach the login prompt can simply keep guessing, which is why password-based authentication is vulnerable to brute-force attacks, where attackers try many passwords until they find the right one.

Hashing protects stored passwords only up to a point. If the hash database is stolen, weak passwords can still be recovered by cracking the hashes offline.


What is a brute-force attack?


A brute-force attack is an attack in which attackers use an automated tool together with a wordlist (a list of candidate passwords, often combined with common usernames such as root, admin or test) to log in to the server by trying one password after another until one is accepted. Against SSH this shows up as a stream of "Failed password" entries in the authentication log.

These attacks succeed mainly against accounts with weak, common or reused passwords; a long random password pushes the expected number of guesses far beyond what an attacker can afford.


How to protect from brute-force attacks?


  • Use strong passwords of at least 15 characters (a mix of letters, numbers and special characters, or a passphrase of several random words), and never reuse them across systems.
  • Install and set up a firewall on the Linux server (UFW, iptables or nftables) to control incoming and outgoing traffic, and restrict which networks can reach the SSH port in the first place.
  • Use a tool like Fail2Ban, which watches log files for repeated failed logins and other suspicious behaviour and temporarily blocks the offending IP addresses.
  • Always prefer key-based authentication, and once keys are in place disable password authentication on the server so there is nothing left to guess.
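To make the Fail2Ban idea concrete, here is an added example (not part of the original article) that performs the same detection by hand: it counts "Failed password" events per client IP in an sshd authentication log and turns the offenders into firewall rules. The log lines are constructed for this example, with addresses from documentation ranges, and the threshold of 3 is an assumption; Fail2Ban's sshd jail uses maxretry 5 within findtime 10 minutes by default.

```shell
#!/usr/bin/env bash
# Added example: find brute-force sources in an sshd log by counting
# "Failed password" events per client IP (the signal Fail2Ban's sshd jail
# acts on) and print the ufw rules that would block them.
set -eu

# Constructed extract of /var/log/auth.log (syslog format as written by sshd).
# Not from a real server.
SAMPLE_LOG='Jun 12 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 12 10:01:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jun 12 10:01:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jun 12 10:01:07 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 12 10:01:09 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jun 12 10:02:00 web1 sshd[2119]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Jun 12 10:02:30 web1 sshd[2121]: Accepted publickey for alice from 198.51.100.23 port 40024 ssh2: ED25519 SHA256:constructedfingerprint
Jun 12 10:03:11 web1 sshd[2140]: Failed password for invalid user test from 192.0.2.55 port 33000 ssh2
Jun 12 10:03:12 web1 sshd[2142]: Failed password for invalid user test from 192.0.2.55 port 33002 ssh2'

# brute_force_sources <threshold>
# Reads log lines on stdin and prints "<count> <ip>" for every client IP with
# at least <threshold> failed password attempts, most aggressive source first.
# A single typo by a legitimate user (alice above) stays below the threshold.
brute_force_sources() {
    local threshold="${1:-5}"
    grep -E 'sshd\[[0-9]+\]: Failed password for' \
        | sed -E 's/.* from ([0-9A-Fa-f.:]+) port [0-9]+ ssh2$/\1/' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }' \
        | sort -rn
}

# ufw_rules <threshold>
# Same input; prints the ufw command that would block each offender on the
# SSH port. Printed rather than executed so the list can be reviewed first.
ufw_rules() {
    brute_force_sources "$1" | awk '{ print "ufw deny from " $2 " to any port 22" }'
}

# Demo on the constructed sample (threshold 3 is an assumption for the demo).
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3
printf '%s\n' "$SAMPLE_LOG" | ufw_rules 3
```

On a real server feed it the live log instead of the sample, for example `journalctl -u ssh --no-pager | brute_force_sources 5`. Fail2Ban automates exactly this loop, including unbanning after bantime, which is why the article recommends it over a hand-rolled cron job.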


What is key-based authentication?


Key-based authentication is a mechanism where users log in with a pair of cryptographic keys: a public key and a private key. The two are mathematically linked, but the private key cannot be derived from the public one.

The public key is placed on the server (host machine), while the private key stays on the user's client machine and is never sent over the network.


How does key-based authentication work?


  • Key generation: the user (client) generates a key pair on their local machine. This produces a private key (for example ~/.ssh/id_ed25519) and a matching public key (~/.ssh/id_ed25519.pub).
  • Client side setup

ssh-keygen -t ed25519 // Generate the private and public key (ed25519 is the recommended type; ssh-keygen -t rsa -b 4096 also works). Set a passphrase when asked: it protects the private key if the file is ever stolen.

ls -l ~/.ssh // Check that the private key (id_ed25519) and the public key (id_ed25519.pub) exist

ssh-copy-id user@server_IP // Copy the public key to the server you want to log in to. This asks for the account password one last time.

  • Server side setup

cat ~/.ssh/authorized_keys // On the server: confirm the public key was appended. If it is missing, paste the contents of your id_ed25519.pub file into this file.

ssh user@server_IP // From the client: access the server via ssh. You should now log in without a password prompt (only the key passphrase, if you set one).

  • Set the correct permissions on the server (sshd ignores authorized_keys if the file or the .ssh directory can be written by other users)

chmod 600 ~/.ssh/authorized_keys

chmod 700 ~/.ssh

  • Authentication process: when the user (client) connects, the server (host machine) looks for the offered public key in authorized_keys and sends the client a challenge. The client signs the challenge with its private key and the server verifies the signature with the public key. Authentication succeeds only if the client holds the matching private key; otherwise the server denies access.
  • The private key never leaves the client, and the server learns nothing it could reuse to impersonate the user. There is also no password for an attacker to guess: the key space of an Ed25519 or 4096-bit RSA key is far too large to brute-force.
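The server-side half of the procedure above as an added example (not part of the original article): it installs a public key into authorized_keys the way ssh-copy-id does (append once, never duplicate), applies the 700/600 modes, and checks them, since a wrong mode is the most common cause of an unexplained "Permission denied (publickey)". The key line is constructed (the base64 blob is not a real key; only its "type base64 comment" shape matters) and the script works in a throwaway directory standing in for the target user's home.

```shell
#!/usr/bin/env bash
# Added example: install a public key the way ssh-copy-id does and verify the
# permissions sshd requires before trusting ~/.ssh/authorized_keys.
set -eu

# Constructed sample public key line; not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealXXXXXXXXXXXXXXXXXXXXXX alice@laptop'

# install_pubkey <ssh_dir> <pubkey_line>
# Appends the key to <ssh_dir>/authorized_keys unless it is already there,
# creating the directory and file with the conventional modes. Prints the
# number of keys now authorized, so a re-run is visibly idempotent.
install_pubkey() {
    local ssh_dir="$1" key="$2" auth
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    # -F fixed string, -x whole line: never add the same key twice
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    grep -cE '^(ssh-|ecdsa-|sk-)' "$auth"
}

# check_ssh_perms <ssh_dir>
# sshd (StrictModes yes, the default) silently ignores authorized_keys when
# the file or the .ssh directory is writable by group or others, and the ssh
# client refuses a private key readable by anyone else. This enforces the
# conventional 700 / 600 modes, reports each problem on stderr and returns
# non-zero if any was found. The home directory itself must also not be
# group- or world-writable; that is left to the reader's own check.
check_ssh_perms() {
    local ssh_dir="$1" problems=0 f mode
    mode=$(stat -c '%a' "$ssh_dir")
    if [ "$mode" != "700" ]; then
        echo "$ssh_dir has mode $mode, want 700" >&2
        problems=$((problems + 1))
    fi
    for f in "$ssh_dir"/authorized_keys "$ssh_dir"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac   # public keys may be world-readable
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "600" ]; then
            echo "$f has mode $mode, want 600" >&2
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Demo in a throwaway directory (replace with the real user's home on the server).
DEMO_HOME=$(mktemp -d)
install_pubkey "$DEMO_HOME/.ssh" "$SAMPLE_PUBKEY"   # prints 1
install_pubkey "$DEMO_HOME/.ssh" "$SAMPLE_PUBKEY"   # still 1: no duplicate added
chmod 644 "$DEMO_HOME/.ssh/authorized_keys"          # simulate the classic mistake
if check_ssh_perms "$DEMO_HOME/.ssh"; then
    echo "permissions OK"
else
    echo "fix permissions before trying to log in"
fi
rm -rf "$DEMO_HOME"
```

If a key login still fails after the check passes, run the client with `ssh -v` and look on the server in the auth log or `journalctl -u ssh`; sshd logs the reason it rejected the key (including bad ownership), which the client never sees.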


What is SSH (Secure Shell)?


SSH (Secure Shell) is a network protocol, listening on TCP port 22 by default, used to securely access a remote machine from a client. It provides an encrypted and authenticated channel between the client and the server over an untrusted network, so passwords, keys, commands and data cannot be read or altered in transit. Over SSH you can log in remotely, run commands, transfer files (scp, sftp) and forward ports. On Linux the server side is the OpenSSH daemon, sshd, configured in /etc/ssh/sshd_config.


SSH (Secure Shell) configuration


Step 1 Server side:

  • Make sure openssh-server is installed on the server. If not, install it (Debian/Ubuntu shown):

sudo apt update

sudo apt install openssh-server

  • To change the default configuration, edit the sshd_config file at /etc/ssh/sshd_config (optional in general, but required if you want key-only authentication):

sudo nano /etc/ssh/sshd_config // note: nano is a text editor in Linux; any editor will do.

  • For key-based authentication only, set these options. Only the first occurrence of each keyword counts, and files pulled in by the Include line at the top of the file (/etc/ssh/sshd_config.d/*.conf on Debian/Ubuntu) are read first and therefore win, so check them too:

Disable password authentication: PasswordAuthentication no

Disallow root login: PermitRootLogin no (best practice: root is the one account every attacker knows exists, so removing it from SSH removes the favourite brute-force target; log in as a normal user and use sudo)

  • Restart the SSH service: sudo systemctl restart sshd (on Debian/Ubuntu the unit is ssh.service, with sshd as an alias). Keep your current session open and test a new login from a second terminal before closing it, so a mistake in the configuration cannot lock you out.
  • Optionally change the default SSH port to cut down noise from automated scanners: change Port 22 to Port Your_PORT (replace Your_PORT with the port you want). This hides the service from the laziest bots but is not a security control on its own; the two settings above are what actually stop an attacker. Allow the new port in the firewall before restarting sshd.


Step 2 Client side:

  • Make sure openssh-client is installed on the client. If not, install it:

sudo apt update

sudo apt install openssh-client

  • To connect to the server on the new port, specify the port number with the -p option. Run ssh as your own user, not with sudo: sudo would run it as root and look for keys in root's ~/.ssh instead of yours.

ssh -p Your_PORT username@server_ip
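Before restarting sshd it pays to verify what the daemon will actually do, because the first-match and Include rules above mean a "PasswordAuthentication yes" in a drop-in can quietly undo the edit in the main file. The following is an added example (not part of the original article) that audits sshd_config files in the order sshd reads them and reports the weak settings Step 1 fixes. All three configurations are constructed samples; the drop-in imitates the kind cloud images install, and the port 2222 is an arbitrary choice for the demo.

```shell
#!/usr/bin/env bash
# Added example: audit sshd configuration for the settings changed in Step 1,
# honouring sshd's rules that the FIRST occurrence of a keyword wins and that
# Include'd drop-ins are read where the Include line sits (the top, on
# Debian/Ubuntu), so they take precedence over the main file.
set -eu

# Constructed stock-style configuration with both weak settings in effect.
WEAK_CONFIG='# constructed sample sshd_config
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes'

# The same file after Step 1, with the port moved (2222 is an arbitrary pick).
HARDENED_CONFIG='Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes'

# Constructed drop-in of the kind cloud images ship; read before the main
# file, it re-enables password logins no matter what the main file says.
CLOUD_DROPIN='PasswordAuthentication yes'

# effective_value <keyword> <file>...
# Scans the files in the order sshd would (drop-ins first when the Include is
# at the top) and prints the first value found, or "default" if the keyword
# never appears uncommented. Keywords are case-insensitive, as in sshd.
effective_value() {
    local key="$1" v
    shift
    v=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$@")
    printf '%s\n' "${v:-default}"
}

# audit_sshd_config <file>...
# Prints one finding per weak setting; returns non-zero if any was found.
audit_sshd_config() {
    local findings=0 v
    v=$(effective_value PasswordAuthentication "$@")
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication=$v (sshd default is yes): set PasswordAuthentication no"
        findings=$((findings + 1))
    fi
    v=$(effective_value PermitRootLogin "$@")
    if [ "$v" != "no" ]; then
        # sshd's own default is prohibit-password, which still lets root in with a key.
        echo "PermitRootLogin=$v: set PermitRootLogin no and use sudo instead"
        findings=$((findings + 1))
    fi
    v=$(effective_value PubkeyAuthentication "$@")
    if [ "$v" = "no" ]; then
        echo "PubkeyAuthentication=no: key logins would be refused, remove this line"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo on temporary copies of the constructed configs.
WORK=$(mktemp -d)
printf '%s\n' "$WEAK_CONFIG"     > "$WORK/weak.conf"
printf '%s\n' "$HARDENED_CONFIG" > "$WORK/hardened.conf"
printf '%s\n' "$CLOUD_DROPIN"    > "$WORK/50-cloud-init.conf"
echo "weak:";     audit_sshd_config "$WORK/weak.conf" || true
echo "hardened:"; audit_sshd_config "$WORK/hardened.conf" && echo "no findings"
echo "hardened, but with the cloud drop-in included first:"
audit_sshd_config "$WORK/50-cloud-init.conf" "$WORK/hardened.conf" || true
rm -rf "$WORK"

# On a real server, in sshd's own order:
#   audit_sshd_config /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
# then validate and inspect the merged result before restarting:
#   sudo sshd -t                   (no output means the syntax is valid)
#   sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin|^port'
```

The `sshd -T` check is the authoritative one: it prints the effective configuration after all includes and defaults have been applied, so whatever it shows for PasswordAuthentication is what the next login attempt will face.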



If you have any query, drop a comment. I am happy to help you. Aman Reddy

Sneha Bansod

"Devops Engineer| Actively Looking for Devops engineer role | Software testing | Manual testing | Functional Testing | JIRA | SQL"

7 months

Insightful!

Apeksha Bansod

Test Engineer | EV domain | Software QA Automation | Selenium WebDriver | TestNG | Manual Testing | Mobile Testing | APPIUM | DevOps | Jenkin

7 months

Thanks for sharing
