Selecting Your Linux Distribution and Hardening SSH Access
Choosing the right operating system is the foundation of your infrastructure. Once deployed, securing that environment is paramount. This guide covers the technical nuances of popular Linux distributions and the implementation of high-entropy Ed25519 SSH keys to prevent unauthorized access.
1. Linux Distribution Selection
Select the distribution that best aligns with your project's stability and package requirements:
| Distribution | Best Use Case | Technical Characteristics |
|---|---|---|
| Ubuntu 22.04/24.04 LTS | General Purpose / Modern Apps | Massive community support, recent kernel versions, and frequent package updates. |
| AlmaLinux 8/9 | Enterprise / cPanel Hosting | The spiritual successor to CentOS. 1:1 binary compatible with RHEL. Focuses on long-term stability. |
| CentOS Stream | Development / RHEL Testing | A mid-stream platform located between Fedora and RHEL. Ideal for testing future enterprise features. |
| Debian 11/12 | High-Stability Servers | Extremely lightweight and "pure." Slower update cycle but known for bulletproof uptime. |
2. Generating Ed25519 SSH Keys
While RSA was the standard for years, Ed25519 is now recommended due to its superior security, smaller key size, and faster performance. It is resistant to side-channel attacks and provides higher security than ECDSA and RSA.
On your local machine (Windows PowerShell, macOS, or Linux Terminal), run:
ssh-keygen -t ed25519 -C "[email protected]"
- Private Key:
id_ed25519(Stored locally, never share this). - Public Key:
id_ed25519.pub(Uploaded to your Hovixa VPS).
3. Disabling Password Authentication
Even with a strong password, your VPS is vulnerable to brute-force attacks. Disabling password login forces the server to require a valid SSH key to even initiate a session.
⚠️ WARNING
Ensure you can successfully log in with your SSH key before performing these steps. If you disable passwords without a working key, you will be locked out and must use the VNC console to fix it.
Step-by-Step Implementation:
- Edit the SSH daemon configuration:
sudo nano /etc/ssh/sshd_config
- Locate and modify the following directives:
PasswordAuthentication no PubkeyAuthentication yes ChallengeResponseAuthentication no UsePAM no
- Save the file (Ctrl+O) and exit (Ctrl+X).
- Test the configuration syntax and restart the service:
sudo sshd -t sudo systemctl restart ssh
4. Technical Implementation Details
- Port Obscurity: While not a primary defense, changing your SSH port from
22to a custom high port (e.g.,2284) in the samesshd_configfile can reduce automated "bot" noise in your logs by up to 95%. - Root Login: It is standard practice to set
PermitRootLogin prohibit-password. This allows root access only via SSH keys, preventing password-based root attempts. - Entropy: On a fresh VPS, the system might lack entropy for key operations. Hovixa uses
virtio-rngto ensure your Linux kernel has access to a hardware-accelerated random number generator.
Sysadmin Tip: Use ssh-copy-id -i ~/.ssh/id_ed25519.pub root@your_vps_ip from your local machine to automatically append your key to the server's authorized_keys file with the correct permissions.
