
Hardening Edgerouter ER-X by SSH

Generating RSA keys on client device (e.g. Ubuntu 16.04 LTS):

ssh-keygen -t rsa

which stores the key pair under ~/.ssh in your $HOME directory. A prompt for a passphrase will appear; in this example we leave it empty (note that an unencrypted private key can be used by anyone who obtains the file). The generated pair consists of id_rsa.pub, the public key (which may be shared freely), and id_rsa, the private key (which must be kept secret).

Copying the public SSH key from the client to the router (the server):

scp ~/.ssh/id_rsa.pub username@router.current.ip.address:/home/username/.ssh

For example, if the username is edgemax and the router IP address is 192.168.1.1, the command is (the .ssh directory must already exist on the router):

scp ~/.ssh/id_rsa.pub edgemax@192.168.1.1:/home/edgemax/.ssh/

Alternatively, use ssh-copy-id, which appends the key to ~/.ssh/authorized_keys on the router (creating the directory if it does not exist):

ssh-copy-id -i ~/.ssh/id_rsa.pub edgemax@192.168.1.1

If the files under the router user's home directory are not owned by that user (check the ownership with "ls -la /home/username/"), set the ownership to the user, since you should not need to access these files as root [a prime security concern among GNU/Linux administrators and users]:

chown -R edgemax /home/edgemax

Setting the permissions of the $HOME directory, the .ssh folder and authorized_keys:

chmod 755 /home/edgemax   # same effect as: chmod go-w /home/edgemax (group and others lose write access)
chmod 700 /home/edgemax/.ssh
chmod 600 /home/edgemax/.ssh/authorized_keys

chown edgemax: /home/edgemax/.ssh/authorized_keys

On the client, edit the ssh_config file at /etc/ssh/ssh_config and uncomment the IdentityFile line that matches the key type (RSA in this example). Since we used the default key name, keep the path as it is and only remove the '#' character in front:

IdentityFile ~/.ssh/id_rsa

SSH into the router with your password and do the final step that activates key-based SSH login: enter configuration mode (edgemax@router_name:~$ configure) and load the public key for the user (loadkey takes the username followed by the key file):

loadkey edgemax /home/edgemax/.ssh/id_rsa.pub

or, if the key was copied with ssh-copy-id:

loadkey edgemax /home/edgemax/.ssh/authorized_keys

After the loadkey command, run commit, then save, then exit twice (once to leave configuration mode and once to close the SSH session). Before closing that password session, it is worth confirming from a second terminal that ssh edgemax@192.168.1.1 logs in with the key. Now we should be able to SSH into the EdgeRouter securely.
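As an added example (not code from the original post or from Ubiquiti), the following POSIX shell script audits and repairs the permission layout the steps above prescribe for the router user's home directory (755 for the home, 700 for .ssh, 600 for authorized_keys), and checks that the file about to be handed to loadkey is a single OpenSSH public-key line rather than, say, the private key copied by mistake. The function names, the temporary paths and the sample key line are assumptions made for this example; /home/edgemax appears only in the usage comment.

```shell
#!/bin/sh
# Added example: audit/repair the SSH permission layout from the post and
# sanity-check a public key file before it is passed to loadkey.
# Function names and paths are assumptions for this example.

# Print the octal permission bits of a path (GNU stat, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ensure_mode PATH MODE: fix PATH if its mode differs from MODE.
# Returns 0 when it was already correct, 1 when it had to be changed.
# Progress messages go to stderr so callers can capture counts on stdout.
ensure_mode() {
    path=$1; want=$2
    have=$(perm_of "$path")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "fixing $path: $have -> $want" >&2
    chmod "$want" "$path"
    return 1
}

# audit_ssh_home HOMEDIR: apply the three modes from the post to HOMEDIR,
# HOMEDIR/.ssh and HOMEDIR/.ssh/authorized_keys (skipping missing entries).
# Prints the number of fixes made.
audit_ssh_home() {
    home=$1; fixes=0
    for entry in "$home:755" "$home/.ssh:700" "$home/.ssh/authorized_keys:600"; do
        path=${entry%:*}; want=${entry##*:}
        [ -e "$path" ] || continue
        ensure_mode "$path" "$want" || fixes=$((fixes + 1))
    done
    echo "$fixes"
}

# is_openssh_pubkey FILE: succeed only if FILE holds exactly one OpenSSH
# public-key line (key type, base64 blob, optional comment) and nothing else.
is_openssh_pubkey() {
    file=$1
    [ -f "$file" ] || return 1
    # Refuse a private key: a common slip is loading id_rsa instead of id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$file"; then
        return 1
    fi
    # Exactly one line (grep -c '' also counts a final line without a newline).
    [ "$(grep -c '' "$file")" -eq 1 ] || return 1
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( .*)?$' "$file"
}

# Usage on the router, after the key has been copied:
#   sh ssh_perm_audit.sh /home/edgemax
# Nothing is touched unless a home directory is given explicitly.
if [ $# -gt 0 ]; then
    echo "$(audit_ssh_home "$1") permission fix(es) applied under $1"
fi
```

Run it against the router user's home before the loadkey step; a second run should report zero fixes, and is_openssh_pubkey on the file you intend to load should succeed.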
