cloud engineer
AWS LightSail now has the ability to restrict IP addresses in their firewall rules. LightSail instances can now be secured by limiting firewall rules from an IP CIDR block or a single IP address. For example, you can restrict who can SSH into your instance by limiting it to just your IP address, so only you can SSH into your machine. Another feature AWS added in their LightSail firewall is support for ping, which could be helpful for monitoring and checks.
Here’s the command to copy a secret key to a remote server.
ssh-copy-id user@servername |
This assumes you already generated a key.
When you stand up an AWS instance, it’s only accessible via SSH key using the default user, typically ec2-user.
Add password to ec2-user, then enable password authentication to ‘yes’ in SSH.
# Add password to ec2-user sudo passwd ec2-user # edit ssh config vim /etc/ssh/sshd_config # enable password authentication PasswordAuthentication yes # save file and exit |
Restart SSH service.
systemctl restart sshd.service |
How to suppress typing “yes” when prompted by ssh.
#!/bin/bash ssh-keygen -f "/home/user/.ssh/known_hosts" -R "yourdomain.com" ssh -o "StrictHostKeyChecking=no" -i "keys/key.pem" ubuntu@domain.com |
If unable to login via SSH, check the /etc/ssh/sshd_config for AllowGroups.
AllowGroups root groupname |
It’s case sensitive.
If you’ve changed keys, you will need to delete a ssh key from /etc/known_hosts file.
You can edit it manually using an editor such as vi or vim.
vim ~/.ssh/known_hosts |
Or you can use ssh-keygen command with -R option to delete the hostname or IP address.
ssh-keygen -f "~/.ssh/known_hosts" -R "xxx.xxx.xxx.xxx" |