Lock Down SSH with spiped

Last updated: Oct 6, 2024

SSH daemons have a history of vulnerabilities that could lead to remote code execution or a compromised server. Putting spiped in front of SSH protects against 0-day vulnerabilities in the daemon: anyone without the key cannot even attempt to connect to it.

From the author:

Since data is authenticated before being forwarded to the target, this can allow you to SSH to a host while protecting you in the event that someone finds an exploitable bug in the SSH daemon — this serves the same purpose as port knocking or a firewall which restricts source IP addresses which can connect to SSH.

What is spiped?

Spiped is a utility for creating encrypted and authenticated pipes between socket addresses. It’s like a force field for your SSH connection.

Why use spiped?

  1. Adds an extra layer of encryption
  2. Protects against man-in-the-middle attacks
  3. Hides your SSH port from scanners
  4. Works with any SSH client

Let’s secure your server.

Step 1: Install spiped

On Ubuntu or Debian:

sudo apt update
sudo apt install spiped

On CentOS or Fedora:

sudo yum install epel-release
sudo yum install spiped

Step 2: Generate a secret key

Spiped needs a shared secret key. Create one:

sudo dd if=/dev/urandom bs=32 count=1 of=/etc/spiped-secret
sudo chmod 600 /etc/spiped-secret

This creates a 32-byte random key and restricts access to root.

Step 3: Set up spiped on your VPS

Create a systemd service file:

sudo nano /etc/systemd/system/spiped-ssh.service

Paste this content:

[Unit]
Description=Spiped for SSH
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/spiped -F -d -s '[0.0.0.0]:8022' -t '[127.0.0.1]:22' -k /etc/spiped-secret
Restart=always

[Install]
WantedBy=multi-user.target

This tells spiped to:

  • Listen on all interfaces, port 8022
  • Forward traffic to localhost, port 22 (SSH)
  • Use the secret key we generated

Save and close the file.

Step 4: Start and enable the service

sudo systemctl start spiped-ssh
sudo systemctl enable spiped-ssh

Step 5: Configure your firewall

Allow incoming connections on port 8022:

For UFW:

sudo ufw allow 8022/tcp

For firewalld:

sudo firewall-cmd --add-port=8022/tcp --permanent
sudo firewall-cmd --reload

Step 6: Set up spiped on your local machine

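Install spiped on your local machine using the same method as Step 1. The local instance uses the same secret key generated in Step 2, so copy that file to your local machine over a channel you trust.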

Create a script to start the local spiped instance:

nano ~/spiped-ssh-connect.sh

Add this content:

#!/bin/bash
spiped -e -s '[127.0.0.1]:8022' -t '[YOUR_VPS_IP]:8022' -k /path/to/spiped-secret

Replace YOUR_VPS_IP with your VPS’s actual IP address, keeping the square brackets and quotes.

Make the script executable:

chmod +x ~/spiped-ssh-connect.sh

Step 7: Connect to your VPS

  1. Start the local spiped instance:

    ~/spiped-ssh-connect.sh
    
  2. In a new terminal, connect via SSH:

    ssh -p 8022 username@localhost
    

You’re now connected through an encrypted spiped tunnel!
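
Once the tunnel works, check that the setup gives the protection described above: the key file from Step 2 has 32 bytes and mode 600, and sshd is not also answering on a public address, since a port 22 that is still reachable bypasses spiped. The script below is an added example, not part of the original post; it assumes GNU stat and ss from iproute2, and the file name spiped-audit.sh is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes GNU stat and iproute2's ss.

# check_key FILE: succeed only if FILE has at least 32 bytes and mode 600 (Step 2).
check_key() {
    local f=$1 size mode
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
    size=$(( $(wc -c < "$f") ))
    mode=$(stat -c '%a' "$f")
    [ "$size" -ge 32 ] || { echo "FAIL: $f is only $size bytes"; return 1; }
    [ "$mode" = 600 ] || { echo "FAIL: $f has mode $mode, expected 600"; return 1; }
    echo "OK: $f ($size bytes, mode $mode)"
}

# exposed_listeners PORT: read `ss -Hltn` output on stdin and print each
# non-loopback local address listening on PORT. No output means loopback only.
exposed_listeners() {
    awk -v port="$1" '$1 == "LISTEN" {
        addr = $4; sub(/:[0-9]+$/, "", addr)   # local address without ":port"
        p = $4;    sub(/^.*:/, "", p)          # port only
        if (p == port && addr !~ /^127\./ && addr != "[::1]") print addr
    }'
}

# Run on the VPS as root: bash spiped-audit.sh --run   (hypothetical file name)
if [ "${1:-}" = "--run" ]; then
    rc=0
    check_key /etc/spiped-secret || rc=1
    open=$(ss -Hltn | exposed_listeners 22 | tr '\n' ' ')
    if [ -n "$open" ]; then
        echo "WARN: port 22 is bound on ${open}and bypasses spiped unless firewalled"
        rc=1
    else
        echo "OK: port 22 listens on loopback only"
    fi
    if [ -n "$(ss -Hltn | exposed_listeners 8022)" ]; then
        echo "OK: spiped port 8022 is listening"
    else
        echo "FAIL: nothing is listening on port 8022"; rc=1
    fi
    exit "$rc"
fi
```

A warning on port 22 means sshd is bound to a public address; it is only protected by spiped if the firewall blocks that port or sshd is restricted to 127.0.0.1.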

Optional: Disable password authentication

For maximum security, use SSH keys and disable password authentication:

  1. On your local machine, generate an SSH key pair:

    ssh-keygen -t ed25519 -C "your_email@example.com"
    
  2. Copy the public key to your VPS:

    ssh-copy-id -p 8022 username@localhost
    
  3. On your VPS, edit the SSH config:

    sudo nano /etc/ssh/sshd_config
    
  4. Set these options:

    PasswordAuthentication no
    PubkeyAuthentication yes
    
  5. Restart the SSH service (the unit is named sshd on CentOS and Fedora):

    sudo systemctl restart ssh
    

Troubleshooting

Can’t connect? Check these:

  1. Is spiped running on both machines?

    sudo systemctl status spiped-ssh
    
  2. Are you using the correct port (8022)?

  3. Is your firewall allowing connections?

  4. Did you copy the secret key to your local machine?

  5. Are the IP addresses in your local script correct?

Spiped vs. VPN

Why use spiped instead of a VPN?

  1. Simpler setup
  2. Less overhead
  3. Focused on securing just SSH
  4. Can be used alongside a VPN

However, a VPN secures all traffic. Choose based on your needs.

Conclusion

You’ve now fortified your VPS’s SSH connection. Spiped adds a powerful layer of security, making life much harder for attackers.

Remember:

  • Keep your secret key safe
  • Update your systems regularly
  • Monitor for unusual activity

With these steps, you’ve significantly boosted your server’s security. Sleep easier knowing your VPS is better protected against SSH-based attacks.
