How to create ssh keys + .ppk for login to server without password, protection against ssh bruteforce
To protect your server against SSH brute-force attacks, disable password login, create SSH keys, change the SSH port and create a new user to use instead of root. On your local Linux machine, make a new folder, for example berlin:
mkdir -p ~/.ssh/berlin
ssh-keygen -t ed25519 -C "your-email@yahoo.com" -f ~/.ssh/berlin/id_ed25519
Run ssh-keygen as your normal user, not with sudo, so that the key files belong to you and not to root.
-f avoids the prompt: Enter file in which to save the key (/home/user/.ssh/berlin/id_ed25519):
Then it will ask for a passphrase.
This creates two files:
~/.ssh/berlin/id_ed25519 → private key (keep this safe!)
~/.ssh/berlin/id_ed25519.pub → public key (to copy to your server)
Set key permissions (important!):
chmod 700 ~/.ssh
chmod 600 ~/.ssh/berlin/id_ed25519
chmod 644 ~/.ssh/berlin/id_ed25519.pub
If you lost access to the server, copy and paste the key through VNC:
cat ~/.ssh/berlin/id_ed25519.pub
It will look something like:
ssh-ed25519 AAAAC………….f6P your-email@yahoo.com
Add that public key to your server.
Log in via VNC/web console provided by your hosting provider.
Ensure the .ssh folder exists in your server home directory:
Edit the authorized_keys file:
nano ~/.ssh/authorized_keys
Paste the public key you copied in the step above as a single line:
ssh-ed25519 AAAAC.............f6P your-email@yahoo.com
Save and exit.
Set correct permissions:
chmod 600 ~/.ssh/authorized_keys
Test SSH login from local:
ssh -i ~/.ssh/berlin/id_ed25519 user@server_ip
-i tells SSH which private key to use, which matters if you have keys for more than one server.
To avoid typing the long command a million times, you can make an alias in the .bashrc or .zshrc config file of your shell:
alias berlin="ssh -i ~/.ssh/berlin/id_ed25519 user@server_ip"
After editing .zshrc, run source ~/.zshrc to apply the changes immediately. Then you just type berlin in the terminal to run the long command and log in to your server.
If you want to make a .ppk file for FileZilla, use this command (run it in the folder where the file should be saved, for example Desktop):
puttygen ~/.ssh/berlin/id_ed25519 -O private -o berlin.ppk
Then you can load that file in FileZilla.
#####################
If you want to change the SSH key passphrase:
ssh-keygen -p -f ~/.ssh/berlin/id_ed25519
Type the old and the new passphrase…
The passphrase only encrypts your local private key file.
You do NOT need to upload a new public key to authorized_keys on the server.
You do NOT need to create a new .ppk for FileZilla (unless you want to).
When you connect, FileZilla will prompt for the passphrase. Simply enter the new one. The .ppk file itself does not need to change.
If you want to change the email in the keys, which is in fact an unimportant comment (for example to KissssMyAssss):
ssh-keygen -c -f ~/.ssh/berlin/id_ed25519 -C "KissssMyAssss"
cat ~/.ssh/berlin/id_ed25519.pub
ssh-ed25519 AA…………..JN KissssMyAssss
####################
Server ssh protection:
cd /etc/ssh
sudo nano sshd_config
Change the port from 22 to one of your choice and set PermitRootLogin to no, but only after uploading the SSH keys, or you will lock yourself out:
Port 11111
PermitRootLogin no
PubkeyAuthentication yes
# scroll down and set these, this prevents being logged out because of inactivity
ClientAliveInterval 60
ClientAliveCountMax 10
Close nano and restart ssh:
sudo systemctl restart ssh
Now try ssh from local:
ssh -p 11111 -i ~/.ssh/berlin/id_ed25519 newuser@123.55.166.66
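Added example (not part of the original post or its script): a small shell audit of the server settings above. It reads an sshd_config file and reports which of this guide's goals are not met, including password login, which the opening paragraph says to disable but the settings above do not list. The function names and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config file against the goals of this guide.
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.
# Assumptions: "Keyword value" syntax only; Include files, Match blocks and a
# repeated Port line are not handled.

# Print the effective value of keyword $2 in file $1, or the OpenSSH default $3.
sshd_value() {
  awk -v key="$2" -v def="$3" '
    BEGIN { key = tolower(key) }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    tolower($1) == "match" { exit }          # global section ends at the first Match
    tolower($1) == key { print tolower($2); found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

# Print one finding per line; return 1 if any setting misses the goal, else 0.
audit_sshd_config() {
  bad=0
  v=$(sshd_value "$1" Port 22)
  [ "$v" != 22 ] || { echo "WARN Port is still 22"; bad=1; }
  v=$(sshd_value "$1" PermitRootLogin prohibit-password)
  [ "$v" = no ] || { echo "WARN PermitRootLogin is '$v', expected 'no'"; bad=1; }
  v=$(sshd_value "$1" PubkeyAuthentication yes)
  [ "$v" = yes ] || { echo "FAIL PubkeyAuthentication is '$v', key login will be refused"; bad=1; }
  v=$(sshd_value "$1" PasswordAuthentication yes)
  [ "$v" = no ] || { echo "WARN PasswordAuthentication is '$v', passwords are still accepted"; bad=1; }
  return "$bad"
}

# Constructed sample: exactly the settings listed in this guide.
sample_guide_config() {
  printf '%s\n' '# constructed sample' 'Port 11111' 'PermitRootLogin no' \
    'PubkeyAuthentication yes' 'ClientAliveInterval 60' 'ClientAliveCountMax 10'
}

tmp=$(mktemp)
sample_guide_config > "$tmp"
audit_sshd_config "$tmp" || echo "Fix the findings, then run: sudo sshd -t"
rm -f "$tmp"
```

On a live server, sudo sshd -T prints the effective configuration with Include files resolved, and sudo sshd -t checks the syntax before you restart ssh.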
Note that ssh takes the port with a lowercase -p (-p 11111), while scp takes it with an uppercase -P (-P 11111).
Example ssh to log in:
ssh -p 11111 -i ~/.ssh/berlin/id_ed25519 newuser@123.55.166.66
Example scp to copy (the same goes for rsync); this copies a remote file to your local Linux machine:
scp -P 11111 -i ~/.ssh/berlin/id_ed25519 newuser@123.55.166.66:/home/newuser/.bash_history /home/brucelee/Documents/backup
If you disabled root login after creating the new user, you must log in to the server, set “PermitRootLogin yes” and restart ssh; otherwise the connection will be refused because root is disabled. After you finish the job, disable root again: “PermitRootLogin no”. Only after allowing root login in sshd_config can you copy root-owned files, like the PHP config for example:
scp -P 11111 -i ~/.ssh/berlin/id_ed25519 /home/brucelee/Documents/backup/php/8.3/apache2/php.ini root@123.55.166.66:/etc/php/8.3/apache2/
Another option: add the new user to the sudo group so that the new user can get permission for root-owned folders:
sudo usermod -aG sudo newuser
After adding a user to the sudo group, you can verify their membership using the groups command:
groups newuser
Now you can modify root-owned files as the new user, for example with FileZilla and with the terminal, and you no longer need to touch PermitRootLogin no.
#####################
And here is the ssh-keys-ppk.sh script with zenity pop-ups that makes the SSH keys automatically, plus the .ppk for FileZilla. Don’t forget to make it executable: chmod +x ssh-keys-ppk.sh
