
How to Set up and Secure an SSH Server

What is SSH and Why Should I use it?

This is something which I recently learned and it’s already come in handy for me and a couple of very trusted people. What is SSH and why should you use it, you ask? Well, for a start, the clue is in the name – Secure Shell. SSH provides a secure, encrypted tunnel between two computers which can’t be sniffed (at least, not to my knowledge) which you can use to access your home machine when you’re out of the house. Through a secure shell, you can use the terminal to run commands, transfer files or even use your home internet connection from elsewhere!

How to Install OpenSSH Server

Firstly, run this command to download and install the server software.

Quote:
sudo apt-get install openssh-server

If you want, you can check that the server is running at this point by trying to connect to yourself by running the following command. It’s not necessary though, and there’s a chance that it might not work before configuring things first.

Quote:
ssh username@localhost

How to Configure and Secure an SSH Server

The configuration and security processes go hand in hand and can actually be done at the same time, making this a fairly easy thing to do. Unfortunately, it can be a little confusing for a total beginner. I had no idea what I was doing when I first had a shot at setting up my server, but I soon learned the ropes. Anyway, here’s a quick overview of what we’ll be doing:

  • Opening a port on our router to allow incoming SSH traffic.
  • Editing our sshd_config file.
  • Taking a few security measures, such as disabling root logins and using authentication keys as opposed to passwords.

Opening a port on our router to allow incoming SSH traffic

So, go ahead and open up your router configuration page and add a firewall exception for a port of your choice. DON’T use port 22, even though it is the default SSH port: moving off it will stop a lot of automated tools from scouring the web, finding your server and trying to access it. Choose a different port, such as 443, the port which usually carries the HTTPS service. A second benefit of that port is that if you’re connecting from an organization’s network (work or school, for example), they may be blocking port 22, whereas on 443 your traffic will appear to be travelling using the HTTPS protocol.

Editing our sshd_config file

Open your file manager with root privileges (I’ll be using Nautilus for this tutorial) and browse to your “/etc/ssh” directory. This is where the configuration file lives: open up the sshd_config file. The first thing you will need to do is change the listening port (the “Port” line) to whatever you specified on your router configuration page, probably 443, like I suggested.

How to Secure an SSH Server

[Image: sshd_config]

  1. Scroll down and find the line “PermitRootLogin” – change the “yes” to a “no”.
  2. Make sure that “RSAAuthentication” and “PubkeyAuthentication” are both set to “yes”, and that “AuthorizedKeysFile” is uncommented (remove the hash at the start of the line).
  3. Scroll down, and check that “PermitEmptyPasswords” is set to “no”.
  4. Make sure that “PasswordAuthentication” is set to “no” as well – this will force the use of authentication keys, which is MUCH more secure than password authentication which can be brute-forced.
  5. Finally, scroll right to the bottom and make sure that “UsePAM” is set to “no”.
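The five steps above are easy to get subtly wrong, because sshd takes the first uncommented value it finds for each keyword, so a hardened line added at the bottom of the file does nothing if a default is still set higher up. The script below is an added example (not code from the original article) that audits an sshd_config file against this checklist on two constructed sample files, a stock-looking one and the hardened one. RSAAuthentication from step 2 applied to SSH protocol 1 only and is not checked; a keyword that appears only commented out is reported as unset, since the steps ask for it to be set explicitly.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config file
# against the five-step checklist before restarting the service.
# Two things a hand edit easily gets wrong are checked here:
#   - sshd uses the FIRST uncommented value of each keyword, so a hardened
#     line added near the bottom is ignored if an earlier line still sets it;
#   - a keyword that is only present commented out counts as "not set".
# Only the plain "Keyword value" form is parsed; Match blocks are not handled.

# Print the effective (first uncommented) value of a keyword, or nothing.
# Usage: sshd_value FILE KEYWORD
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print a finding and return 1 when a keyword does not have the expected value.
# Usage: expect_value FILE KEYWORD EXPECTED
expect_value() {
    actual=$(sshd_value "$1" "$2")
    if [ "$actual" != "$3" ]; then
        echo "$2: found '${actual:-<unset>}', expected '$3'"
        return 1
    fi
    return 0
}

# Run the checklist; prints one line per finding and returns the finding count.
audit_sshd_config() {
    f=$1
    n=0
    # From "Opening a port": any explicit port other than 22 passes.
    port=$(sshd_value "$f" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port: found '${port:-<unset, defaults to 22>}', expected a non-default port"
        n=$((n + 1))
    fi
    expect_value "$f" PermitRootLogin no        || n=$((n + 1))   # step 1
    expect_value "$f" PubkeyAuthentication yes  || n=$((n + 1))   # step 2
    expect_value "$f" PermitEmptyPasswords no   || n=$((n + 1))   # step 3
    expect_value "$f" PasswordAuthentication no || n=$((n + 1))   # step 4
    expect_value "$f" UsePAM no                 || n=$((n + 1))   # step 5
    return "$n"
}

# Constructed sample files (not copied from any real system).
weak=$(mktemp)
hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT

cat > "$weak" <<'EOF'
# stock-looking config before the edits
Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
UsePAM yes
EOF

cat > "$hardened" <<'EOF'
# the same file after the five steps
Port 443
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication no
UsePAM no
EOF

weak_findings=0
audit_sshd_config "$weak" || weak_findings=$?
hardened_findings=0
audit_sshd_config "$hardened" || hardened_findings=$?
echo "weak: $weak_findings finding(s); hardened: $hardened_findings finding(s)"
```

To check a live server, point audit_sshd_config at /etc/ssh/sshd_config (reading it needs root). Before restarting, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the values sshd will actually use. Since step 4 turns passwords off, keep your current session open until a key-based login from another terminal has succeeded, otherwise a typo in authorized_keys leaves you locked out.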

How to Connect to Your SSH Server

[Image: PuTTYgen Key Generator]

Now that the security is all taken care of, you will be eager to connect another device to your server. Grab your laptop (or whatever you’re using) and make sure that some kind of SSH client is installed on it: Windows users will be using PuTTY, Linux users might want to use openssh-client, and people on Android phones should download Connectbot.

Now, you’re going to need to generate a set of authentication keys. One is a private key, which will stay with you on your device – the other being a public key, which you will need to transfer to your server. If you’re on Windows, use the PuTTYGen application. Android users should open the menu and “Manage Pubkeys” to generate one, and Linux users should run the following command…

Quote:
ssh-keygen -t rsa

This will create an RSA key pair for you to use. Now, take a note of where the keys are saved (if you’re on Windows or Android, don’t worry about this, as it will be obvious what your public key is). Find a way of transferring your public key to your server; I usually just put it on a USB stick or email it to myself.

How to Authenticate Your Device With the Server

Once your public key is at hand, you’re going to need to add it to your “authorized_keys” file. So, open up your public key file and copy your key, then browse to the following location:

Quote:
/home/USERNAME/.ssh/authorized_keys

On the very first line of your file, paste your public key. Note that there can only be one key per line, so when you add more devices in the future, make sure you hit enter and go onto the next line before pasting your next key in.
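Pasting keys by hand is where most first-time lockouts come from: a key glued onto the end of the previous line, a duplicate, or a file sshd refuses to read because its permissions are too loose (with StrictModes, which is on by default, sshd ignores authorized_keys if it or ~/.ssh is writable by anyone but the owner). The function below is an added example (not code from the original article) that does the paste with those checks; it assumes the public key arrived as a single line (USB stick or e-mail, as described above) and runs as the target user on the server. OpenSSH also ships `ssh-copy-id`, which does the same job over an existing password login, but that route is closed once PasswordAuthentication is off.

```shell
#!/bin/sh
# Added example, not from the original article: put a public key into
# authorized_keys the way the steps above describe, with the checks a
# hand paste tends to miss:
#   - one key per line: a missing newline at the end of the file would glue
#     the new key onto the previous one and break both;
#   - no duplicate lines;
#   - permissions sshd requires: with StrictModes (the default) it ignores
#     the file if ~/.ssh or authorized_keys is writable by anyone else.

# Return 0 if the line has the shape of an OpenSSH public key:
# key type, base64 blob, optional comment.
looks_like_pubkey() {
    case "$1" in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: add_authorized_key HOMEDIR "PUBLIC KEY LINE"
# Creates HOMEDIR/.ssh/authorized_keys if needed and appends the key once.
add_authorized_key() {
    home=$1
    key=$2
    if ! looks_like_pubkey "$key"; then
        echo "refusing to add, not a public key line: $key" >&2
        return 2
    fi
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    touch "$ak"
    chmod 600 "$ak"
    # -F: fixed string, -x: whole line, so a prefix of another key is not a match.
    if grep -qFx -- "$key" "$ak"; then
        echo "key already present, nothing to do" >&2
        return 0
    fi
    # $(tail -c 1 ...) is empty only when the last byte of the file is a newline.
    if [ -s "$ak" ] && [ -n "$(tail -c 1 "$ak")" ]; then
        printf '\n' >> "$ak"
    fi
    printf '%s\n' "$key" >> "$ak"
}

# Number of key lines in HOMEDIR's authorized_keys.
count_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# Constructed demo: a throwaway home directory and two made-up key lines
# (the base64 blobs are placeholders, not real keys).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
key_laptop='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDERLAPTOP user@laptop'
key_phone='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDERPHONE user@phone'

add_authorized_key "$demo" "$key_laptop"
add_authorized_key "$demo" "$key_laptop"   # pasted twice: ignored
add_authorized_key "$demo" "$key_phone"
echo "authorized_keys now holds $(count_keys "$demo") key(s)"
```

On a real server you would call `add_authorized_key "$HOME" "$(cat /media/usb/id_rsa.pub)"` as the user who will log in; the demo at the bottom only touches a temporary directory.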

Restart the Server Service

After messing around with any configurations, you need to restart the server service. You can do this by running the following command…

Quote:
sudo /etc/init.d/ssh restart

I found it beneficial to put that into a bash script called “ssh_restart”, so that I could quickly restart the server if I needed to.

Connect to Your Server!

[Image: Connectbot SSH Login]

On the other device, open up your SSH client and enter the correct information. For example, PuTTY users will need to specify your server IP address, hostname and port number to connect, as will Android devices. If you’re running Linux, then enter the following command…

Quote:
ssh username@hostname -p 443

(replace 443 with whatever port you specified)

The server should then recognize that you’re authenticated already with the public key, and you should be presented with a shell!

Useful Links

Using PuTTYgen to create keys
OpenSSH Website
SSH Wikipedia Article

Discuss http://www.totse.info/bbs/showthread.php?t=15379
