Having an SSH server can be incredibly useful; you can access a “headless” server without a monitor, get shell access to your system from anywhere in the world, transfer files without using FTP, securely tunnel VNC or web browsing, safely restart a locked-up system, and a lot more. However, improperly setting up an SSH server can leave your system vulnerable. Here’s how to install a secure SSH server (specifically OpenSSH) on Ubuntu or other Debian-based distributions.
The SSH client software is installed in Ubuntu by default. If you’re not familiar with it, then you’re probably not ready to set up the server.
What you do need to install is the OpenSSH server, which allows SSH clients to connect to your computer. Do this by installing the openssh-server package:
sudo apt-get install openssh-server
Test that the server was installed successfully. The quickest way is to connect to it from the computer you just installed it on, pointing the ssh client at localhost.
If the connection is successful then SSH is up and running.
The default installation is fairly secure; you don’t really need to add any extra security unless your SSH server is exposed to the Internet or another large network. If it is, or is going to be, make the following changes first. Bear in mind that the default configuration accepts password logins, so anything reachable from the Internet will have its passwords guessed at.
Obviously, you need to make sure that all your user passwords are secure. No words from a dictionary! If you’re a bit paranoid, generate some random passwords. Better still, use public key authentication (see the related post below), which takes password guessing off the table entirely.
The OpenSSH server is configured with the /etc/ssh/sshd_config file. (Don’t mix it up with the similarly named ssh_config file in the same directory, which configures the ssh client, not the server.) Open the server configuration file as root:
gksu gedit /etc/ssh/sshd_config
You can specify which users are and are not allowed to connect. This is useful if you have other user accounts that you will not be logging in with over SSH. Add an AllowUsers line to the file with a list of the users you want to allow to connect. Users not listed will not be allowed to connect, no matter how good their password is.
AllowUsers tom bob
This only allows the tom and bob users to connect via SSH.
By default in Ubuntu, the root account is locked (it has no password set) to encourage the use of sudo. This means that root can not log in to the SSH server with a password (which is good security). If you have enabled the root account, set PermitRootLogin to no in sshd_config to disallow root logins over SSH.
The default TCP port used by SSH is 22. If you run an SSH server exposed to the Internet on this port, you will get automated scripts brute-force attacking the server, trying to log in by guessing passwords. I’ve found that switching to another port for SSH will generally stop the attacks. There are ways to detect and block brute force attacks, but even if a bot finds your server’s port it will only be a minor annoyance because of your strong passwords. Bear in mind that a non-standard port only hides the server from scanners that try port 22 alone, so treat it as a way to cut noise in your logs rather than as a replacement for strong passwords or keys. Change the port that the SSH server listens on by locating the Port line and changing 22 to another high port such as 2222.
[update] As Jonas points out in the comments, you can change the Port line in the /etc/ssh/ssh_config file on the client system to change the default port the ssh client tries. Just remember that if you change it from 22, you will need to specify the port explicitly when connecting to other SSH servers that don’t use your port. A per-host entry in your own ~/.ssh/config avoids that problem, since it only applies to the host you name.
Whenever you make changes to the SSH server’s configuration, restart it to make the changes take effect. If you are editing the server over SSH, keep your current session open and test a new connection from a second terminal; if the new configuration has locked you out, you can still fix it from the first session. Restart with:
sudo /etc/init.d/ssh restart
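As an added example (not code from the original post), here is a small POSIX shell script that applies the three sshd_config changes above (Port, PermitRootLogin, AllowUsers) to a config file and reports what sshd would end up using, so you can rehearse the edit on a copy before touching /etc/ssh/sshd_config. The function names, the sample config it generates, and the port and user names are all made up for the demo. It handles two things a hand edit gets wrong: sshd honours only the first occurrence of a keyword, so leftover duplicates are removed, and anything after a Match line is conditional, so new directives are inserted before the first Match block rather than appended to the end of the file.

```shell
#!/bin/sh
# Added example (not the original post's code): edit an sshd_config file the way
# this how-to describes, in a way that can be rehearsed on a copy first.
# Function and variable names here are made up for the demo.

# set_directive FILE KEY VALUE
# Make "KEY VALUE" the global setting in FILE. sshd uses the FIRST occurrence of
# a keyword, and anything after a "Match" line is conditional, so we:
#   - drop existing global lines for KEY, including stock "#KEY ..." comments
#     (only "#" immediately followed by the keyword, the style Ubuntu's file uses)
#   - leave Match blocks untouched
#   - insert the new line just before the first Match block, or at the end if none
set_directive() {
    f=$1 k=$2 v=$3
    awk -v key="$k" -v line="$k $v" '
        BEGIN { re = "^[[:space:]]*#?" key "([[:space:]]|$)" }
        /^[[:space:]]*Match([[:space:]]|$)/ && !in_match { print line; in_match = 1 }
        in_match { print; next }
        $0 ~ re { next }
        { print }
        END { if (!in_match) print line }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# effective FILE KEY: print the value sshd would use from the global section
# (first active match wins; keywords are case-insensitive).
effective() {
    awk -v key="$2" '
        /^[[:space:]]*Match([[:space:]]|$)/ { exit }
        tolower($1) == tolower(key) { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT USER...: the three changes from the post.
harden_sshd_config() {
    cfg=$1 port=$2; shift 2
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" AllowUsers "$*"
}

# Demo on a constructed sample, so nothing here touches /etc/ssh.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample modelled on Ubuntu's stock sshd_config
#Port 22
#AddressFamily any
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF
    harden_sshd_config "$tmp" 2222 tom bob
    cat "$tmp"
    echo "effective Port: $(effective "$tmp" Port)"
    # Before restarting a real server, have sshd check the file. It needs to read
    # the host keys, so run it as root: sudo sshd -t -f /etc/ssh/sshd_config
    if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$tmp" && echo "sshd -t: config OK"
    fi
    rm -f "$tmp"
}

demo
```

Run it as-is to see the rewritten sample; to use it for real, copy /etc/ssh/sshd_config somewhere, run harden_sshd_config on the copy with your own port and user names, check it with sshd -t -f as root, and only then copy it back and restart the server.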
If your network is behind a NAT router and you want to expose your SSH server to the Internet, you will need to forward a port. This usually involves logging in to your router and forwarding your SSH port to your computer’s local IP address. PortForward.com has guides that can help you with this.
If there’s any interest, I’ll write some more how-tos for useful things you can do with an SSH server.
- Starting and Stopping GNOME from the Command Line
- Remote Access From Windows - X11vnc
- Public Key Authentication for SSH Made Easy