Having an SSH server can be incredibly useful; you can access a “headless” server without a monitor, get shell access to your system from anywhere in the world, transfer files without using FTP, securely tunnel VNC or web browsing, safely restart a locked-up system, and a lot more. However, improperly setting up an SSH server can leave your system vulnerable. Here’s how to install a secure SSH server (specifically OpenSSH) on Ubuntu or other Debian-based distributions.
The SSH client software is installed in Ubuntu by default. If you’re not familiar with it, then you’re probably not ready to set up the server.
What you do need to install is the OpenSSH server, which allows SSH clients to connect to your computer. Do this by installing the package openssh-server with this terminal command:
sudo apt-get install openssh-server
Test that the server was installed successfully. The quickest way is to connect to the server from the computer you just installed it on using this command:
If the connection is successful then SSH is up and running.
The default installation is fairly secure; you don’t really need to add any extra security unless your SSH server is exposed to the Internet or another large network. If it is, or is going to be, you should first make some changes.
Obviously, you need to make sure that all your user passwords are secure. No words from a dictionary! If you’re a bit paranoid, generate some random passwords.
OpenSSH is configured with the /etc/ssh/sshd_config file. (Don’t mix it up with the similar ssh_config file.) Open your SSH configuration file:
gksu gedit /etc/ssh/sshd_config
You can specify which users are and are not allowed to connect. This is useful if you have other user accounts that you will not be logging in with over SSH. Add an AllowUsers line to the file with a list of users you want to allow to connect. Users not listed will not be allowed to connect.
Example: AllowUsers tom bob
This allows only the tom and bob users to connect via SSH.
By default in Ubuntu, the root user is not enabled, to encourage the use of sudo. This means that root cannot log in to the SSH server (which is good security). If you do have the root user enabled, you may want to set the PermitRootLogin line to no to disallow root logins over SSH.
The default TCP port used by SSH is 22. If you run an SSH server exposed to the Internet on this port, you will get automated scripts brute-force attacking the server, trying to log in by guessing passwords. I’ve found that switching to another port for SSH will generally stop the attacks. There are ways to detect and block brute-force attacks, but even if a bot finds your server’s port it will only be a minor annoyance because of your strong passwords. Change the port that the SSH server listens on by locating the Port line and changing 22 to another high port such as 2222.
[update] As Jonas points out in the comments, you can change the Port line in the /etc/ssh/ssh_config file on the client system to change the default port to try connecting to. Just remember that if you change it from 22 you will need to specify the port when connecting to other SSH servers not using your own port.
Whenever you make changes to the SSH server’s configuration, restart it to make the changes take effect:
sudo /etc/init.d/ssh restart
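To check the three settings covered above (AllowUsers, PermitRootLogin, Port), the following is an added example, not part of the original post: a small shell audit of an sshd_config file. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the three
# settings discussed above (AllowUsers, PermitRootLogin, Port).

# first_value FILE KEYWORD: print the first value set for KEYWORD.
# sshd keywords are case-insensitive and the first value found wins; parsing
# stops at the first Match block because settings there apply conditionally.
# Assumes the usual whitespace-separated "Keyword value" form.
first_value() {
    awk -v kw="$2" '
        NF == 0 || $1 ~ /^#/       { next }   # skip blank lines and comments
        tolower($1) == "match"     { exit }   # global section ends here
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one OK/WARN line per setting.
audit_sshd_config() {
    port=$(first_value "$1" Port)
    root=$(first_value "$1" PermitRootLogin)
    users=$(first_value "$1" AllowUsers)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "WARN Port: default port 22 in use"
    else
        echo "OK   Port: $port"
    fi
    case "$root" in
        no) echo "OK   PermitRootLogin: no" ;;
        "") echo "WARN PermitRootLogin: not set, built-in default applies" ;;
        *)  echo "WARN PermitRootLogin: $root" ;;
    esac
    if [ -n "$users" ]; then
        echo "OK   AllowUsers: $users"
    else
        echo "WARN AllowUsers: not set, no user allow-list in effect"
    fi
}

# count_warnings FILE: print the number of WARN findings.
count_warnings() {
    audit_sshd_config "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Constructed sample input; pass /etc/ssh/sshd_config to audit a real server.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'port 2222' 'PermitRootLogin yes' \
    'PermitRootLogin no' 'Match User backup' '    AllowUsers backup' > "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

In the sample, the second PermitRootLogin line is ignored because the first one wins, and the AllowUsers line inside the Match block does not count as a global allow-list.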
If your network is behind a NAT router and you want to expose your SSH server to the Internet, you will need to forward a port. This usually involves logging in to your router and forwarding your SSH port to your computer’s local IP address. PortForward.com has guides that can help you with this.
If there’s any interest, I’ll write some more how-tos for useful things you can do with an SSH server.