Tombuntu

Installing and Using an SSH Server

Having an SSH server can be incredibly useful: you can access a “headless” server without a monitor, get shell access to your system from anywhere in the world, transfer files without using FTP, securely tunnel VNC or web browsing, safely restart a locked-up system, and a lot more. However, improperly setting up an SSH server can leave your system vulnerable. Here’s how to install a secure SSH server (specifically OpenSSH) on Ubuntu or other Debian-based distributions.

OpenSSH

The SSH client software is installed in Ubuntu by default. If you’re not familiar with it, then you’re probably not ready to set up the server.

What you do need to install is the OpenSSH server, which allows SSH clients to connect to your computer. Do this by installing the package openssh-server with this terminal command:

sudo apt-get install openssh-server

Test that the server was installed successfully. The quickest way is to connect to the server from the computer you just installed it on:

ssh localhost

The first time you connect you will be asked to accept the server’s host key fingerprint. If you then get a shell prompt, SSH is up and running; type exit to close the session.

The default installation is fairly secure; you don’t need extra hardening unless your SSH server is exposed to the Internet or another large network. Bear in mind, though, that out of the box it accepts password logins for every local account. If the server is, or is going to be, reachable from such a network, you should first make some changes.

Obviously, you need to make sure that all your user passwords are strong. No words from a dictionary! If you’re a bit paranoid, generate some random passwords. Every account with a password counts, not just the one you log in with, because each of them can be tried over SSH.

The OpenSSH server is configured with the /etc/ssh/sshd_config file. (Don’t mix it up with the similarly named ssh_config in the same directory, which configures the client.) Open your SSH server configuration file as root:

gksu gedit /etc/ssh/sshd_config

You can specify which users are and are not allowed to connect. This is useful if you have other user accounts that you will never log in with over SSH. Add an AllowUsers line to the file with a list of users you want to allow to connect. Users not listed are refused whether they offer a password or a key. (sshd also understands AllowGroups, DenyUsers and DenyGroups, which work the same way.)

Example: AllowUsers tom bob
Only allows the tom and bob users to connect via SSH.

By default in Ubuntu the root account is disabled (it has no password set) to encourage the use of sudo. This means that root cannot log in to the SSH server, which is good for security. If you do have the root account enabled, set the PermitRootLogin line to no to disallow root logins over SSH regardless.

The default TCP port used by SSH is 22. If you run an SSH server exposed to the Internet on this port, automated scripts will brute force it, trying to log in by guessing passwords. I’ve found that switching to another port for SSH generally stops those attacks, or at least the log noise from them. Treat this as a convenience rather than a security control: a port scan finds the new port easily, and the real protection is strong passwords (or, better, key-only logins). There are tools such as fail2ban that detect and block brute force attempts, but even if a bot finds your server’s port it will only be a minor annoyance. Change the port that the SSH server listens on by locating the Port line and changing 22 to another port such as 2222. One caveat: ports above 1023 can be opened by any local user, so if sshd is ever stopped an unprivileged process could take the port; on a single-user machine that is rarely a concern, but it is why some administrators stick to a port below 1024.

[update] As Jonas points out in the comments, you can change the Port line in the /etc/ssh/ssh_config file on the client system (or in your own ~/.ssh/config) to change the default port it tries. Just remember that if you change it from 22 you will need to specify -p 22 when connecting to other SSH servers that use the standard port; a Host entry in ~/.ssh/config for just your own server avoids that.

Whenever you make changes to the SSH server’s configuration, restart it to make the changes take effect. Check the file for syntax errors first (sshd -t), and keep your current session open while you test a fresh login from a second terminal: a restart does not drop established sessions, so a mistake in the configuration still leaves you a way to fix it.

sudo /etc/init.d/ssh restart
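As an added example (not code from the original post), here is the editing procedure above as a script: it sets the directives in sshd_config without leaving behind an earlier copy of the same directive, which sshd would read first and silently prefer, shows which value sshd will actually use, and wraps the syntax check to run before the restart. The helper names and the sample configuration are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the sshd_config
# changes from the article (Port, PermitRootLogin, AllowUsers) and the
# password/pubkey toggles from the comments idempotently, then shows how to
# check the file before restarting. Function names and sample config are mine.
set -eu

# set_directive FILE KEY VALUE
# Replace every "KEY ..." line, commented out or not, with "KEY VALUE" and
# drop the duplicates, or insert the line if the directive is absent. sshd
# uses the FIRST occurrence of a directive, so an older line left in place
# would win over one appended at the bottom. Lines after an active "Match"
# header are left alone: anything placed there applies only to that block.
# Assumes no comment line starts with a directive name followed by prose.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # drop indent and "#"
            split(line, f, /[[:space:]]+/)
            if (!in_match && tolower(f[1]) == "match" && $0 !~ /^[[:space:]]*#/) {
                if (!done) { print k " " v; done = 1 }    # insert before Match
                in_match = 1
            }
            if (!in_match && tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }    # first hit: rewrite
                next                                       # later hits: drop
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place to keep the file's owner and mode
    rm -f "$tmp"
}

# effective_directive FILE KEY: the value sshd would actually use, i.e. the
# first uncommented occurrence before any Match block.
effective_directive() {
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT "USER1 USER2" PASSWORDAUTH
# PASSWORDAUTH should stay "yes" until a key login has been verified to work.
harden_sshd_config() {
    set_directive "$1" Port "$2"
    set_directive "$1" PermitRootLogin no
    set_directive "$1" AllowUsers "$3"
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" PasswordAuthentication "$4"
}

# validate_sshd_config FILE: have sshd parse FILE without starting it. A
# config error discovered at restart time means no new logins until fixed.
validate_sshd_config() {
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd" ] || { echo "sshd not found, skipping syntax check" >&2; return 0; }
    "$sshd" -t -f "$1"
}

# Constructed sample in the shape of the Debian default (not the real file).
make_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample sshd_config
#Port 22
#AddressFamily any
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User anoncvs
    X11Forwarding no
EOF
}

demo() {
    d=$(mktemp -d)
    make_sample_config "$d/sshd_config"
    harden_sshd_config "$d/sshd_config" 2222 "tom bob" yes
    cat "$d/sshd_config"
    echo "effective Port: $(effective_directive "$d/sshd_config" Port)"
    rm -rf "$d"
}
demo
```

To use it on the real file, run harden_sshd_config as root against /etc/ssh/sshd_config, then validate_sshd_config /etc/ssh/sshd_config, and only restart (sudo /etc/init.d/ssh restart here; sudo systemctl restart ssh on current Ubuntu) when that passes. On releases whose sshd_config begins with an Include /etc/ssh/sshd_config.d/*.conf line, a drop-in file there is read first and takes precedence over the main file, so check that directory too.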

If your network is behind a NAT router and you want to expose your SSH server to the Internet, you will need to forward a port. This usually involves logging in to your router and forwarding your SSH port to your computer’s local IP address. PortForward.com has guides that can help you with this.

If there’s any interest, I’ll write some more how-tos for useful things you can do with an SSH server.

Archived Comments

Fer

Nice!

Cheers from Barcelona, Spain

Jonas

I think you missed one important aspect in securing a ssh-server: don’t allow people (even if it’s just yourself) to connect to it using passwords. Do it using public key authentication, and brute force password crackers will work in vain.

Of course, using public keys provides an additional bonus apart from better security. It makes using sshfs more convenient in that you can mount a ssh directory without being prompted for a password or passphrase at boot-time, especially convenient if you mount them using fstab.

And speaking of convenient…since you mentioned changing the port of the server you might want to change the corresponding part of the client ssh_config file. Just so you don’t have to remember adding the -p 2222 every time.

Tony

Wonderfully informative post.
Can you explain how to use public key authentication?

Jonas

Quick-and-dirty, and assuming it is your server so you have root-access to it.

On the server,

Make sure you have the following in /etc/ssh/sshd_config:

PubkeyAuthentication yes
PasswordAuthentication no

On the client, do:

1. ssh-keygen -t rsa (up to you if you want to use a pass-phrase or not. As long as you keep the key-files secured, it is more convenient without one).
2. ssh-copy-id -i ~/.ssh/id_rsa.pub username@server (this copies the pub-key to the server)

Finally, you should be able to do ssh server. The first time you will get a warning, and then you will be asked about your pass-phrase if you created one. Otherwise, you should be let in. This assumes that you have the same username (and the same UID and GID) on both the client and the server though.

Finally, as root on the server /etc/init.d/ssh restart

Note though that I would recommend to NOT turn off password authentication until you know the pubkey setup works…

Now, if you followed the suggestions to make sure only trusted users are allowed to use ssh and changing the port number, a potential hacker would need:

1. To find out the correct port number.
2. Find the correct username
3. Get access to your keyfile somehow.

Note too that if you just want to use this on a server that you do not have root access to, it should work too except that you of course have to rely on the server being properly set up in the first place (or pester the administrator to set it up for you…). If it allows ssh-logins, I would hope that it is.
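
The server-side half of the procedure Jonas describes, as an added example that is not part of the original post or comments: what ssh-copy-id does when it appends the key, written out so the permission rules are explicit, plus a check for the most common reason a copied key is still not accepted (a group- or world-writable home, .ssh or authorized_keys, which sshd’s StrictModes rejects). The function names and the sample keys are constructed; the keys are not real key material.

```shell
#!/bin/sh
# Added example, not code from the post or the comment above. It does the
# server-side half of what ssh-copy-id does, spelled out so the permission
# rules are visible, plus a check for the usual reason a key is ignored.
# Function names and sample keys are my own; the keys are not real.
set -eu

# install_pubkey HOME_DIR "PUBLIC KEY LINE"
# Append one public key to HOME_DIR/.ssh/authorized_keys unless its key
# material is already there, and set the modes sshd expects. With StrictModes
# (the default) sshd ignores authorized_keys when it, ~/.ssh or the home
# directory is group- or world-writable; the symptom is a password prompt
# even though the key was copied.
install_pubkey() {
    home=$1 key=$2
    sshdir="$home/.ssh"
    ak="$sshdir/authorized_keys"
    # The base64 blob is the field starting with AAAA, whatever options or
    # comment surround it, so the same key with a new comment is not re-added.
    blob=$(printf '%s\n' "$key" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }')
    [ -n "$blob" ] || { echo "not a public key line: $key" >&2; return 1; }
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$ak"
    chmod 600 "$ak"
    grep -Fq -- "$blob" "$ak" || printf '%s\n' "$key" >> "$ak"
}

# check_key_perms HOME_DIR
# Print "ok" and return 0 when the paths pass StrictModes' write-bit rule;
# otherwise print the offending path and return 1. (sshd also requires the
# paths to be owned by the user or root; ownership is not checked here.)
check_key_perms() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")   # GNU, then BSD stat
        case "$mode" in
            *[2367]?|*[2367]) echo "group/world writable: $p (mode $mode)"; return 1 ;;
        esac
    done
    echo ok
}

demo() {
    h=$(mktemp -d)      # stands in for the user's home directory
    k='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKeyAAAAAAAAAAAAAAAAAAAAAAAA tom@laptop'
    install_pubkey "$h" "$k"
    install_pubkey "$h" "$k"          # second call adds nothing
    check_key_perms "$h"
    chmod 775 "$h/.ssh"               # the classic mistake
    check_key_perms "$h" || true
    chmod 700 "$h/.ssh"
    rm -rf "$h"
}
demo
```

Run install_pubkey with the real home directory and the contents of your id_rsa.pub to do by hand what ssh-copy-id does; run check_key_perms whenever a key that was copied is still answered with a password prompt.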

Tom

Jonas:
Thanks for the tip on changing the port in ssh_config.

Tony:
Public key authentication is tomorrow’s post :)

db0

Excellent post. This is exactly what I needed to administer my girlfriend’s computer without asking for a rdc connection every time :)

Cheers!

Ram

Wonderful post bro. Simple n clear explanation.

analog_G

Great post. So simple I was able to call my wife from work and she installed openSSH from a command prompt. I am now using PuTTY.exe on my Windows machine at work to connect (SSH) to my Linux Machine at home. I just modified my sshd_config file remotely to only allow me as an openSSH user. Cool stuff.

Jaun Millalonco

My first visit here, found the blog accidentally really, and I just wanted to say I’ve enjoyed my visit and had some good reads while here :)
Juan

aikonbrasil

An Excellent Post, Congratulation !!!!!!!!

I will be visiting your blog all the time.

Thanks.
