SSH is fantastic for everything, if I could ssh into my refrigerator and let it know that I wanted milk it would be a perfect world. I need to install openssh on the box next to me for a whole host of reasons, so this is a quick guide on how to set up openssh in a secure manner.
Install and general configuration
Firstly you will want to install the openssh server:
sudo apt-get install openssh-server
After the install we want to change some of the default settings to promote some security through obscurity. First file we will edit is the /etc/ssh/sshd_config. Find the line that says:
#What ports, ips and protocols we listen for
Port 22
Make a change to that port (choose a non-standard port), we dont want to be running on the default port. You might also want to check the following settings:
- RSAAuthentication == YES
- Protocol == 2 (make sure this is not a ’1′)
- PasswordAuthentication == YES (only if you have not done the Key Authentication part below)
- AllowUsers == make sure the users you want to access the machine are in here
- PermitRootLogin == NO
*The above checklist has been scalped from TuxTraining
Then restart the sshd server:
sudo /etc/init.d/ssh restart
Now for some security lets configure the /etc/hosts.allow file, add an allow for for all local activity and for ssh from the ip’s you are expecting. This is fine for me on my local network where ip’s are not changing, but for a server that your ssh’ing into from other areas this might not be plausable. Nevertheless this is how my /etc/hosts.allow looks:
ALL : 127.0.0.1
sshd : 10.0.0.2, 10.0.0.4
Now the /etc/hosts.deny file:
ALL : ALL
Key Authentication
When I set up my first server I scoffed at the idea of doing key based authentication because I would be the only user and I had a fairly long key, however go ahead and check your log files for failed authentications and you will see thousands a month. For this reason it is advisable to use key based authentication and ditch passwords alltogether… how long will it take them to guess your user password?
Client
- If the directory does not already exist then create ~/.ssh
- Generate the public/private key pair with the following command, make sure to enter a password. If you do not enter a password then anyone who gets a copy of your key can use it:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
- Now you need to edit the /etc/ssh/ssh_config file by changing the following lines:
IdentityFile ~/.ssh/id_rsa (remove the # to uncomment)
Protocol 2 (Remove the 1 and remove the # to uncomment)
Server
- If the directory does not already exist then create ~/.ssh
- Make sure the permissions on the ~/.ssh directory are 700
- Maybe have to chown the ~/.ssh directory if you created it with the sudo command, this is so you can copy your keys into is.
- Copy the ‘id_rsa.pub’ file from your client machine to your server, you can use scp for this (run this on your client, you are copying the file Client=>Server):
scp ~/.ssh/id_rsa.pub <user_name>@<server_address>:~/.ssh
- Now back to the server to put your key into the ~/.ssh/authorized_keys list:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
- Now you will want to edit the /etc/ssh/sshd_config file by changing the following lines:
Protocol 2 (make sure to remove the 1)
PubKeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
- Now restart the sshd service and you are set to go:
sudo /etc/init.d/ssh restart
Now you should be good to go. There is all kinds of extra tightening down you can do, but this setup so far has let me sleep at night. Enjoy fantastic cli power!
Resources
The Ultimate SSH Security Tutorial (TuxTraining)
SSH Howto (Ubuntu Documentation)