Installing & Configuring SSH Server.

Muoki
May 25, 2021

What is SSH?

The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP). ~ ssh.com

Installing OpenSSH on Ubuntu

OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely controlling, or transferring files between, computers. ~https://ubuntu.com/server/docs/service-openssh

The OpenSSH server component, sshd, listens continuously for client connections from any of the client tools. When a connection request occurs, sshd sets up the correct connection depending on the type of client tool connecting.

To install the OpenSSH server application, and related support files:

1. Update packages.

Open the terminal and enter.

sudo apt update

`apt update` downloads the package lists from the repositories and “updates” them to get information on the newest versions of packages and their dependencies. It’s advisable to always run `apt update` before installing any package.

2. Installing package.

sudo apt install openssh-server

3. Start service at boot.

The `systemctl` command is the central management tool for controlling the init system. To start a service at boot, use the `systemctl enable` command:

sudo systemctl enable ssh

4. Start service and check running state.

sudo systemctl start ssh 
sudo systemctl status ssh

5. Test SSH

From another computer on the network use `ssh user@serverip`

ssh user@10.0.2.15

Enter the user’s password.

Congratulations, you’ve installed the SSH server and logged in.

The next step is to secure it.

‘Securing’ SSH Server.

We will ‘secure’ SSH by implementing the following steps.

  • Changing default ssh port
  • Disable ssh root login.
  • Using ssh key pair in place of a password.
  • Disable password-based logins.

**Disclaimer**

Implementing the above steps does NOT mean you’re ‘hackproof’.

Most of them will stop ‘low-level’ malicious actors.

a) Changing default ssh port

By changing the default port we’re implementing security through obscurity. Attackers are known to have bots scanning machines on the internet looking for services running on default ports, then trying known and/or 0-day attacks on them. With the service on a non-default port, the chances of it being attacked using a specific attack vector are lower. For a targeted attack, this will do little to deter the attacker, as they will still scan your machine and find the service.

1. To change the default port, edit the `/etc/ssh/sshd_config` file.

sudo vim /etc/ssh/sshd_config

2. Uncomment line 13 (the `#Port 22` line) by removing the pound (#) symbol, then change `22` to any number between 1 and 65535. Don’t use ports that are in use by other services.

3. Save the file.

4. Add the new ssh port to ufw rules.

sudo ufw allow 2255
sudo ufw enable

5. Restart ssh service.

6. Test the configuration by passing the -p argument to specify the port.

ssh user@10.0.2.15 -p 2255

b) Disable ssh root login.

According to MY experience, the only advantage of this is “slowing” down attackers using a password brute force attack.

To disable this edit `/etc/ssh/sshd_config` file.

1. Open the file with a text editor of choice.

sudo vim /etc/ssh/sshd_config

2. Change line 32 from `PermitRootLogin yes` to `PermitRootLogin no`.

3. Save the file and restart ssh service.

c) Using ssh key pairs in place of a password.

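1. Generate an SSH key pair on the client.

ssh-keygen -b 4096

Enter a secure passphrase when prompted; it protects the private key and is asked for when the key is used to authenticate.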

2. Copy ssh public key to the remote server.

cat ~/.ssh/id_rsa.pub | ssh user@10.0.2.15 -p 2255 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"

3. Test configuration by passing the `-i` argument to specify the ssh secret key identity.

ssh user@10.0.2.15 -p 2255 -i ~/.ssh/id_rsa

When using ssh key pairs it is assumed that:

  • the secret key is not compromised.
  • the passphrase used is secure.

d) Disable password-based logins.

1. Open the `/etc/ssh/sshd_config` file with a text editor.

sudo vim /etc/ssh/sshd_config

2. Change line 56 from `PasswordAuthentication yes` to `PasswordAuthentication no`.

3. Save the file and restart ssh service.
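
A check for the changes made in steps a) to d), added here as an example and not part of the original article: it reads an sshd_config the way sshd does (case-insensitive keywords, first value wins) and reports whether the port, root-login and password settings are actually in effect. The function names and the sample file are constructed for illustration, and the fallback values assume OpenSSH's compiled-in defaults.

```sh
#!/bin/sh
# Added example: audit the settings this guide changes in sshd_config.
# sshd keywords are case-insensitive and, per keyword, the FIRST value read
# wins, so a duplicate line further down does not override an earlier one.
# Not handled: Include files, Match blocks, repeated Port lines (all apply).

# effective_value KEYWORD DEFAULT FILE -> first global value, else DEFAULT
effective_value() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0  { next }     # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == key     { val = $2; found = 1; exit }
        END { print (found ? val : def) }
    ' "$3"
}

# audit_sshd FILE -> one line per setting; exit status = number of failures
# (fallbacks are assumed OpenSSH defaults: 22, prohibit-password, yes)
audit_sshd() {
    fails=0
    port=$(effective_value Port 22 "$1")
    root=$(effective_value PermitRootLogin prohibit-password "$1")
    pass=$(effective_value PasswordAuthentication yes "$1")
    if [ "$port" = 22 ]; then echo "FAIL Port is still 22"; fails=$((fails + 1))
    else echo "ok   Port $port"; fi
    if [ "$root" = no ]; then echo "ok   PermitRootLogin no"
    else echo "FAIL PermitRootLogin $root"; fails=$((fails + 1)); fi
    if [ "$pass" = no ]; then echo "ok   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication $pass"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample: "PasswordAuthentication no" was appended, but an earlier
# uncommented "yes" is still present, so password logins stay enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
Port 2255
permitRootLogin no
PasswordAuthentication yes
# PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

audit_sshd "$sample" || echo "$? setting(s) need attention"
```

On the server itself, run `sudo sshd -t` to validate the file before restarting the service, and keep the current session open until a new key-based login succeeds.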

Conclusion.

There is more to setting up an ssh server than the above. The steps above are enough for a basic setup.

Originally published at https://www.linkedin.com.

Muoki

DevOps Engineer | OSINT Researcher | Open Source Contributor