
Configuring and Securing SSH

How to configure SSH to communicate between your local computer and a remote server.

Contributed by: Lloyd R. Prentice

Why

Remote access for administration is essential for installing, configuring, enhancing and maintaining a Zotonic server. This guide provides steps to ensure you have SSH available and explains how to secure it effectively against many automated attacks.

Assumptions

  1. Ubuntu 11.04 or Debian Squeeze (will probably work on earlier releases as well)
  2. You have the passwords and access rights needed to log in to the remote server

How

Is SSH installed on both systems?

To confirm on local system:

~$ dpkg -l | grep ssh

You should see:

ii  libssh2-1                            0.18-1                     SSH2 client-side library
ii  openssh-blacklist                    0.4.1                      list of default blacklisted OpenSSH RSA and DSA keys
ii  openssh-blacklist-extra              0.4.1                      list of non-default blacklisted OpenSSH RSA and DSA keys
ii  openssh-client                       1:5.1p1-5                  secure shell client, an rlogin/rsh/rcp replacement
ii  openssh-server                       1:5.1p1-5                  secure shell server, an rshd replacement
ii  ssh                                  1:5.1p1-5                  secure shell client and server (metapackage)

Or, try this:

~$ ps aux | grep ssh

Expect:

root      7367  0.0  0.0  48868  1180 ?        Ss   14:09   0:00 /usr/sbin/sshd
<user>    7403  0.0  0.0   5164   776 pts/6    R+   14:23   0:00 grep ssh

To confirm on remote server:

You'll need the URL or IP address of the server.

~$ ssh <user name>@url

where url is something like myserver.com

Or:

~$ ssh <user name>@<ip address>

where ip address is something like 123.45.6.78

Install SSH client and server

Obviously, if SSH is not installed on the remote server, you'll need local access and a terminal.

From root:

# apt-get update
# apt-get install ssh

Establish an SSH connection to the remote server

~$ ssh <user name>@<url or ip address>

If asked for a password, enter it and you should see the remote shell prompt:

Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic i686)

* Documentation: https://help.ubuntu.com/
Last login: Fri Jun 3 13:51:14 2011 from reliance.local
user@<remote>:~$

If you see "connection refused", it's likely that the remote server has been security hardened, and you'll either need local root access or the help of the remote server administrator to discover how to connect.

Securing your SSH installation

Unless you take concerted efforts to secure your SSH installation, bad guys will be able to take control of your system in a heartbeat. And if you're on the web, they will.

This is not a simple issue, so researching recent SSH security notes is well worth the time and effort.

But this might help you get started:

From root:

# vim /etc/ssh/ssh_config

First we'll change the port:

Scroll down to # Port 22 and change it to Port nnnnn, where nnnnn is some five-digit number. Note that the comment marker (#) is deleted as well. Save. This is security by obscurity, but every rock in the road helps discourage the bad guys.

From now on you'll need to connect remotely to your system this way:

~$ ssh -p nnnnn <user>@<url or ip address>

Next we'll specify protocol 2:

Change # Protocol 2,1 to Protocol 2. Save and close the editor.

Protocol 2 provides better security than protocol 1.

Now we'll make some changes in /etc/ssh/sshd_config

Open sshd_config and change Port 22 to Port nnnnn, where nnnnn is the same randomly generated high port number as above.
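The two sshd_config settings changed above (Port and Protocol) can be audited with the following script. It is an added example, not part of the Zotonic documentation; it assumes the Debian/Ubuntu "Keyword value" layout of sshd_config and runs against constructed sample files rather than a live server.

```sh
#!/bin/sh
# Added example, not part of the Zotonic docs: audit an sshd_config for the two
# settings this guide changes, the listening port and the protocol version.
# Assumes the Debian/Ubuntu "Keyword value" layout of sshd_config.

# effective_value FILE KEY: print the value of the first uncommented KEY line
# (sshd uses the first value it finds); print nothing if every copy is still
# commented out, in which case sshd falls back to its built-in default.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) && !seen { v = $2; seen = 1 }
                     END { print v }' "$1"
}

# audit_sshd_config FILE: return 0 when Port is not 22 and Protocol is
# exactly 2, return 1 (after printing WARN lines) otherwise.
audit_sshd_config() {
    cfg="$1"
    rc=0
    port=$(effective_value "$cfg" Port)
    proto=$(effective_value "$cfg" Protocol)

    # A still-commented "# Port 22" leaves sshd listening on the default port.
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22 (set Port nnnnn)"
        rc=1
    else
        echo "OK: Port $port"
    fi

    # "Protocol 2,1" (or no Protocol line on an old sshd) still allows protocol 1.
    case "$proto" in
        2) echo "OK: Protocol 2" ;;
        *) echo "WARN: Protocol is '${proto:-unset}' (set Protocol 2)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files for a stand-alone run; they are not real server configs.
SAMPLE_DIR=$(mktemp -d)
WEAK_CFG="$SAMPLE_DIR/weak_sshd_config"
HARDENED_CFG="$SAMPLE_DIR/hardened_sshd_config"
printf '# Port 22\nProtocol 2,1\n' > "$WEAK_CFG"
printf 'Port 40221\nProtocol 2\n' > "$HARDENED_CFG"

audit_sshd_config "$WEAK_CFG" || echo "weak config: fix the WARN lines above"
audit_sshd_config "$HARDENED_CFG" && echo "hardened config: passes"
```

Run it as root against the real file with `audit_sshd_config /etc/ssh/sshd_config` after editing, and remember that sshd only picks up the new port once it has been restarted.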

How can I log into my remote server without using a password?

Step 1: Generate public and private keys

ssh-keygen

Step 2: Copy your public key to your remote server

ssh-copy-id -i ~/.ssh/id_rsa.pub remote-server

Step 3: Set restrictive permissions for .ssh

chmod -R go= ~/.ssh

Step 4: Add your SSH Key to the SSH Agent

ssh-add ~/.ssh/id_rsa

Step 5: Confirm

ssh remote-server

Resources

Also, review:

~$ man ssh
~$ man sshd

Troubleshooting

Getting Password Prompts or Authentication Failures

Check to see if you have ~/.ssh/id_rsa. If not, you may need to run ssh-keygen again and add the new public key to authorized_keys on the remote machine. This is a common issue when deploying SSH public key authentication across multiple machines.

If these troubleshooting steps don't solve your problems, please share anything you have learned in the comments below or on the Zotonic Users Group.

This page is part of the Zotonic documentation, which is licensed under the Apache License 2.0.