Configuring and Securing SSH
How to configure SSH to communicate between your local computer and a remote server.
Contributed by: Lloyd R. Prentice
Why
Remote access for administration is essential for installing, configuring, enhancing and maintaining a Zotonic server. This guide provides steps to ensure you have SSH available and explains how to effectively secure it to avoid many automated attacks.
Assumptions
- Ubuntu 11.04 or Debian Squeeze (will probably work on earlier releases as well)
- You have the passwords and rights needed to access the remote server
How
Is SSH installed on both systems?
To confirm on local system:
~$ dpkg -l | grep ssh
You should see:
ii  libssh2-1                0.18-1     SSH2 client-side library
ii  openssh-blacklist        0.4.1      list of default blacklisted OpenSSH RSA and DSA keys
ii  openssh-blacklist-extra  0.4.1      list of non-default blacklisted OpenSSH RSA and DSA keys
ii  openssh-client           1:5.1p1-5  secure shell client, an rlogin/rsh/rcp replacement
ii  openssh-server           1:5.1p1-5  secure shell server, an rshd replacement
ii  ssh                      1:5.1p1-5  secure shell client and server (metapackage)
Or, try this:
~$ ps aux | grep ssh
Expect:
root    7367  0.0  0.0  48868  1180 ?      Ss   14:09   0:00 /usr/sbin/sshd
<user>  7403  0.0  0.0   5164   776 pts/6  R+   14:23   0:00 grep ssh
To confirm on remote server:
You'll need the server's URL (host name) or IP address.
~$ ssh <user name>@url
where url is something like myserver.com
Or:
~$ ssh <user name>@<ip address>
where ip address is something like 123.45.6.78
Install SSH client and server
Obviously, if SSH is not installed on the remote server, you'll need local access and a terminal.
From root:
# apt-get update
# apt-get install ssh
Establish an SSH connection to the remote server
~$ ssh <user name>@<url or ip address>
If asked for a password, enter it and you should see the remote shell prompt:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic i686)
 * Documentation: https://help.ubuntu.com/
Last login: Fri Jun 3 13:51:14 2011 from reliance.local
user@<remote>:~$
If you see "connection refused", it's likely that the remote server has been security hardened, and you'll either need local root access or the help of the remote server administrator to discover how to connect.
Securing your SSH installation
Unless you make a concerted effort to secure your SSH installation, bad guys will be able to take control of your system in a heartbeat. And, if you're on the web, they will.
This is not a simple issue, so researching recent SSH security notes is well worth the time and effort.
But this might help you get started:
From root:
# vim /etc/ssh/ssh_config
First we'll change the port:
Scroll down to # Port 22 and change it to Port nnnnn, where nnnnn is some five-digit number. Note that we've deleted the comment character (#). Save. This is security by obscurity, but every rock in the road helps discourage the bad guys.
From now on you'll need to connect remotely to your system this way:
~$ ssh -p nnnnn <user>@<url or ip address>
Next we'll specify protocol 2:
Change # Protocol 2,1 to Protocol 2. Save and close the editor.
Protocol 2 provides better security than protocol 1.
Now we'll make some changes in /etc/ssh/sshd_config
Open sshd_config and change Port 22 to Port nnnnn, where nnnnn is a randomly generated high port number. Keep the two files straight: ssh_config (edited above) only sets defaults for the outgoing ssh client, while sshd_config controls the listening sshd daemon, so it is this Port line that decides which port the server accepts connections on. sshd only re-reads sshd_config when it is restarted or reloaded, so restart it after saving, and keep your current session open until you have confirmed a new connection on the new port works.
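As an added check (example code, not part of the Zotonic page or the OpenSSH project), the following POSIX shell script audits an sshd_config for the two settings changed above, ignoring commented-out lines and matching keywords case-insensitively as sshd does; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings this guide changes.
# Not part of the Zotonic page; FILE is any sshd_config path you pass in.

# config_values FILE KEYWORD -> every uncommented value for KEYWORD, one per line.
# sshd keywords are case-insensitive and '#' lines are ignored, so mirror that.
config_values() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key)          { print $2 }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per weak setting;
# returns 0 when no Port is 22 and Protocol is exactly "2", else 1.
audit_sshd_config() {
    cfg="$1"
    bad=0

    # sshd listens on every Port line given; no Port line means the built-in 22.
    ports=$(config_values "$cfg" Port)
    for p in ${ports:-22}; do
        if [ "$p" = "22" ]; then
            echo "WEAK: Port $p is the default; this guide moves sshd to a high port"
            bad=1
        fi
    done

    # For Protocol sshd keeps the first value it sees; "2,1" still accepts protocol 1.
    proto=$(config_values "$cfg" Protocol | head -n 1)
    if [ "$proto" != "2" ]; then
        echo "WEAK: Protocol is '${proto:-not set}'; set 'Protocol 2' explicitly"
        bad=1
    fi
    return "$bad"
}

# Usage: audit_sshd_config /etc/ssh/sshd_config && echo "hardened"
```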
How can I log into my remote server without using a password?
Step 1: Generate public and private keys
ssh-keygen
Step 2: Copy your public key to your remote server
ssh-copy-id -i ~/.ssh/id_rsa.pub remote-server
Step 3: Set restrictive permissions for .ssh
chmod -R go= ~/.ssh
Step 4: Add your SSH Key to the SSH Agent
ssh-add ~/.ssh/id_rsa
Step 5: Confirm
ssh remote-server
Resources
- http://wiki.debian.org/ssh
- http://www.openssh.org/faq.html
- http://www.openssh.com/manual.html
- http://www.debian-administration.org/articles/455
Also, review:
~$ man ssh
~$ man sshd
Troubleshooting
Getting Password Prompts or Authentication Failures
Check whether you have ~/.ssh/id_rsa. If not, you may need to run ssh-keygen again and add the new public key to authorized_keys on the remote machine. This is a common issue when deploying SSH public key authentication from multiple machines.
If these troubleshooting steps don't solve your problems, please share anything you have learned in the comments below or on the Zotonic Users Group.
This page is part of the Zotonic documentation, which is licensed under the Apache License 2.0.