SSH is a network protocol that is used from a console. The most commonly used SSH client is PuTTY. The image below shows an established SSH session. It is easy to use and quick. Most IT professionals manage their entire network solely via SSH because of its security and the quick, easy access it gives for administrative and management tasks on the server. The entire SSH session is encrypted. The major protocol versions are SSH-1 and SSH-2; SSH-2 is the newer one and is more secure than SSH-1. A Linux OS has a built-in utility called Terminal to access the console, while a Windows machine requires an SSH client (e.g. PuTTY).
Accessing a Remote Host Using SSH.
To access a remote host/machine using SSH, you will need to have the following:
a) PuTTY (free SSH client)
b) SSH server username
c) SSH server password
d) The SSH port. It is usually 22, but since 22 is the default, it should be changed to a different port to avoid attacks on this port.
In a Linux machine, the username ‘root’ is the administrator by default and possesses all the administrative rights.
In Terminal, the following command will initiate a connection to the server.
ssh root@192.168.1.1
Where ‘root’ is the username, and ‘192.168.1.1’ is the host address.
This is what the terminal looks like:
Your commands will be typed after the $ symbol. For help with any command in the terminal or PuTTY, use the syntax:
man ssh
man <command>
man, followed by any command name, returns on-screen guidance for that command.
So what I am going to do now is SSH into my Debian OS running on VMware using PuTTY.
But before I do that, I need to enable SSH by logging into my Debian VM. If you have just purchased a server from a hosting company, you can ask them to enable SSH for you.
To enable SSH, use:
sudo /etc/init.d/ssh restart
Since I am using Ubuntu and SSH was not installed, I installed it first.
To install SSH, use these commands:
sudo apt-get install openssh-client
sudo apt-get install openssh-server
And, here’s what I’ve got: logged in to SSH via PuTTy.
Now, this is what it takes to set up SSH and establish a session via PuTTY. Below, I will address some basic and some more advanced features that will gradually give you a more comprehensive view of the whole scenario.
The default ssh configuration file is located at: /etc/ssh/sshd_config
To view the configuration file use: cat /etc/ssh/sshd_config
To edit the configuration file use: vi /etc/ssh/sshd_config or nano /etc/ssh/sshd_config
After editing any file, use CTRL + X and press the Y key to save and exit the nano editor.
The SSH port can be changed from the configuration file; the default port is 22. The basic commands, such as cat, vi, and nano, will work for other tasks as well. To learn more about specific commands, use Google Search.
If you make changes to any configuration file, the service has to be restarted for them to take effect. Moving further, let’s assume we now wish to change our port. We will edit the sshd_config file, and I would use:
nano /etc/ssh/sshd_config
You must be logged in as an admin, or use sudo nano /etc/ssh/sshd_config to edit the file. After it has been edited, restart the SSH service using sudo /etc/init.d/ssh restart.
If you are changing the port, be sure to also allow the new port in your iptables rules if you are using the default firewall, and save the rules afterwards (on systems that use the iptables init script):
/etc/rc.d/init.d/iptables save
Query the iptables to confirm whether the port is open.
iptables -nL | grep 5000
There are several directives in the configuration file, as discussed earlier; there are two protocols for SSH (1 and 2). If it is set to 1, change it to 2.
Below is a bit of my configuration file. Port 5000 replaces the default port number 22, and Protocol 2 replaces Protocol 1:
# Package generated configuration file
# See the sshd_config(5) man page for details.
# What ports, IPs and protocols we listen for
Port 5000
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
Don’t forget to restart the service after making changes.
Root is the administrator account, and it is recommended that root login over SSH be disabled. Otherwise, if you are open to remote connections, you may become subject to a brute-force attack or other SSH vulnerabilities. Linux servers are the most loved boxes by hackers. The directive ‘LoginGraceTime‘ sets a time limit for the user to log in and authenticate; if the user doesn’t authenticate within that limit, the connection is closed. It is best to leave that setting at its default value.
Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
A super cool feature is key authentication (PubkeyAuthentication). This feature allows you to set up key-based authentication only, as seen with Amazon EC2 servers. You can then access the server only with your private key, making it highly secure. For this to work, you need to generate a key pair, keep the private key on the machine you connect from, and add the public key to the server so that the account can be accessed with that key.
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RSAAuthentication yes
PasswordAuthentication no
This will deny any password and will only allow users access with a key.
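As an added example that is not part of the original article, here is a small shell audit for the directives covered above (Port, Protocol, PermitRootLogin, PasswordAuthentication, PubkeyAuthentication). The two sample configuration files it checks are constructed, and it assumes a flat sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the
# settings the article says to change: Port, Protocol, PermitRootLogin,
# PasswordAuthentication and PubkeyAuthentication. Assumes POSIX sh and awk.
# Like sshd, the first uncommented occurrence of a keyword wins; Match blocks
# are not handled (assumption: a flat file like the one shown above).

sshd_get() {  # usage: sshd_get FILE KEYWORD -> prints the effective value, if any
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}
audit_sshd_config() {  # usage: audit_sshd_config FILE -> one finding per line
    f=$1
    port=$(sshd_get "$f" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "Port: sshd listens on the default port 22"
    fi
    case $(sshd_get "$f" Protocol) in
        *1*) echo "Protocol: SSH-1 is enabled; set 'Protocol 2'" ;;
    esac
    root=$(sshd_get "$f" PermitRootLogin)
    if [ -z "$root" ] || [ "$root" = yes ]; then
        echo "PermitRootLogin: unset or yes (older OpenSSH defaults to yes); set it to no"
    fi
    if [ "$(sshd_get "$f" PasswordAuthentication)" != no ]; then
        echo "PasswordAuthentication: passwords accepted (default yes); set it to no"
    fi
    if [ "$(sshd_get "$f" PubkeyAuthentication)" = no ]; then
        echo "PubkeyAuthentication: key authentication disabled; set it to yes"
    fi
}

count_findings() {  # usage: count_findings FILE -> number of findings
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample files (not real server configs) to exercise the audit.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
Protocol 2,1
#PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 5000
Protocol 2
PermitRootLogin no
PasswordAuthentication no
EOF
echo "weak config: $(count_findings "$WEAK_CFG") finding(s)"; audit_sshd_config "$WEAK_CFG"
```

Run it against /etc/ssh/sshd_config with audit_sshd_config /etc/ssh/sshd_config to check a real server; the weak sample above yields four findings, the hardened one none.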
In a professional network, you would usually inform your users about what they are allowed to do and what they are not, along with any other necessary information.
The file to edit for the login banner (message of the day) is: /etc/motd
To open the file in the editor, type: nano /etc/motd (or sudo nano /etc/motd if you are not logged in as root)
Edit the file, just as you would in Notepad.
You can also place the banner in a separate file and reference it in /etc/motd.
For example, “nano banner.txt” will create a “banner.txt” file and immediately open it in the editor.
Edit the banner and use Ctrl + X / Y to save it. Then reference it in the MOTD file.
The banner.txt file located at /home/users/appualscom/ (or whatever other path you used) will then be displayed.
Just like the banner, you can also add a message before the login prompt. The file for editing is /etc/issue.
SSH Tunneling
SSH tunneling allows you to route traffic from your local machine to a remote machine through the encrypted SSH connection.
Graphical Session over SSH Tunnel.
On the server, enable X11 forwarding in sshd_config:
X11Forwarding yes
On the client’s end the command would be:
ssh -X root@10.10.10.111
You can then run graphical programs such as Firefox simply by typing their command name, e.g.: firefox
If you encounter a display error, set the DISPLAY variable to your own machine’s address: export DISPLAY=<ip-address-of-your-machine>:0
TCP Wrappers
If you wish to allow selected hosts and deny others, then these are the files you need to edit.
1. /etc/hosts.allow
2. /etc/hosts.deny
To allow selected hosts, add a line like this to /etc/hosts.allow:
sshd: 10.10.10.111
To block everyone from accessing your server via SSH, add the following line to the /etc/hosts.deny file: sshd: ALL
SCP – Secure Copy Protocol.
SCP (Secure Copy) is a file transfer utility. Use the following command syntax to copy/transfer files over SSH: scp source destination
The command below will copy “myfile” to /home/user2 on 10.10.10.111:
scp /home/user/myfile root@10.10.10.111:/home/user2
To copy a folder (recursively):
scp -r /home/user/myfolder root@10.10.10.111:/home/user2
Searching for Files on a Remote Machine
It is very easy to search for files on a remote machine and view the output on your own system. To search for files on the remote machine, run find over SSH:
ssh root@10.10.10.111 "find /home/user -name '*.jpg'"
This command searches the /home/user directory for all *.jpg files; you can experiment with it. Using ‘find / -name’ instead searches the entire / root directory.
SSH Additional Security
Iptables allows you to set time-based limits. The commands below will block the user for 120 seconds if they fail to authenticate. You can use the /second, /minute, /hour, or /day parameter in the command to specify the period.
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 5000 -m limit --limit 120/second --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 5000 -j DROP
5000 is the port; change it as per your settings.
Allowing authentication from a specific IP:
iptables -A INPUT -p tcp -m state --state NEW --source 10.10.10.111 --dport 22 -j ACCEPT
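As an added example that is not the article’s own code, here are the firewall pieces from this page (allowing the new port, limiting new connections, and always admitting one administrative address) in a single script. It goes beyond the article by using the iptables “recent” match, which drops a source after repeated new connections within a window, whereas the “limit” match above only rate-limits the port as a whole. The port 5000, the address 10.10.10.111 and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: the SSH firewall rules the article
# discusses, built in one place for the port chosen in sshd_config. It goes beyond
# the article by using the "recent" match, which drops a source after repeated new
# connections within a window (the "limit" match only rate-limits new connections
# to the port as a whole). Assumes iptables with the state and recent modules.
# DRY_RUN=1 (the default) prints the rules; DRY_RUN=0 applies them (needs root).

SSH_PORT=${SSH_PORT:-5000}          # assumed: the port set in sshd_config
ADMIN_IP=${ADMIN_IP:-10.10.10.111}  # assumed: the host that is always allowed in
DRY_RUN=${DRY_RUN:-1}

run() {  # print or execute one iptables command, depending on DRY_RUN
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

ssh_rules() {  # emits (or applies) the rules for $SSH_PORT, in order
    # 1. The admin host is accepted before any throttling applies.
    run -A INPUT -p tcp -m state --state NEW -s "$ADMIN_IP" --dport "$SSH_PORT" -j ACCEPT
    # 2. Record the source of every new connection in the "ssh" recent list.
    run -A INPUT -p tcp -m state --state NEW --dport "$SSH_PORT" -m recent --name ssh --set
    # 3. Drop a source that has opened 4 or more new connections in 120 seconds.
    run -A INPUT -p tcp -m state --state NEW --dport "$SSH_PORT" \
        -m recent --name ssh --update --seconds 120 --hitcount 4 -j DROP
    # 4. Everything else gets the new port opened (the "allow it in iptables" step).
    run -A INPUT -p tcp -m state --state NEW --dport "$SSH_PORT" -j ACCEPT
}

count_rules() { ssh_rules | wc -l | tr -d ' '; }  # rule count (dry run only)

ssh_rules
```

Rule order matters: the admin address must be accepted before the recent-match rules, or it too will be dropped after four quick connections.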
Other useful commands
Attach a screen session over SSH:
ssh -t root@10.10.10.111 screen -r
SSH Transfer Speed Check
yes | pv | ssh root@10.10.10.111 "cat > /dev/null"