SSH (Secure Shell) is a network protocol for logging in to a remote machine and running commands on it from a console. The most commonly used Windows SSH client is PuTTY; the image below shows an established SSH session. It is quick and easy to use, and many IT professionals manage an entire network over SSH alone, because the whole session (password, commands and output) is encrypted and because it gives fast access for administrative and management tasks on the server. There are two major protocol versions, SSH-1 and SSH-2. SSH-2 is the later one and the only one that should be used: SSH-1 has known weaknesses, and current OpenSSH releases no longer support it at all. A Linux (or macOS) machine has a built-in Terminal with the ssh command; a Windows machine needs an SSH client such as PuTTY (recent Windows 10 and 11 builds also include an OpenSSH command-line client).
Accessing A Remote Host Using SSH
To access a remote host/machine using SSH, you will need the following:
a) An SSH client. PuTTY is free; on Linux and macOS the ssh command is already there.
b) The username on the SSH server
c) The password for that user (or, better, a key; see below)
d) The SSH port, usually 22. Because 22 is the default, it is a common recommendation to move the server to another port. That cuts the noise from bots that blindly hammer port 22, but it is not a security control on its own (a port scan finds the new port in seconds), so it must be combined with the key-based authentication and firewall rules covered below.
On a Linux machine the user root is the administrator by default and holds every administrative right; logging in as root is convenient for this walkthrough, but direct root logins are disabled later in the article.
In Terminal, a connection to the server is started with the ssh command, giving the username and the host address in the form username@host,
where root is the username and 192.168.1.1 is the host address.
This is what the terminal looks like:
Your commands are typed after the $ prompt (it becomes # when you are root). For help with any command in the terminal or in PuTTY, type man followed by the command name; this shows the command's manual page on screen.
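The connection step above, with the host-key check that a first login to a new server should include, as an added example that is not part of the original article. It uses the article's root@192.168.1.1; the port is a placeholder for whatever you configure later, and the helper functions are mine, not something shipped with OpenSSH.

```shell
#!/bin/sh
# Added example: first SSH login to a new server, verifying its host key.
# root@192.168.1.1 comes from the article; the port is a placeholder.
HOST=${HOST:-root@192.168.1.1}
PORT=${PORT:-22}

# Pull the SHA256 fingerprint out of an `ssh-keygen -l` output line such as
# "256 SHA256:kE4ugu... root@server (ED25519)" so two such lines can be compared.
fingerprint_of() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) { print $i; exit } }'
}

# 0 if both lines carry the same (non-empty) SHA256 fingerprint, 1 otherwise.
fingerprints_match() {
  a=$(fingerprint_of "$1"); b=$(fingerprint_of "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Step 1, on the server console (the VM window), before any network connection:
#   for k in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf "$k"; done
# Step 2, on the client: fetch the key over the network WITHOUT trusting it yet.
fetch_remote_fingerprint() {
  tmp=$(mktemp) || return 1
  ssh-keyscan -p "$PORT" -t ed25519 "${HOST#*@}" > "$tmp" 2>/dev/null
  ssh-keygen -lf "$tmp"
  rm -f "$tmp"
}

# Step 3: compare and connect. The line copied from the console is $1. A
# different fingerprint means the host was reinstalled or something is sitting
# between you and it; either way, do not type the password into it.
connect() {
  if fingerprints_match "$1" "$(fetch_remote_fingerprint)"; then
    ssh -p "$PORT" "$HOST"
  else
    echo "host key mismatch for $HOST, refusing to connect" >&2
    return 1
  fi
}
# Usage: connect "256 SHA256:kE4ugu... root@server (ED25519)"
```

When ssh itself prompts "Are you sure you want to continue connecting", the fingerprint it prints is the same value as step 1; answer yes only when they match, because that answer is what gets stored in ~/.ssh/known_hosts and silently trusted from then on.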
What I am going to do now is SSH with PuTTY into my Debian VM running on VMware.
Before I do that, I need to enable SSH by logging in to the VM's own console. If you have just purchased a server from a hosting company, SSH is normally enabled already; if not, you can ask them to enable it for you.
To start the ssh service (or restart it after a change), use
sudo /etc/init.d/ssh restart
On current Debian and Ubuntu releases the service is managed by systemd and the init.d script is only a compatibility wrapper; systemctl does the same job and also controls whether sshd starts at boot.
Since I am using Ubuntu and ssh was not installed, I had to install it first.
To install the ssh client and server, use these commands (the client is usually present on desktop systems already, so the second line is the one that normally matters):
sudo apt-get install openssh-client
sudo apt-get install openssh-server
And here is what I got, logged in to SSH via PuTTY:
That is all it takes to set up SSH and establish a session via PuTTY. Below I will go through some basic but more advanced features that will gradually give you a fuller view of the whole picture.
The SSH server configuration file is /etc/ssh/sshd_config. Do not confuse it with /etc/ssh/ssh_config, which holds the defaults for the ssh client program on that machine.
To view the configuration file use: cat /etc/ssh/sshd_config
To edit the configuration file use: vi /etc/ssh/sshd_config or nano /etc/ssh/sshd_config
After editing a file in nano, press CTRL + X, then Y, then Enter to save and exit.
The SSH port is changed in this file; the default is 22. cat, vi and nano are general-purpose commands that work on any file. To learn more about a command, read its man page (man nano, for example) or search the web.
After changing a configuration file, the service has to be restarted (or reloaded) before the change takes effect. Moving on, let's assume we wish to change our port. We edit the sshd_config file; for that
you must be logged in as root, or use sudo nano /etc/ssh/sshd_config. Change the Port line, save, and restart the ssh service with sudo /etc/init.d/ssh restart. Keep the session you are working in open and log in again from a second window on the new port before closing it; if the new configuration is broken, that open session is your way back in.
If you are changing the port, be sure to allow the new port in iptables (the default firewall) before you restart sshd, or the new port will be unreachable from outside. Leave the rule for the old port in place until the new one is confirmed working.
Query iptables to confirm the port is open:
iptables -nL | grep 5000
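The whole port-change procedure (edit, syntax check, firewall, restart, verify) in one script, as an added example that is not from the original article. The set_directive and get_directive helpers are mine; port 5000, the systemd unit name ssh (Debian/Ubuntu) and the iptables rule are assumptions that match the text.

```shell
#!/bin/sh
# Added example: move sshd to a new port without locking yourself out.
CONF=${CONF:-/etc/ssh/sshd_config}   # server config; /etc/ssh/ssh_config is the client's
NEWPORT=${NEWPORT:-5000}

# Set a directive, rewriting an existing active or commented-out line ("#Port 22")
# so the file ends up with exactly one definition; append if there was none.
set_directive() {  # $1 file, $2 directive, $3 value
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$2([[:space:]]|\$)" "$1"; then
    sed -i -E "s~^[[:space:]]*#?[[:space:]]*$2([[:space:]].*)?\$~$2 $3~" "$1"
  else
    printf '%s %s\n' "$2" "$3" >> "$1"
  fi
}

# Active value of a directive: the first uncommented occurrence wins, as in sshd.
get_directive() {  # $1 file, $2 directive
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

change_port() {
  cp "$CONF" "$CONF.bak.$(date +%Y%m%d%H%M%S)"
  set_directive "$CONF" Port "$NEWPORT"
  set_directive "$CONF" Protocol 2
  # Syntax-check before restarting: a typo here would otherwise stop sshd from
  # coming back, and with it your only way in.
  sshd -t -f "$CONF" || { echo "sshd_config is invalid, not restarting" >&2; return 1; }
  # Open the firewall for the new port BEFORE restarting, then restart.
  iptables -I INPUT -p tcp --dport "$NEWPORT" -m state --state NEW -j ACCEPT
  systemctl restart ssh 2>/dev/null || /etc/init.d/ssh restart
  # Confirm the listener and the firewall rule. Keep this session open and log in
  # again on the new port from a second window before removing the port 22 rule.
  ss -tln | grep -q ":$NEWPORT " && iptables -nL INPUT | grep -q "dpt:$NEWPORT"
}

case "${1:-}" in run) change_port ;; esac   # usage: sh change-port.sh run
```

The backup copy and the sshd -t check are the two steps people skip; sshd -t reads the file exactly as a restart would, so a directive it rejects is caught while the old daemon is still serving your session.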
There are many directives in the configuration file. As discussed earlier, there are two protocol versions (1 and 2). If Protocol is set to 1, or to 2,1 (which lets a client negotiate the weaker version), change it to 2. OpenSSH 7.4 and later no longer support SSH-1 on the server at all and ignore this directive, so on a current system you may simply not find it.
Below is a bit of my configuration file, with the two lines I changed:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 5000
(22 was replaced with 5000)
# Use these options to restrict which interfaces/protocols sshd will bind to
Protocol 2
(1 was replaced with 2)
Don't forget to restart the service after making changes.
Root is the administrator account, and it is recommended that direct root logins over SSH be disabled, with the directive PermitRootLogin no (log in as an ordinary user and use sudo for administrative work). A server that accepts connections from the internet with root login enabled will be hit by password brute-force attempts against the one account every attacker knows exists, and any other flaw in the login path is then exploited with full privileges from the start; exposed Linux servers are scanned constantly. The directive LoginGraceTime sets how long a user has to authenticate before the connection is closed; leave it at the default. MaxAuthTries, the number of authentication attempts allowed per connection, can be lowered from its default of 6 to make brute forcing slower and noisier in the log.
A very useful feature is key authentication (PubkeyAuthentication). It lets you restrict the server to key-based logins only, as Amazon EC2 instances do out of the box, and a key cannot be guessed the way a password can. It works like this: you generate a key pair on the machine you connect from. The private key stays on that client machine and is never copied anywhere (protect it with a passphrase); the public key is appended to ~/.ssh/authorized_keys in the home directory of the account on the server, and that account can then be accessed only by whoever holds the matching private key.
Setting PasswordAuthentication no in sshd_config then denies any password and allows users in with a key only. Make that change only after you have confirmed that a key login works; otherwise you lock yourself out.
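Key-based login rolled out in the safe order (key first, passwords off last), followed by an audit of the directives discussed above, as an added example that is not from the original article. It assumes the article's root@192.168.1.1, port 5000, an Ed25519 key at the default path and a systemd service named ssh; the audit_sshd_config function is mine and checks only the handful of directives this article covers.

```shell
#!/bin/sh
# Added example: switch a server to key-only logins, then audit sshd_config.
HOST=${HOST:-root@192.168.1.1}
PORT=${PORT:-5000}
KEY=${KEY:-$HOME/.ssh/id_ed25519}

# Report weak values of the directives covered in this article. Prints one
# finding per line; returns 1 if anything was found, 0 if the file is clean.
# Like sshd, it takes the first occurrence of each directive.
audit_sshd_config() {  # $1 sshd_config file
  awk '
    /^[[:space:]]*(#|$)/ { next }               # skip comments and blank lines
    { k = tolower($1); if (!(k in v)) v[k] = tolower($2) }
    END {
      bad = 0
      if (v["protocol"] ~ /1/)                 { print "Protocol still allows SSH-1"; bad = 1 }
      r = v["permitrootlogin"]
      if (r != "no" && r != "prohibit-password" && r != "without-password")
                                               { print "PermitRootLogin should be no or prohibit-password"; bad = 1 }
      if (v["passwordauthentication"] != "no") { print "PasswordAuthentication should be no"; bad = 1 }
      if (v["pubkeyauthentication"] == "no")   { print "PubkeyAuthentication is disabled"; bad = 1 }
      if (v["permitemptypasswords"] == "yes")  { print "PermitEmptyPasswords yes"; bad = 1 }
      if (("maxauthtries" in v) && v["maxauthtries"] + 0 > 6)
                                               { print "MaxAuthTries above the default of 6"; bad = 1 }
      exit bad
    }' "$1"
}

rollout_keys() {
  # 1. Client side: an Ed25519 key pair; the private key never leaves this machine.
  [ -f "$KEY" ] || ssh-keygen -t ed25519 -a 64 -f "$KEY"
  # 2. Append the PUBLIC key to ~/.ssh/authorized_keys on the server (last password login).
  ssh-copy-id -i "$KEY.pub" -p "$PORT" "$HOST"
  # 3. Prove the key works before touching the server config. BatchMode makes ssh
  #    fail instead of quietly falling back to a password prompt.
  ssh -p "$PORT" -i "$KEY" -o BatchMode=yes -o PasswordAuthentication=no "$HOST" true || {
    echo "key login failed; NOT disabling passwords" >&2; return 1; }
  # 4. Only now turn passwords off. Root keeps key-only access (prohibit-password)
  #    because the article logs in as root; a sudo-capable user plus
  #    PermitRootLogin no is the better end state. sshd takes the first value
  #    of a directive, so an existing line is rewritten rather than appended to.
  #    If sshd -t fails, the running daemon is untouched and the audit shows it.
  ssh -p "$PORT" -i "$KEY" "$HOST" '
    for d in "PasswordAuthentication no" "PermitRootLogin prohibit-password"; do
      k=${d%% *}
      if grep -Eq "^#?$k " /etc/ssh/sshd_config; then
        sed -i -E "s/^#?$k .*/$d/" /etc/ssh/sshd_config
      else
        echo "$d" >> /etc/ssh/sshd_config
      fi
    done && sshd -t && systemctl reload ssh'
  # 5. Audit the result from the client.
  ssh -p "$PORT" -i "$KEY" "$HOST" cat /etc/ssh/sshd_config > /tmp/sshd_config.audit
  audit_sshd_config /tmp/sshd_config.audit
}

case "${1:-}" in run) rollout_keys ;; esac   # usage: sh key-rollout.sh run
```

Step 3 is the one that matters: the test login uses the key and refuses to fall back to a password, so it fails loudly if ssh-copy-id put the key in the wrong place or the home directory permissions are too open, while the password path is still there to fix it.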
In a professional network, you would usually tell your users what they are and are not allowed to do, plus any other necessary information, through a login message.
The file for the message shown after a successful login (the message of the day) is /etc/motd.
To open it in the editor, type: nano /etc/motd (or sudo nano /etc/motd if you are not root).
Edit the file, just as you would in Notepad.
A message shown before login, while the connection is still unauthenticated, is a separate thing and is configured in sshd, not in /etc/motd. Place the text in a file and reference it with the Banner directive in /etc/ssh/sshd_config.
e.g.: nano banner.txt will create a banner.txt file and immediately open the editor.
Edit the banner, and use Ctrl + X / Y to save it. Then reference it in /etc/ssh/sshd_config with
Banner /home/users/appualscom/banner.txt OR whatever the file path is, and restart the service. Because this banner is sent to anyone who connects, before they prove who they are, keep it to a legal notice and do not put hostnames, software versions or contact details in it.
The classic file /etc/issue serves the same pre-login purpose for local console (tty) logins; it is not shown to SSH clients, which is why sshd has its own Banner directive.
SSH tunneling (port forwarding) lets you carry the traffic of some other service between your local machine and a remote machine, or a host behind it, inside the encrypted SSH connection. Check out the article on SSH Tunneling.
Graphical Session Over SSH Tunnel
On the client's end the command is (user@host being your login name and the server's address):
ssh -X user@host
You can then run programs like firefox by typing their name at the prompt; the window opens on your local display while the program runs on the server.
If you get a display error (such as "cannot open display"), check the display address: ssh sets the DISPLAY variable for you when -X is used, so set it by hand only if it is missing, and when it is missing the usual causes are X11Forwarding not being set to yes in sshd_config or the xauth program not being installed on the server.
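The tunnel and X11 commands above, extended with remote (-R) and dynamic (-D) forwards and driven through an ssh control socket so that a background tunnel can be checked and closed, as an added example that is not from the original article. Assumptions: user@192.168.1.1 on port 5000 and a web server listening on port 80 on the remote side; the forward_spec helper is mine and exists only to make the bind address explicit.

```shell
#!/bin/sh
# Added example: SSH tunnels and X11 forwarding managed through a control socket.
HOST=${HOST:-user@192.168.1.1}
PORT=${PORT:-5000}
SOCK=${SOCK:-/tmp/ssh-tunnel.sock}

# Build a -L/-R forward argument with an explicit bind address. The default is the
# loopback interface: a forward bound to "*" is reachable by every host on the
# network, i.e. it is an open port in front of whatever sits at the far end.
forward_spec() {  # $1 listen port, $2 target host, $3 target port, [$4 bind address]
  case "${4:-127.0.0.1}" in
    127.0.0.1|localhost) bind=127.0.0.1 ;;
    '*'|0.0.0.0)         bind='*' ;;
    *) echo "forward_spec: refusing unknown bind address '$4'" >&2; return 1 ;;
  esac
  printf '%s:%s:%s:%s\n' "$bind" "$1" "$2" "$3"
}

tunnel_up() {
  # -f background, -N no remote command, -M/-S create a control socket.
  # -L: http://localhost:8080 on this machine reaches port 80 on the server.
  # -R: port 2222 on the server's loopback reaches this machine's sshd.
  # -D: SOCKS proxy on local port 1080 (point a browser at it) exiting on the server.
  ssh -f -N -M -S "$SOCK" -p "$PORT" \
      -L "$(forward_spec 8080 localhost 80)" \
      -R "$(forward_spec 2222 localhost 22)" \
      -D 127.0.0.1:1080 "$HOST"
}
tunnel_status() { ssh -S "$SOCK" -O check "$HOST"; }   # prints "Master running (pid=...)"
tunnel_down()   { ssh -S "$SOCK" -O exit  "$HOST"; }

# Graphical program over the same kind of connection. -X (untrusted X11 client) is
# the safer default; -Y gives the remote program full access to your display.
# Needs X11Forwarding yes in sshd_config and xauth installed on the server; without
# xauth, sshd never sets DISPLAY and the program reports "cannot open display".
run_remote_gui() { ssh -X -p "$PORT" "$HOST" "${1:-firefox}"; }

case "${1:-}" in
  up)     tunnel_up ;;
  status) tunnel_status ;;
  down)   tunnel_down ;;
  gui)    run_remote_gui "${2:-firefox}" ;;
esac   # usage: sh tunnel.sh up|status|down|gui
```

A -R forward bound to "*" on the server only takes effect if sshd has GatewayPorts enabled; by default the server ignores the requested bind address and keeps the listener on loopback, which is the safe behaviour.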
If you wish to allow selected hosts and deny others at the TCP wrapper layer, the files you need to edit are /etc/hosts.allow and /etc/hosts.deny.
To allow a few hosts, list them for the sshd service in /etc/hosts.allow; this file is consulted first, so a match there wins.
To block everyone else from sshing into your server, add a line in /etc/hosts.deny that denies sshd for ALL. One caveat: upstream OpenSSH dropped TCP wrapper support in version 6.7, and not every distribution still builds sshd with libwrap, so test the effect before relying on it (the AllowUsers, AllowGroups and Match directives in sshd_config, and the firewall rules further down, are the portable alternatives).
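The two wrapper files filled in, together with the sshd_config equivalent that works whether or not sshd is built with libwrap, as an added example that is not from the original article. The 10.10.10.0/24 network is taken from the article's 10.10.10.111 host, and the login name admin is a placeholder.

```text
# /etc/hosts.allow   (checked first; a match here wins)
sshd: 10.10.10.          # the whole 10.10.10.0/24 network (a trailing dot means prefix match)
sshd: 192.168.1.1        # one more host

# /etc/hosts.deny     (checked only if nothing matched in hosts.allow)
sshd: ALL

# /etc/ssh/sshd_config equivalent, honoured by every sshd build (restart after editing):
AllowUsers admin@10.10.10.* admin@192.168.1.1
```

Two checks before trusting this: tcpdmatch sshd 10.10.10.111 (from the tcpd package) prints the verdict the wrapper files would give for a client, and ldd on the sshd binary shows whether libwrap is linked in at all; if it is not, only the AllowUsers line does anything.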
SCP – Secure Copy
SCP (secure copy) is a file transfer utility that runs over ssh, so the same credentials and encryption apply. You will use the following command to copy/transfer files over ssh.
The command below copies myfile to /home/user2 on 10.10.10.111, logging in as user:
scp /home/user/myfile user@10.10.10.111:/home/user2
The syntax is scp source destination; the remote side is written as user@host:path. If sshd listens on a non-default port, pass it with -P (capital P; lowercase -p preserves timestamps and permissions).
To copy a folder
scp -r /home/user/myfolder user@10.10.10.111:/home/user2
Searching For Files On A Remote Machine
It is very easy to search for files on a remote machine and view the output on your own screen: give the find command to ssh as the remote command to run. To search files on a remote machine
the command searches the /home/user directory for all *.jpg files; you can play with it. find / -name searches the entire filesystem from the root directory. Quote the pattern so that it is expanded by the remote shell rather than by your local one, which would otherwise substitute local file names before the command is even sent.
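The remote search above and the copy from the SCP section, combined into a search, copy and verify routine, as an added example that is not from the original article. It assumes the article's 10.10.10.111 host and /home/user paths, port 5000 and a login name of user; compare_sums is my helper, not a standard tool.

```shell
#!/bin/sh
# Added example: search on the remote host, copy a tree with scp, verify by hash.
HOST=${HOST:-user@10.10.10.111}
PORT=${PORT:-5000}

# Run find on the remote machine. The pattern is single-quoted inside the
# double-quoted command so that the REMOTE shell expands it, not the local one.
remote_find() {  # $1 directory, $2 name pattern, e.g. remote_find /home/user '*.jpg'
  ssh -p "$PORT" "$HOST" "find '$1' -type f -name '$2'"
}

# Compare two sha256sum listings (local vs remote). Prints every file that is
# missing on one side or whose hash differs; returns 1 if anything was printed.
# File names containing spaces are not handled (sha256sum's format splits on them).
compare_sums() {  # $1 local listing, $2 remote listing
  awk 'FILENAME == ARGV[1] && FNR == NR { loc[$2] = $1; next }
       { rem[$2] = $1 }
       END {
         bad = 0
         for (f in loc)
           if (!(f in rem))            { print "missing on remote: " f; bad = 1 }
           else if (loc[f] != rem[f])  { print "hash mismatch: " f;     bad = 1 }
         for (f in rem)
           if (!(f in loc))            { print "missing locally: " f;   bad = 1 }
         exit bad
       }' "$1" "$2"
}

# scp -P (capital) is the port; -r recurses; -p keeps modes and timestamps.
# After the copy, hash every file on both sides and compare the listings.
copy_and_verify() {  # $1 local directory, $2 remote parent directory
  scp -P "$PORT" -rp "$1" "$HOST:$2/" || return 1
  name=$(basename "$1")
  (cd "$1" && find . -type f -exec sha256sum {} +) | sort -k2 > "/tmp/$name.local.sums"
  ssh -p "$PORT" "$HOST" "cd '$2/$name' && find . -type f -exec sha256sum {} +" \
      | sort -k2 > "/tmp/$name.remote.sums"
  compare_sums "/tmp/$name.local.sums" "/tmp/$name.remote.sums"
}

case "${1:-}" in
  search) remote_find "$2" "$3" ;;        # sh scp-verify.sh search /home/user '*.jpg'
  copy)   copy_and_verify "$2" "$3" ;;    # sh scp-verify.sh copy /home/user/myfolder /home/user2
esac
```

The hash comparison is what tells a partial copy (a full disk on the far side, a dropped connection halfway through a large tree) apart from a complete one; scp's exit status alone does not always reflect that for recursive copies.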
SSH Additional Security
iptables can rate-limit new connections to the SSH port. The rules below accept at most 3 new connections per minute (after an initial burst of 3) on port 5000 and drop the rest; you can use /second, /minute, /hour or /day in --limit to express the rate. Two caveats: this limit is global, counting all source addresses together, so one noisy scanner throttles everybody, and iptables never sees whether a login succeeded or failed. Blocking an address for 120 seconds after failed authentication is what fail2ban does, by reading the sshd log and adding a rule; iptables on its own can only count connections.
iptables -A INPUT -p tcp --syn --dport 5000 -m state --state NEW -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 5000 -m state --state NEW -j DROP
5000 is the port; change it as per your settings (both rules must use the same port).
Allowing authentication from a specific IP
Insert this rule with -I rather than -A so that it lands above the DROP rule: iptables evaluates rules in order and stops at the first match, so an ACCEPT appended below the DROP would never be reached.
iptables -I INPUT -p tcp -m state --state NEW --source 10.10.10.111 --dport 5000 -j ACCEPT
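A per-source version of the throttle, which is what "block for 120 seconds" actually needs, with the allow rule placed first and a check that the rule order is right, as an added example that is not from the original article. It assumes port 5000 and the admin host 10.10.10.111 from the text; the allow_precedes_drop helper is mine.

```shell
#!/bin/sh
# Added example: per-source SSH connection throttling with iptables.
SSHPORT=${SSHPORT:-5000}
ADMIN=${ADMIN:-10.10.10.111}

install_rules() {
  # 1. The admin host is never throttled; -I puts the rule at the top of INPUT.
  iptables -I INPUT -p tcp --dport "$SSHPORT" -m state --state NEW -s "$ADMIN" -j ACCEPT
  # 2. Record every new connection, per source address, in the "SSH" list ...
  iptables -A INPUT -p tcp --dport "$SSHPORT" -m state --state NEW -m recent --name SSH --set
  # 3. ... and drop a source that opened 4 or more in the last 120 seconds. Each
  #    dropped attempt refreshes the timer (--update), so the source stays blocked
  #    until it has been quiet for 120 s. This counts connections, not failed
  #    passwords; fail2ban reads the sshd log if you want the latter.
  iptables -A INPUT -p tcp --dport "$SSHPORT" -m state --state NEW \
           -m recent --name SSH --update --seconds 120 --hitcount 4 -j DROP
  iptables -A INPUT -p tcp --dport "$SSHPORT" -m state --state NEW -j ACCEPT
}

# Rules are evaluated top to bottom and the first match wins, so the allow rule
# must sit above the DROP. Verify that on a saved copy of `iptables -S INPUT`.
allow_precedes_drop() {  # $1 file holding `iptables -S INPUT` output, $2 port, $3 admin ip
  awk -v p="$2" -v ip="$3" '
    $0 ~ ("--dport " p " ") && $0 ~ ("-s " ip) && /-j ACCEPT/ && !a { a = NR }
    $0 ~ ("--dport " p " ") && /-j DROP/ && !d                     { d = NR }
    END { exit !(a && d && a < d) }' "$1"
}

check_rules() {
  tmp=$(mktemp) || return 1
  iptables -S INPUT > "$tmp"
  if allow_precedes_drop "$tmp" "$SSHPORT" "$ADMIN"; then
    echo "ok: $ADMIN is accepted before the port $SSHPORT DROP rule"
  else
    echo "WRONG ORDER: $ADMIN would be throttled like everyone else" >&2
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
}

case "${1:-}" in
  install) install_rules ;;
  check)   check_rules ;;
esac   # usage: sh ssh-throttle.sh install|check
```

The counters live in /proc/net/xt_recent/SSH while the rules are loaded, which is the place to look when a legitimate user reports being locked out: their address appears there with the hit count that tripped the limit.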
Other useful commands
Reattach a screen session over SSH (-t allocates a terminal so that screen can take it over; user@host is your login name and the server):
ssh -t user@host screen -r
SSH Transfer Speed Check
yes | pv | ssh user@host "cat > /dev/null"
pv must be installed on the client. It displays the rate at which the endless stream of y's is pushed through the encrypted connection and discarded on the far end, which is a fair measure of raw SSH throughput; stop it with Ctrl + C.