Your Guide To Using SSH

Kevin ArrowsUpdated on May 30, 2023
Kevin is a certified Network Engineer

SSH is a network protocol that works in a console. The most commonly used SSH client is PuTTY. The image below shows an established SSH session. It is easy to use and quick. Most IT professionals manage the entire network solely via SSH because of the security and the quick, easy access to perform administrative and management tasks on the server. The entire session in SSH is encrypted. The major protocols for SSH are SSH1/SSH-1 and SSH2/SSH-2. SSH-2 is the latter one, more secure than SSH-1. A Linux OS has a built-in utility called Terminal to access the console, and a Windows machine requires an SSH client (e.g. PuTTY).

putty

Accessing a Remote Host Using SSH.

To access a remote host/machine using SSH, you will need to have the following:

a) PuTTy (Free SSH Client)
b) SSH Server Username
c) SSH Server Password.
d)The SSH port is usually 22, but since 22 is the default, it should be changed to a different port to avoid attacks on this port.

In a Linux machine, the username ‘root’ is the administrator by default and possesses all the administrative rights.

In Terminal, the following command will initiate a connection to the server.

ssh root@192.168.1.1
Where ‘root’ is the username, and ‘192.168.1.1’ is the host address.

This is what the terminal looks like:

terminal

Your commands will be typed after the $ symbol. For help with any command in terminal/putty, use the syntax:

Man uses SSH.

Man commands.

man, followed by any command will return on-screen command guidance

So what i am going to do now, is SSH using PuTTy into my Debian OS running on  VMWare.

But before I do that, I need to enable SSH by logging into my VM Debian. If you have just purchased a server from a hosting company, you can request them to enable SSH for you.

To enable ssh, use
sudo /etc/init.d/ssh restart

Since i am using Ubuntu, and ssh was  not installed, so
To install ssh use these commands
sudo apt-get install openssh-client
sudo apt-get install openssh-server

And, here’s what I’ve got: logged in to SSH via PuTTy.

ssh

Now, this is what it takes to set up SSH and establish a session via PuTTY. Below, I will address some basic advanced features that will gradually give you a more comprehensive view of the whole scenario.

The default ssh configuration file is located at: /etc/ssh/sshd_config
To view the configuration file use: cat /etc/ssh/sshd_config
To edit the configuration file use: vi /etc/ssh/sshd_config or nano /etc/ssh/sshd_config

After editing any file, use CTRL + X and press the Y key to save and exit the nano editor.

The SSH port can be changed from the configuration file; the default port is 22. The basic commands, such as cat, vi, and nano, will work for other tasks as well. To learn more about specific commands, use Google Search.

If you make any changes to any configuration file, then a restart is required for that service. Moving further, let’s assume we now wish to change our port. What we’re going to do is edit the sshd_config file, and I would use.

nano /etc/ssh/sshd_config

port-ssh

You must be logged in as an admin, or use sudo nano /etc/ssh/sshd_config to edit the file. After it has been edited, restart the SSH service using sudo /etc/init.d/ssh restart.

If you are changing a port, be sure to allow it in your iptables if you are using the default firewall.

iptables -I INPUT -p tcp –dport 5000 -j ACCEPT
/etc/rc.d/init.d/iptables save

Query the iptables to confirm whether the port is open.

iptables -nL | grep 5000

There are several directives in the configuration file, as discussed earlier; there are two protocols for SSH (1 and 2). If it is set to 1, change it to 2.

Below is a bit of my configuration file:

# Package generated configuration file
# See the sshd_config(5) man page for details.

# Which ports, IPs, and protocols do we listen for?
Port 5000 replaced port number 22.                                                                                                                          # Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2 replaced Protocol 1 with Protocol 2.

Don’t forget to restart the service after making changes.

Root is the administrator, and it is recommended that it be disabled. Otherwise, if you are open to remote connections, you may become subject to a brute force attack or other SSH vulnerabilities. Linux servers are the most loved boxes by hackers. The directive ‘LoginGraceTime‘ sets up a time limit for the user to log in and authenticate. If the user doesn’t authenticate within the time limit, then the connection closes. It is best to leave that setting at its default value.

Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

A super cool feature is the Key Authentication (PubkeyAuthentication) – This feature allows you to set up key-based authentication only, as seen with Amazon EC3 servers. You can access the server only using your private key, making it highly secure. In order for this to work, you need to generate a key pair, add the private key to your remote machine, and add the public key to the server so that it can be accessed using that key.

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RSAAuthentication yes
PasswordAuthentication no

This will deny any password and will only allow users access with a key.

 In a professional network, you would usually inform your users about what they are allowed to do and what they are not, along with any other necessary information.

The configuration file to edit for banners is: /etc/motd
To open the file in editor, type: nano /etc/motd or sudo /etc/motd

Edit the file, just as you would in Notepad.

You can also place the banner in a file and reference it in the /etc/motd.

For example, “nano banner.txt” will create a “banner.txt” file and immediately open up the editor.

Edit the banner, and use Ctrl + X / Y to save it. Then, reference it in the MOTD file.

Display the banner.txt file located at /home/users/appualscom/ or any other file path, as applicable.

Just like the banner, you can also add a message before the login prompt. The file for editing is /etc/issue.

SSH Tunneling

SSH tunneling allows you to route the traffic from your local machine to a remote machine. It is created using SSH protocols and is encrypted.

Graphical Session over SSH Tunnel.

Enable the graphical/gui session by uncommenting the following line
X11Forwarding yes

On the client’s end the command would be:
ssh -X root@10.10.10.111

You can run programs like Firefox, etc., by using simple commands.                                                                firefox

If you encounter a display error, please set the address:                                                                                     export DISPLAY=IPaddressofmachine:0.0

TCP Wrappers

If you wish to allow selected hosts and deny others, then these are the files you need to edit.

1. /etc/hosts.allow
2. /etc/hosts.deny

To allow a few hosts

sshd: 10.10.10.111

To block everyone from accessing your server via SSH, add the following line to the /etc/hosts.deny file:         sshd: ALL

SCP – Secure Copy Protocol.

SCP – Secure Copy is a file transfer utility. You will need to use the following command to copy/transfer files over SSH.

The command below will copy “myfile” to /home/user2 on 10.10.10.111.                                                          scp /home/user/myfile root@10.10.10.111:/home/user2
scp source destination syntax

To copy a folder
scp –r /home/user/myfolder roor@10.10.10.111:/home/user2

Searching for Files on a Remote Machine

It is very easy to search for files on a remote machine and view the output on your system. To search for files on a remote machine:

ssh root@10.10.10.111 “find /home/user –name ‘*.jpg’”

The command will search in the /home/user directory for all *.jpg files; you can experiment with it. The ‘find / -name’ command will search the entire / root directory.                                                                                       

SSH Additional Security

Iptables allows you to set time-based limitations. The commands below will block the user for 120 seconds if they fail to authenticate. You can use the /second, /hour, /minute, or /day parameter in the command to specify the period.

Time Based Limits
iptables -A INPUT -p tcp -m state –syn –state NEW –dport 22 -m limit –limit 120/second –limit-burst 1 -j ACCEPT

iptables -A INPUT -p tcp -m state –syn –state NEW –dport 5000 -j DROP

5000 is the port, change it as per your settings.

Allowing authentication from a specific IP
iptables -A INPUT -p tcp -m state –state NEW –source 10.10.10.111 –dport 22 -j ACCEPT

Other useful commands

Attach a screen over SSH
ssh -t root@10.10.10.111 screen –r
SSH Transfer Speed Check
yes | pv | ssh $root@10.10.10.111 “cat > /dev/null”

Tags
Kevin ArrowsUpdated on May 30, 2023
Kevin is a certified Network Engineer
ABOUT THE AUTHOR
Photo of Kevin Arrows

Kevin Arrows


Kevin Arrows is a highly experienced and knowledgeable technology specialist with over a decade of industry experience. He holds a Microsoft Certified Technology Specialist (MCTS) certification and has a deep passion for staying up-to-date on the latest tech developments. Kevin has written extensively on a wide range of tech-related topics, showcasing his expertise and knowledge in areas such as software development, cybersecurity, and cloud computing. His contributions to the tech field have been widely recognized and respected by his peers, and he is highly regarded for his ability to explain complex technical concepts in a clear and concise manner.