Tutorial: Setting up SSH on your LinuxBox
This tutorial will show you how to set up your LinuxBox so it accepts SSH connections. This will allow you to maintain and access your server from another client, inside or outside your local area network. You will have your server's terminal in front of you as if you were sitting at your own LinuxBox.
I advise you to start off with …
1. A strong Password
One of the things you'll notice if you have SSH running and exposed to the outside world is that your logs will probably fill with attempts by hackers to guess a username/password. Typically a hacker will scan for port 22 (the default port on which SSH listens) to find machines with SSH running, and then attempt a brute-force attack against them. With strong passwords in place, hopefully any attack will be logged and noticed before it can succeed.
2. Get into our working directory and the file to edit.
To get started, open a terminal window and change directory to /etc/ssh
[vossn@Linuxbox ~] cd /etc/ssh
List the contents of /etc/ssh with the “ls -l” command
[vossn@Linuxbox ssh ] ls -l
You will find a sshd_config file, open this file with vi or nano.
[vossn@Linuxbox ssh] vi sshd_config
The contents of the sshd_config file will be displayed in the terminal.
3. Disable root Logins
Okay, you have the sshd_config file open in a text editor. Start off by disabling root logins. To do so, add these lines to the sshd_config file.
# Prevent Root Logins
PermitRootLogin no
Then save and exit the config file, and restart the sshd service.
[vossn@Linuxbox ~] service sshd restart
Doing this step makes sure that a hacker cannot successfully use "root" as the user to log in. Since this is the only user they can really be sure exists, they have to guess your other usernames, making it significantly more difficult for an intruder.
4. Limit User Logins
SSH logins can be limited to only those users who need remote access. If you have many user accounts on the system, it makes sense to limit remote access to only those that really need it, which limits the impact of a casual user having a weak password. To add users to this list, add an AllowUsers line followed by a space-separated list of usernames to /etc/ssh/sshd_config.
Extra lines to add:
# SSH Allowed Users
AllowUsers Thomas user2 user3
Exit out of the sshd_config file and restart the sshd service.
5. Make sure you are using the latest protocol.
SSH has two protocols it may use, protocol 1 and protocol 2. The older protocol 1 is less secure and should be disabled. Look for the following line in the /etc/ssh/sshd_config file:
# Protocol 2,1
Uncomment it and amend it as shown below, so that only protocol 2 is offered:
Protocol 2
Exit out of the sshd_config file and restart the sshd service. (OpenSSH 7.0 and later no longer support protocol 1 at all, so on a recent system this step is already taken care of.)
6. Use a Non-Standard Port
By default, SSH listens for incoming connections on port 22, so a hacker trying to determine whether SSH is running on your machine will most likely scan port 22. An effective way to stay out of those scans is to run SSH on a non-standard port. Any unused port will do, although one above 1024 is preferable. To make the change, add lines like these to your /etc/ssh/sshd_config file:
# Run ssh on a non-standard port (change me):
Port 2345
Then restart the sshd service. Keep the comment on its own line: sshd only treats whole lines starting with "#" as comments, and a comment after the value on the same line makes it refuse the config file. Double check your firewall and router to make sure the required ports are open there as well.
Note 1: Don't pick an obvious one like 2222; take something different, and note it down somewhere in case you forget it.
Note 2: Don't forget to make the changes needed to port forwarding in your home router or firewall. Also, when connecting to your LinuxBox from another host, you will need to specify the port number you chose here.
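Before restarting sshd it is worth checking that the file really says what steps 3 to 6 intended. The audit script below is an added example, not part of the original tutorial; it assumes the standard one-keyword-per-line sshd_config syntax, the function names are my own, and the sample config it audits is constructed here.

```shell
#!/bin/sh
# Audit an sshd_config for the settings this tutorial changes (constructed
# example). Settings below a "Match" block are conditional, so we stop there.
# Print the effective value of a keyword (first match wins, as in sshd;
# keywords are case-insensitive). Prints nothing if the keyword is unset.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}
# sshd only treats whole lines starting with '#' as comments; a trailing
# "#comment" after a value makes it refuse the whole file ("garbage at end
# of line"). Count such lines.
inline_comment_count() {
    awk '/^[[:space:]]*[^#[:space:]][^#]*#/ { n++ } END { print n + 0 }' "$1"
}
# Return 0 if the config matches the tutorial's recommendations and would
# load, 1 otherwise, printing one line per finding.
audit_sshd_config() {
    f="$1"; rc=0
    [ "$(inline_comment_count "$f")" = 0 ] || {
        echo "FAIL: inline '#' comment after a value; sshd will refuse this file"; rc=1; }
    root=$(sshd_opt "$f" PermitRootLogin)
    [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin is '${root:-unset}', want 'no'"; rc=1; }
    [ -n "$(sshd_opt "$f" AllowUsers)" ] || { echo "FAIL: no AllowUsers line, every account may log in"; rc=1; }
    proto=$(sshd_opt "$f" Protocol)
    case "$proto" in
        2|"") ;;   # unset is fine on OpenSSH 7.0+, which no longer speaks protocol 1
        *) echo "FAIL: Protocol is '$proto', want '2'"; rc=1 ;;
    esac
    port=$(sshd_opt "$f" Port)
    [ -n "$port" ] && [ "$port" != "22" ] || { echo "WARN: sshd listens on the default port 22"; rc=1; }
    return $rc
}
# Demo on a constructed sample that copies the tutorial's lines, including a
# trailing "#Change me" comment on the Port line that sshd would reject.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
AllowUsers Thomas user2 user3
Protocol 2
Port 2345 #Change me
EOF
audit_sshd_config "$sample" || echo "fix the findings above, then run: sshd -t"
rm -f "$sample"
```

Once the audit passes, `sshd -t` asks sshd itself to parse the file and report errors before you restart it. Keep your current session open while restarting, so a mistake cannot lock you out.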
You should now be able to connect to your server's IP address with applications such as PuTTY or MS DOS. The server will prompt you for the username and password of your user. Enter these and you should be presented with the terminal of your server!
This is a pretty basic install of SSH; you can harden it a lot more. For that I advise you to keep an eye on the CentOS wiki pages.
Questions? Stuck? You can always leave a comment. I’ll get back to you in the next few days.