I. Installing OpenSSH
Install the client on Ubuntu:
sudo apt install openssh-client
Install the server on the server machine (a VM in VirtualBox):
sudo apt install openssh-server
II. Inspecting OpenSSH
Basic commands for controlling the OpenSSH service:
sudo systemctl start ssh
sudo systemctl stop ssh
sudo systemctl restart ssh
sudo systemctl status ssh
Install netstat (part of net-tools):
sudo apt install net-tools
Run the command below to show all listening ports and the processes that own them:
sudo netstat -tulpn
Sample result, showing OpenSSH listening on port 22:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      901/sshd
Show OpenSSH running as a background service:
sudo systemctl status sshd
Sample result:
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2020-10-17 12:19:22 EDT; 12min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 901 (cups-browsed)
    Tasks: 1 (limit: 5029)
   Memory: 388.0K
   CGroup: /system.slice/sshd.service
           └─901 /usr/sbin/sshd -D

Okt 17 12:19:22 centos-server1 systemd[1]: Starting OpenSSH server daemon..
Okt 17 12:19:22 centos-server1 sshd[901]: Server Listening on 0.0.0.0 port 22
Okt 17 12:19:22 centos-server1 sshd[901]: Server Listening on :: port 22
Okt 17 12:19:22 centos-server1 systemd[1]: Started OpenSSH server daemon..
III. Running a Connection Using OpenSSH
Show the server's IP address:
ip a
Sample result:
...
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:bb:05:6f brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.43/24 brd 192.168.100.255 scope global dynamic noprefixroute enp0s3
       valid_lft 86381sec preferred_lft 86381sec
    inet6 fe80::cbbb:ec2:218b:2b99/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
...
Connect from the client with the command below:
ssh user@ipaddress
Sample result:
ssh person1@192.168.100.43
person1@192.168.100.43's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Sun Oct 18 01:46:31 2020
[person1@centos-server1 ~]$
Notes:
- user is a username that already exists on the server (usually one user was created during the Linux installation).
- ipaddress is the IP address of the server.
- At this point we are logged into the server. We can verify it by creating a file with
touch testfile
and checking on the server whether the file exists.
- We can also use the hostname instead of the IP address in the SSH command if it is set.
If at some point we cannot connect to the server with SSH, we can show debug information during the connection attempt with:
ssh -v ipaddress
Sample result:
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/helmiz/.ssh/id_dsa
debug1: Trying private key: /home/helmiz/.ssh/id_ecdsa
debug1: Trying private key: /home/helmiz/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/helmiz/.ssh/id_ed25519
debug1: Trying private key: /home/helmiz/.ssh/id_ed25519_sk
debug1: Trying private key: /home/helmiz/.ssh/id_xmss
debug1: Next authentication method: password
...
Notes:
- It can be seen that the server tries publickey authentication first and only then falls back to password authentication.
We can connect on a different port if the server's SSH port has been changed from the default (22) with:
ssh ipaddress -p portNumber
IV. Simple Configuration
The client configuration is kept in the .ssh directory in the user's home directory. The directory is created the first time the client connects to the server:
ls -la
Sample result:
drwx------ 2 helmiz helmiz 4096 Okt 17 12:53 .ssh
Notes:
- Inside the directory there will be a known_hosts file, which stores the host key fingerprint of every machine we have connected to. When we connect to the same server again we are therefore not asked to confirm the fingerprint.
The server configuration is in the /etc/ssh/sshd_config file:
sudo nano /etc/ssh/sshd_config
Notes:
- Port: changing the port number reduces the number of automated bots from the Internet that find and probe the service.
- PermitRootLogin: set it to no so that nobody can log in directly as root. The exception is a VPS or cloud server that initially only provides root login.
- PasswordAuthentication: whether a password may be used to enter the server. We will change it to no later, so that access is possible only with public key authentication.
- AllowUsers: only the listed users may access the server. Example:
AllowUsers azam21 rahmah93 nindi11
means only those three users can access the server.
- AllowGroups: easier than AllowUsers because we list groups instead of individual users. Example:
AllowGroups sshusers admin
Don’t forget to restart SSH after configuring:
sudo systemctl restart sshd
V. Detecting SSH Problems
If the client cannot connect to the server, we can use the command below:
ssh -v user@ipaddress
The method above does not provide detailed information from the server side. Alternatively we can check the logs on the server with:
# Ubuntu
cat /var/log/auth.log
# follow in real time
tail -f /var/log/auth.log
# Red Hat
cat /var/log/secure
# follow in real time
tail -f /var/log/secure
VI. Public Key Authentication
We can create a key pair that is used as an authentication method. We can generate a key with:
ssh-keygen
Notes:
- Passphrase: encrypts the private key on the local machine.
- Two files are created in the .ssh directory: id_rsa is the private key, which must be kept secret, and id_rsa.pub is the public key, which is distributed to other machines.
We can give our public key to the server to establish trust between the server and the client with:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@ipaddress
Notes:
- With the public key installed, we no longer need to type the password repeatedly.
If we want to generate a new key for the server, we have to delete the old key from the authorized_keys file on the server. The file contains all the public keys accepted for that account:
nano .ssh/authorized_keys
We can stop users from entering the server with password authentication, which increases security:
# File
sudo nano /etc/ssh/sshd_config
# Line
PasswordAuthentication no
VII. Secure Copy Protocol (SCP)
SCP is used to send files over SSH. Here are the commonly used forms:
Send the file nameFile from the client to the dir directory on the server (-P sets the SSH port):
scp -P 22 nameFile ipaddress:/home/dir
Sample result:
$ scp wallpaper.jpg person1@192.168.100.44:/home/person1/
person1@192.168.100.44's password:
wallpaper.jpg                                 100% 2251KB  22.0MB/s   00:00
Transfer a directory recursively:
scp -r dirName ipaddress:
Sample result:
$ scp -r mydir person1@192.168.100.44:
person1@192.168.100.44's password:
wallpaper.jpg                                 100% 2251KB  19.7MB/s   00:00
Notes:
- If you don't give a path after the colon, the default is the user's home directory.
Take a file or directory from the server (pull):
scp -r ipaddress:dir .
Sample result:
$ scp -r person1@192.168.100.44:mydir .
person1@192.168.100.44's password:
wallpaper.jpg                                 100% 2251KB  34.6MB/s   00:00
Note:
- . (dot) means copy to the directory where we currently are.
VIII. SSH File System (SSHFS)
Installation:
sudo apt install sshfs
Next, create a local directory that will be attached to the server directory and mount it with:
sshfs ipaddress:/server_directory client_directory/
Example:
sshfs person1@192.168.100.44:/home/person1/mydir-server mydir-client/
We can watch the contents of the mounted directory, refreshed every two seconds, with:
watch ls dirName/
You can disconnect (unmount) with this command:
fusermount -u /home/dirName
IX. Improving OpenSSH Security on Cloud Instances
In this tutorial we will use Ubuntu Server.
1. Disable Root Login
Log in to the cloud instance. Open two terminal tabs, so that if something goes wrong we still have a second session open.
ssh root@ipAddress
Create a new user on the cloud instance:
adduser userName
# Add userName to the sudo group (Ubuntu)
usermod -aG sudo userName
Disable root login:
sudo nano /etc/ssh/sshd_config
# Change to
PermitRootLogin no
# Restart SSH
sudo systemctl restart ssh
2. Disable Password Authentication
Create a public and private key on the local computer:
ssh-keygen
# Enter a passphrase when prompted
Copy the public key to the cloud instance:
ssh-copy-id -i ~/.ssh/id_rsa.pub userName@ipAddress
Turn off password authentication (after confirming in the second tab that key login works):
sudo nano /etc/ssh/sshd_config
# Change to
PasswordAuthentication no
Restart SSH:
sudo systemctl restart ssh
3. Change SSH Port
Log in to the cloud instance and change the port number:
sudo nano /etc/ssh/sshd_config
# Change the default port here
Port 22
Log in to the cloud instance with:
ssh -p portNumber userName@ipAddress
# if we use SCP
scp -P portNumber
Restart SSH:
sudo systemctl restart ssh
4. Restrict Users
Log in to the cloud instance and add the line below:
sudo nano /etc/ssh/sshd_config
# Allow only this user
AllowUsers userName
Restart SSH:
sudo systemctl restart ssh
5. Restrict IP
If our IP address is static (this depends on the provider), it is highly recommended to limit which IP addresses may reach the server over SSH.
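The settings from section IV and steps 1 to 5 above are easy to get subtly wrong: sshd keywords are case-insensitive, and for each keyword sshd uses the first value it reads, so a hardening line appended below an earlier, weaker line has no effect. The following added example (not part of the original tutorial) audits an sshd_config file for those settings. It assumes the plain "Keyword value" form of the file, skips Match blocks because their settings apply only conditionally, and uses constructed sample configs; the AllowUsers entry in the hardened sample uses the USER@HOST pattern sshd supports for restricting a user to a source address.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an sshd_config file
# for the hardening settings discussed in sections IV and IX. Assumes the
# plain "Keyword value" form; Match blocks are skipped because their
# settings apply only conditionally.

# Print the effective value of KEYWORD in FILE. Keywords are
# case-insensitive, and sshd uses the FIRST value it reads for a keyword,
# so a hardening line appended below an earlier, weaker line is ignored.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*(#|$)/      { next }              # comments and blank lines
        tolower($1) == "match"    { inmatch = 1 }       # conditional block begins
        inmatch                   { next }
        tolower($1) == key        { print $2; exit }    # first occurrence wins
    ' "$2"
}

# Compare one keyword against the value we want; DEFAULT is what sshd
# assumes when the keyword is absent. Increments the global fail counter.
sshd_check() {
    file=$1 keyword=$2 want=$3 default=$4
    got=$(sshd_effective "$keyword" "$file")
    [ -n "$got" ] || got=$default
    if [ "$got" = "$want" ]; then
        echo "PASS $keyword = $got"
    else
        echo "FAIL $keyword = $got (want $want)"
        fails=$((fails + 1))
    fi
}

# Run the checks from sections IV and IX. Returns the number of failures,
# so 0 means every check passed.
sshd_audit() {
    fails=0
    sshd_check "$1" PermitRootLogin        no  prohibit-password
    sshd_check "$1" PasswordAuthentication no  yes
    sshd_check "$1" PubkeyAuthentication   yes yes
    # AllowUsers/AllowGroups have no default: absent means every account may log in.
    if [ -n "$(sshd_effective AllowUsers "$1")$(sshd_effective AllowGroups "$1")" ]; then
        echo "PASS AllowUsers/AllowGroups restricts who may log in"
    else
        echo "FAIL AllowUsers/AllowGroups not set: any account may log in"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample configs for demonstration (not from a real server).
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
# "PasswordAuthentication no" was appended below an existing "yes": it has no effect
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$tmp/hardened" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# USER@HOST patterns also restrict the source address (section IX.5)
AllowUsers azam21@203.0.113.10 rahmah93
EOF

echo "== weak ==";     sshd_audit "$tmp/weak"     || echo "failures: $?"
echo "== hardened =="; sshd_audit "$tmp/hardened" || echo "failures: $?"
rm -rf "$tmp"
```

Run it with sh on a copy of the server's /etc/ssh/sshd_config after each step; the weak sample reports three failures and the hardened sample none. On the server itself, sshd -T prints the same effective values including those from Match blocks, which this script deliberately leaves out.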
6. Troubleshooting
To see problems that occur in SSH, check the logs on the server with:
sudo cat /var/log/auth.log
# follow the log interactively; press Enter a few times
# to make a visible separator before reproducing the problem
tail -f /var/log/auth.log
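Reading auth.log by eye (section V and step 6 above) works for one failed connection, but on an Internet-facing instance the file fills with automated password guesses. The following added example (not part of the original tutorial) summarises sshd entries from auth.log: failed password attempts per source address, the addresses that exceed a threshold (candidates for the IP restriction in step 5), and the successful logins with their method, which shows whether password logins still occur after step 2. It assumes the classic syslog line format seen in section III ("Mon DD HH:MM:SS host sshd[pid]: ..."); the log lines and addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarise sshd entries in
# auth.log. Assumes the classic syslog line format
# "Mon DD HH:MM:SS host sshd[pid]: ..."; the sample log below is constructed.

# Failed password attempts per source address, most frequent first.
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i < NF; i++)
                 if ($i == "from") { count[$(i + 1)]++; break }
         }
         END { for (ip in count) printf "%d %s\n", count[ip], ip }' "$1" | sort -rn
}

# Addresses with at least THRESHOLD failures: candidates for the IP
# restriction of section IX.5 or for a firewall rule.
ssh_flag_sources() {
    ssh_failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Successful logins as "method user address", so that password logins
# can be spotted after PasswordAuthentication was meant to be disabled.
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
             for (i = 1; i < NF; i++)
                 if ($i == "from") { print $7, $9, $(i + 1); break }
         }' "$1"
}

# Constructed sample log (documentation addresses, not real hosts).
log=$(mktemp)
cat > "$log" <<'EOF'
Oct 18 01:46:10 centos-server1 sshd[1432]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 18 01:46:13 centos-server1 sshd[1432]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 18 01:46:15 centos-server1 sshd[1432]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 18 01:46:31 centos-server1 sshd[1440]: Accepted publickey for person1 from 192.168.100.10 port 50110 ssh2: ED25519 SHA256:constructedfingerprint
Oct 18 01:47:02 centos-server1 sshd[1451]: Failed password for person1 from 198.51.100.9 port 40022 ssh2
Oct 18 01:47:05 centos-server1 sshd[1451]: Accepted password for person1 from 198.51.100.9 port 40022 ssh2
EOF

echo "== failed attempts per source =="; ssh_failed_by_ip "$log"
echo "== sources with >= 3 failures =="; ssh_flag_sources "$log" 3
echo "== accepted logins ==";            ssh_accepted "$log"
rm -f "$log"
```

On a real server, point the functions at /var/log/auth.log (Ubuntu) or /var/log/secure (Red Hat) instead of the constructed file. An "Accepted password" line appearing after step 2 means the PasswordAuthentication change did not take effect, typically because sshd was not restarted or an earlier line in sshd_config still says yes.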
Bibliography
- LaCroix, Jeremy. 2019. Getting started with OpenSSH. (accessed October 19, 2020).