Parent page: Internet and Networking >> SSH

Installing the OpenSSH Server

If you want to securely connect to your machine from a remote computer, even a computer running another operating system like Mac OS or Windows, then you need to install the following package: openssh-server.

Configuration

Once you have installed the SSH server, you will need to configure it by editing the sshd_config file in the /etc/ssh directory.

IconsPage/tip.png

sshd_config is the configuration file for the OpenSSH server. ssh_config is the configuration file for the OpenSSH client. Make sure not to get them mixed up.

First, make a backup of your sshd_config file by copying it to your home directory, or by making a read-only copy in /etc/ssh by doing: 

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults

Creating a read-only backup in /etc/ssh means you'll always be able to find a known-good configuration when you need it.

Once you've backed up your sshd_config file, you can make changes with any text editor (sudo gedit /etc/ssh/sshd_config runs the standard text editor). Once you've made your changes, you can apply them by saving the file then doing: 

sudo /etc/init.d/ssh restart

Suggested OpenSSH Server Settings

The default /etc/ssh/sshd_config which is used with Ubuntu's OpenSSH implementation is more secure than that found in many other distributions of GNU/Linux, but there are changes which can enhance this level of security even further, and those changes are suggested here. Some of these changes may not be suitable to your particular situation. Use the settings which offer the best trade-off between security, and usability for your situation.

Start sshd on a Different Listening Port

Because a lot of people with SSH servers use weak passwords, many online attackers will look for an SSH server, then start guessing passwords at random. An attacker can try thousands of passwords in an hour, and the recommended long-term solution is to disable passwords altogether. However, you can get a limited amount of security by using strong passwords, and listening for connections on a non-standard port.

Most SSH servers listen on port number 22, so most scanners only look on that port. By using a different port, you can hide your SSH server from most scanners. This is a type of "security by obscurity" - a trick that can improve your security a little bit for a little while, but which shouldn't be relied upon as your primary security system.

Using a non-standard port has another problem: you always need to tell your SSH client which non-standard port to use. See below for details on how to do this for the OpenSSH client.

To change the port that your SSH server listens on, first pick a number between 1,024 and 49,152 (Wikipedia explains why those numbers are special). Then add that port to your sshd_config file. For example, to listen to port number 2,222:

Port 2222

You can have as many Port lines as you like, but it's considered good practice to keep them all together. You should make sure to comment out (or delete) the Port line that was originally in the file, to make your server stops listening on that port. So to listen on port 2,222 only, the relevant part of your sshd_config file should look like this:

# Port 22

Port 2222

Don't forget you need to save the file, then restart your sshd, before your changes will take effect.

Logging

By default, the OpenSSH server logs to the AUTH facility of syslog, at the INFO level. It can be very informative to increase the logging level to VERBOSE for a week, then see how many spurious attempts have been made to access your computer. To increase the level, find the following line:

LogLevel INFO

and changing it to this:

LogLevel VERBOSE

Now all the details of ssh login attempts will be saved in your /var/log/auth.log file.

If you have started using a different port, or if you think your server is well-enough hidden not to need much security, it's recommended to increase your logging level, then examine your auth.log file every so often. If you find a significant number of spurious login attempts, then your computer is under attack, and you need more security.

Testing the server

Once you have configured the server, save your changes and restart it, then do: 

ssh localhost

You should be prompted to type your password, and you should get another command-line when you type your password in. If this works, then your SSH server is listening on the standard SSH port. If you have set your computer to listen on a non-standard port, then you will need to go back and comment out (or delete) a line in your configuration that reads Port 22. Otherwise, your SSH server has been configured correctly.

To leave the SSH command-line, type: 

exit

If you have set your computer to listen on a non-standard port, connect to it by doing: 

ssh -p <port-number> localhost

Remember to replace <port-number> with the port number you chose earlier on. If you are asked for a password, and get another command-line when you type it, then your SSH server has been configured correctly.

If you have a local network (such as a home or office network), try logging in from one of the other computers on your network. If nothing happens, you might need to tell your computer's firewall to allow connections on port 22 (or from the non-standard port of you chose earlier).

Finally, try logging in from another computer elsewhere on the Internet - perhaps from work (if your computer is at home) or from home (if your computer is at your work). If you can't access your computer this way, you might need to tell your router's firewall to allow connections from port 22, and might also need to configure Network Address Translation.

SSH/OpenSSH/InstallingConfiguringTesting (last edited 2013-12-13 18:43:05 by knome)