
I am having trouble installing openssh-server in Ubuntu. In particular, I want to know how to generate an RSA public/private key pair and the related concepts. What are the modifications to the default config files most commonly applied? How to grant root permission to log in? How to add a firewall?

rancho
  • 4,136

1 Answer


Go to terminal and type:

sudo su -
apt-get install openssh-server openssh-client

Test the installation

ps -A | grep sshd

If the output is something like this:

<some number> ?        00:00:00 sshd

Then the ssh daemon is running.

Again type in terminal;

ss -lnp | grep sshd

If the output is something like this:

0  128  :::22  :::*  users:(("sshd",16893,4))
0  128   *:22   *:*  users:(("sshd",16893,3))

Then it means that the ssh daemon is listening for incoming connections.

Now we edit the configuration file. First we make a backup of the original file.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults

Now we open the configuration file to edit it:

sudo vim /etc/ssh/sshd_config

Weak passwords are easy to guess. The best practice is to use SSH keys instead of passwords. So we disable password authentication altogether. Go to the line

#PasswordAuthentication yes

and replace it with

PasswordAuthentication no

Enabling forwarding gives more options to attackers who have already guessed passwords. So we disable it; it gives us a little security. Go to the lines

AllowTcpForwarding yes
X11Forwarding yes

and replace them with

AllowTcpForwarding no
X11Forwarding no

We can explicitly allow certain users and deny certain users to log in. For that we have to put the following lines at the bottom of the config file.

AllowUsers Fred Wilma
DenyUsers Dino Pebbles

For optimal performance of the laptop we allow two pending connections. Between the third and tenth connection the system will start randomly dropping connections, from 30% up to 100% at the tenth simultaneous connection. This can be done by the following line

MaxStartups 2:30:10

To log more error and other useful information we alter the line

LogLevel INFO

into

LogLevel VERBOSE

To scare away novice attackers we can display a banner. We remove the hash tag from the front of the line

#Banner /etc/issue.net

to make it

Banner /etc/issue.net

Then we go to terminal and type:

sudo -H gedit /etc/issue.net

Then add the notice:

***************************************************************************
                            NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government.  It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials.  Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************

If an IP address tries to connect more than 10 times in 30 seconds, all the following attempts will fail since the connections will be DROPped. The rule is added to the firewall by running a single command in terminal:

sudo ufw limit ssh

Now we save and close the config file and restart ssh by typing in terminal:

systemctl restart ssh

Next we set up SSH keys. There are two pairs of SSH keys: public and private. Public keys are present on servers and private keys are present with individuals. If someone can match his private key with the public key, only he/she can log in. Furthermore, optionally, private keys can be protected by a passphrase. Furthermore, when the keys are generated using 4096-bit encryption it is almost impossible to break them by brute force.

Step one - Create the RSA key pair:

Type in terminal

ssh-keygen -t rsa -b 4096

Here we use 64 bit encryption for more security

Step two - Store the keys and passphrase:

Follow the onscreen instructions, give the desired location for storage of keys (recommended to accept the default), opt for a passphrase, give a strong passphrase, and remember it.

The screen is something like this:

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/demo/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/demo/.ssh/id_rsa.
Your public key has been saved in /home/demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
|          .oo.   |
|         .  o.E  |
|        + .  o   |
|     . = = .     |
|      = S = .    |
|     o + = +     |
|      . o + o .  |
|           . o   |
|                 |
+-----------------+

Step three - Copy the Public Key:

Type in terminal

ssh-copy-id user@123.45.56.78

Here 123.45.56.78 is the server IP address

In case of localhost it is

ssh-copy-id user@localmachinename

The screen is something like this

The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (RSA) to the list of known hosts.
user@12.34.56.78's password: 
Now try logging into the machine, with "ssh 'user@12.34.56.78'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Now our installation is complete. To log in we need to type in terminal:

ssh username@servername

Then when prompted for the passphrase we need to provide it.

Now we enable root login on the openssh server. We first have to enable the sudo password as it is disabled in Ubuntu by default.

For that, we type in terminal the following, screen will be something like this:

sudo passwd
[sudo] password for [username]: [Type your user password and press return]
Type new UNIX password: [Type the root password you want]
Retype new UNIX password: [Retype the root password you chosen before]
passwd: password updated successfully

Now we have to edit the /etc/sudoers file.

Here we use the editor called visudo, because visudo exists for the sole purpose of editing the sudoers file.

In Ubuntu, by default, config files are opened by the nano editor. To change it, type in terminal:

sudo update-alternatives --config editor

The following screen will appear:

There are 4 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/ed             -100       manual mode
  2            /bin/nano            40        manual mode
  3            /usr/bin/vim.basic   30        manual mode
  4            /usr/bin/vim.tiny    10        manual mode

Press <enter> to keep the current choice[*], or type selection number:

Type 3 and press enter

Then type:

sudo visudo

Move to the line which reads

Defaults    env_reset

Press enter

A new line gets created above. Type:

Defaults    rootpw

Use the spacebar, not TAB.

Press Esc --> : + x --> Enter

In terminal type:

gedit /etc/ssh/sshd_config

Move to the line:

PermitRootLogin prohibit-password

and change it to

PermitRootLogin yes

Save and close

Then restart SSH

service ssh restart

Then type in terminal:

ssh-copy-id root@localmachinename

Output screen may show:

The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (RSA) to the list of known hosts.
user@12.34.56.78's password: 
Now try logging into the machine, with "ssh 'user@12.34.56.78'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.


Now we have granted private key access to root to log in. To test, type:

ssh root@localmachine

It will ask for the passphrase. The passphrase remains the same. Give it. Now root will be able to log in successfully.

Now for more security we have to add a firewall. Type:

apt install ufw

Now start it

ufw enable

Get a list of currently running processes

ufw app list

OpenSSH will be listed there. Allow it through the firewall:

ufw allow OpenSSH

Restart firewall

systemctl restart ufw

Our installation is complete.

rancho
  • 4,136
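Added example, not part of the question or of rancho's answer: a POSIX shell script that audits an sshd_config file against the settings the answer changes (PasswordAuthentication, AllowTcpForwarding, X11Forwarding, LogLevel, Banner, MaxStartups, PermitRootLogin). It encodes one sshd rule worth knowing when editing the file by hand: when a keyword appears more than once, sshd uses the first uncommented occurrence outside any Match block, so a hardened line added at the bottom of the file is silently ignored if an earlier line already sets that keyword. The function names, the two sample configurations (written to temporary files) and the PASS/FAIL report format are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit one sshd_config file against the hardening settings
# discussed in the answer. Function names and sample files are constructed.

# Print the value sshd would use for keyword $2 in file $1 (empty if unset).
# sshd keeps the FIRST uncommented occurrence of a keyword and ignores later
# duplicates; lines inside a "Match" block apply only to matching connections,
# so they are skipped here. Keywords are case-insensitive.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^#/ { next }
        { split(line, f, /[ \t]+/); k = tolower(f[1]) }
        k == "match" { inmatch = 1; next }
        inmatch { next }
        k == key {
            sub(/^[^ \t]+[ \t]*/, "", line)   # drop the keyword, keep the value
            print line
            exit
        }
    ' "$1"
}

# Print one PASS/FAIL line per check.
sshd_audit() {
    cfg=$1
    for spec in \
        "PasswordAuthentication no" \
        "AllowTcpForwarding no" \
        "X11Forwarding no" \
        "LogLevel VERBOSE" \
        "Banner /etc/issue.net" \
        "MaxStartups 2:30:10"
    do
        key=${spec%% *}
        want=${spec#* }
        got=$(sshd_effective_value "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key = $got"
        else
            echo "FAIL $key: want '$want', got '${got:-unset, compiled-in default applies}'"
        fi
    done
    # The answer sets PermitRootLogin yes; from a hardening standpoint anything
    # but "yes" passes (prohibit-password still lets root in with a key only).
    got=$(sshd_effective_value "$cfg" PermitRootLogin)
    if [ "$got" = "yes" ]; then
        echo "FAIL PermitRootLogin: 'yes' lets root log in with a password; prefer 'no' or 'prohibit-password'"
    else
        echo "PASS PermitRootLogin = ${got:-unset, prohibit-password is the default}"
    fi
}

# Number of FAIL lines for a file (0 for a fully hardened file).
sshd_audit_failures() {
    sshd_audit "$1" | grep -c '^FAIL' || true
}

# Constructed sample: an Ubuntu-style file after the answer's root-login change,
# with a hardened line hidden inside a Match block (so it does not count).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication yes
X11Forwarding yes
LogLevel INFO
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF

# Constructed sample: the settings from the answer, plus a later duplicate
# that sshd ignores because the first occurrence wins.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
PermitRootLogin prohibit-password
LogLevel VERBOSE
Banner /etc/issue.net
MaxStartups 2:30:10
AllowUsers fred wilma
# ignored by sshd: the keyword was already set above
PasswordAuthentication yes
EOF

echo "== $WEAK_CFG"; sshd_audit "$WEAK_CFG"
echo "== $HARD_CFG"; sshd_audit "$HARD_CFG"
```

The audit reads a single file. For the configuration sshd actually runs with, including drop-ins pulled in by an Include line and the compiled-in defaults for keywords the file leaves unset, compare against the output of `sshd -T` instead of the raw file.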
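A second added example, again not from the answer: with LogLevel VERBOSE in place, the authentication log is where repeated failed logins show up, which is what the answer's rate-limit rule is meant to cut off. This POSIX shell function reads sshd log lines and reports every source address that produced more failed attempts than a limit inside a trailing time window, using the figures the answer quotes (10 attempts, 30 seconds) as defaults. The log lines are constructed for the example using documentation addresses (203.0.113.5, 198.51.100.7, 192.0.2.9), and the function name, the temporary log path and the output format are this example's own.

```shell
#!/bin/sh
# Added example: flag source addresses whose failed SSH logins exceed LIMIT
# attempts inside a trailing WINDOW of seconds. Names and log lines are
# constructed for this example.

# usage: sshd_bruteforce_sources LOGFILE [LIMIT] [WINDOW]
# Prints "<ip> <timestamp of the first attempt over the limit>" per source.
sshd_bruteforce_sources() {
    awk -v limit="${2:-10}" -v window="${3:-30}" '
        # Failed password/key attempts, plus pre-auth disconnects, which is what
        # a probe looks like once PasswordAuthentication is off.
        /sshd\[[0-9]+\]: (Failed (password|publickey|none) for|Connection closed by (invalid|authenticating) user)/ {
            split($3, hms, ":")                        # syslog time HH:MM:SS
            t = hms[1] * 3600 + hms[2] * 60 + hms[3]   # seconds since midnight (no day rollover)
            ip = ""
            for (i = 2; i <= NF; i++) if ($i == "port") { ip = $(i - 1); break }
            if (ip == "") next
            n[ip]++
            ts[ip, n[ip]] = t
            c = 0                                      # attempts from ip in (t - window, t]
            for (j = n[ip]; j >= 1 && ts[ip, j] > t - window; j--) c++
            if (c > limit && !(ip in flagged)) flagged[ip] = $1 " " $2 " " $3
        }
        END { for (ip in flagged) print ip, flagged[ip] }
    ' "$1" | sort
}

# --- constructed log (documentation addresses only) ---
LOG=$(mktemp)
logline() {   # logline HH MM SS PID MESSAGE
    printf 'Mar  3 %02d:%02d:%02d bastion sshd[%d]: %s\n' "$1" "$2" "$3" "$4" "$5"
}
{
    # 203.0.113.5: 11 attempts within 20 seconds, so over the default limit
    s=0
    while [ "$s" -le 20 ]; do
        logline 10 15 "$s" $((2000 + s)) "Failed password for invalid user admin from 203.0.113.5 port $((40000 + s)) ssh2"
        s=$((s + 2))
    done
    # 198.51.100.7: 11 attempts but one every 15 seconds, never more than 2 per window
    i=0
    while [ "$i" -lt 11 ]; do
        t=$((16 * 60 + i * 15))
        logline 10 $((t / 60)) $((t % 60)) $((3000 + i)) "Connection closed by invalid user root 198.51.100.7 port $((50000 + i)) [preauth]"
        i=$((i + 1))
    done
    # 192.0.2.9: a successful key login, which is not a failure and is ignored
    logline 10 20 5 4000 "Accepted publickey for fred from 192.0.2.9 port 51234 ssh2: RSA SHA256:constructed"
} > "$LOG"

sshd_bruteforce_sources "$LOG"
```

Run against a real file (for example `sshd_bruteforce_sources /var/log/auth.log 6 30`) to see which sources a given limit and window would have caught; the timestamp printed is the attempt at which the source first went over the limit, which is the moment a firewall rate limit would have started dropping it.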