{"id":225,"date":"2020-04-20T05:09:45","date_gmt":"2020-04-20T05:09:45","guid":{"rendered":"http:\/\/shresthabrijan.com.np\/?p=225"},"modified":"2020-04-20T05:10:43","modified_gmt":"2020-04-20T05:10:43","slug":"ssh-in-linux","status":"publish","type":"post","link":"https:\/\/shresthabrijan.com.np\/?p=225","title":{"rendered":"SSH in linux"},"content":{"rendered":"\n<p>SSH, an abbreviation of Secure Shell, is a protocol used to secure communication between two devices over an insecure network channel. It supports a wide range of encryption technology including custom made ones.<\/p>\n\n\n\n<p>An SSH server is an application which uses the SSH protocol to establish connections from remote clients. There are different options available for an ssh server, but OpenSSH, an abbreviation for OpenBSD Secure Shell, which was developed by OpenBSD developers and is distributed under an open source license, is the most popular and widely used ssh server on Linux.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About config<\/h2>\n\n\n\n<p>One should note that after successful installation of an SSH server, there are two main config files under the main ssh config directory, namely ssh_config and sshd_config. The two files hold the client and server settings respectively.<\/p>\n\n\n\n<p>sshd_config: Settings defined in this file are used as defaults by the ssh server running on the host. For example, if the non-default port 2233 is defined in the file, the ssh server will listen only on that port for connections from clients.<\/p>\n\n\n\n<p>ssh_config: Entries in this file are used as defaults by the ssh client for any remote connection. For example, if port 2211 is defined for ssh in this file, any new connection to a remote ssh server will be initiated on port 2211 by default.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Securing SSH server<\/h2>\n\n\n\n<p>There are a bunch of measures one can take for hardening SSH server security. 
<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Disable root access<\/h5>\n\n\n\n<p>It is no surprise that an ssh server accepting connections in the wild, i.e. the internet, is hit by a number of uninvited guests, human or bot. As a result, allowing access to the omnipresent Linux superuser account <em>root<\/em> is a disaster waiting to happen, just one password crack away. This can be prevented by disabling root user access to the ssh server and using a non-default user to log in and later switch to root. This is done by setting the following parameter in the ssh server config file, sshd_config:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PermitRootLogin no<\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Use non-default port<\/h5>\n\n\n\n<p>Just as there is a default user, the ssh server listens on the default port 22 unless defined otherwise. Anyone trying to hit an ssh server will make their first attempt on the default port 22, so it is good practice to use a non-default port for ssh connections. This can be defined using the following parameter:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Port 2233<\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Disable empty password<\/h5>\n\n\n\n<p>Using an empty password should be completely discouraged for obvious reasons, and this can be enforced by setting the following value:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PermitEmptyPasswords no<\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Enforce IP based access<\/h5>\n\n\n\n<p>This is a robust method to secure an ssh server. By defining this parameter, all connection requests from IPs except the ones defined are dropped by the ssh server. This can be implemented by defining the value as follows:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ListenAddress 1.2.3.4<\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Use passwordless login<\/h5>\n\n\n\n<p>SSH supports login using the public-private key authentication method. 
The following steps can be used to set up ssh keys for a connection:<\/p>\n\n\n\n<p>On the client machine, run:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ ssh-keygen\nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/&lt;username>\/.ssh\/id_rsa):<\/pre>\n\n\n\n<p>After running the command, the tool will ask for the location to save the keys, which will be stored in the ~\/.ssh directory. This will generate the private key, id_rsa, and the public key, id_rsa.pub. It will also ask whether you want to use a passphrase for authentication; if one is provided, you will be asked for the passphrase on every login attempt.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Enter passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved in \/home\/infokonn\/.ssh\/id_rsa.\nYour public key has been saved in \/home\/infokonn\/.ssh\/id_rsa.pub.\nThe key fingerprint is:\nSHA256:8OVEF6bnTZ5XGRD9i1efr4kNxVSmHJju6Q7oWbURZlQ infokonn@helpdesk.infokonn.com\nThe key's randomart image is:\n+---[RSA 2048]----+\n| . =BE.o|\n| . =o. *o|\n| . +.= =.o|\n| o + =.B .+|\n| S ..+.B *|\n| . .o= =.|\n| . o.o . .|\n| . o ..+ ..|\n| o .o +. 
|\n+----[SHA256]-----+<\/pre>\n\n\n\n<p>If you list the files in that location, you will find the two keys:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ ls .ssh\nid_rsa id_rsa.pub<\/pre>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>Copy public key to ssh server<\/strong><\/h6>\n\n\n\n<p>After successful key generation, the public key should be copied to the ssh server&#8217;s key directory, usually .ssh, as authorized_keys:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ scp ~\/.ssh\/id_rsa.pub user@ssh-server:~\/.ssh\/authorized_keys<\/pre>\n\n\n\n<p>This can also be done using the ssh-copy-id utility, which appends the key to authorized_keys rather than replacing the file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ ssh-copy-id user@ssh-server<\/pre>\n\n\n\n<p>After this, try logging in to the ssh server and you will be able to log in without a password, or using the passphrase if you set one.<\/p>\n\n\n\n<p>Since you don&#8217;t need to enter a password anymore, disable password authentication so that in future you can log in using just the keys or passphrase, by setting the following value in the ssh configuration:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PasswordAuthentication no<\/pre>\n\n\n\n<p>Finally, restart the ssh server after making changes to the configuration files so that the new settings will be applied.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SSH, an abbreviation of Secure Shell, is a protocol used to secure communication between two devices in an insecure network channel. It supports a wide range of encryption technology including custom made ones. SSH server is an application which uses SSH protocol to establish connection from remote clients. 
There are different options available for ssh [&hellip;]<\/p>\n<div class=\"read-more\"><a href=\"https:\/\/shresthabrijan.com.np\/?p=225\" class=\"btn btn-primary btn-lg\">Read More<\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-225","post","type-post","status-publish","format-standard","hentry","category-system-administration"],"_links":{"self":[{"href":"https:\/\/shresthabrijan.com.np\/index.php?rest_route=\/wp\/v2\/posts\/225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shresthabrijan.com.np\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shresthabrijan.com.np\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shresthabrijan.com.np\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shresthabrijan.com.np\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=225"}],"version-history":[{"count":3,"href":"https:\/\/shresthabrijan.com.np\/index.php?rest_route=\/wp\/v2\/posts\/225\/revisions"}],"predecessor-version":[{"id":228,"href":"https:\/\/shresthabrijan.com.np\/index.php?rest_route=\/wp\/v2\/posts\/225\/revisions\/228"}],"wp:attachment":[{"href":"https:\/\/shresthabrijan.com.np\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shresthabrijan.com.np\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shresthabrijan.com.np\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}