Difference between revisions of "SSH server setup"

=SSH server configuration - Authentication by Linux user login / password=
 
 
==Principle==
 
 
This is the default authentication system.
 
 
 
Every user that has a '''local account on the server''' is allowed to log in to the SSH server with that account's login / password. Nothing restricts which local accounts may use SSH, so every local password is exposed to guessing attempts; the settings below, together with [[Fail2ban#SSH_configuration]], limit the damage.
 
 
[[File:SSH server default auth.png|none|SSH default authentication system]]
 
 
 
 
==Configuration changes==
 
 
<syntaxhighlight lang="bash">
 
vim /etc/ssh/sshd_config
 
</syntaxhighlight>
 
 
 
===Protocol and password enforcement===

sshd_config has no inline comments: anything written after a directive's value is read as an extra argument and sshd reports an error, so explanations must sit on their own lines.

<syntaxhighlight lang="bash">
# Only speak SSH protocol version 2 (SSH v1 is broken). Recent OpenSSH releases
# only support v2 and treat this directive as deprecated, so it may warn or be ignored.
Protocol 2

# Refuse direct root logins; administrators log in as themselves and use su / sudo.
PermitRootLogin no

# Refuse logins to accounts whose password is empty.
PermitEmptyPasswords no
</syntaxhighlight>
 
 
 
===Login time===

<syntaxhighlight lang="bash">
# Seconds a client may take to authenticate before the unauthenticated
# connection is dropped (default: 120). A short value limits how long
# half-open connections from scanners tie up the server.
LoginGraceTime 30
</syntaxhighlight>
 
 
 
==Restart SSH server==
 
 
<syntaxhighlight lang="bash">
 
/etc/init.d/ssh restart
 
</syntaxhighlight>
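Before restarting, check what sshd will actually apply: sshd reads sshd_config with "first line wins" semantics for each keyword, matches keywords case-insensitively, and treats a trailing "# comment" as extra arguments. On the server itself, "sshd -t" validates the file and "sshd -T" prints the effective configuration. The script below is an added example, not part of the wiki page: it re-implements those parsing rules in portable sh so the checks from this section can be run offline against any sshd_config, and it flags directive lines that carry an inline comment. The sample file it audits is constructed for the demonstration; the function names (sshd_effective, sshd_check, sshd_audit, sshd_inline_comments) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit an sshd_config offline using the
# rules sshd applies when it reads the file:
#   * for each keyword the FIRST line that sets it wins (later lines are ignored),
#   * keywords are matched case-insensitively,
#   * "#" starts a comment only at the beginning of a line: no inline comments,
#   * directives after the first "Match" line are conditional, not global.
# Keywords that may legitimately repeat (Port, ListenAddress, HostKey, ...) are
# not audited here.

# Print the value sshd would use for KEYWORD in the global section of FILE.
# Prints nothing when the keyword is not set (sshd then uses its built-in default).
sshd_effective() {
    file=$1
    lkey=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$lkey" '
        /^[ \t]*(#|$)/          { next }            # comment or blank line
        { sub(/=/, " ") }                           # sshd also accepts "Keyword=value"
        tolower($1) == "match"  { exit }            # end of the global section
        tolower($1) == key      { print $2; exit }  # first match is the effective one
    ' "$file"
}

# Compare the effective value of KEYWORD with EXPECTED; the verdict goes to stderr.
sshd_check() {
    file=$1; key=$2; expected=$3
    actual=$(sshd_effective "$file" "$key")
    if [ "$actual" = "$expected" ]; then
        echo "ok    $key $actual" >&2
        return 0
    fi
    echo "FAIL  $key is '${actual:-<unset>}', want '$expected'" >&2
    return 1
}

# Directive lines with a trailing "# ...": sshd has no inline comments, so the
# "#" and the words after it are parsed as extra arguments (an error for Protocol).
sshd_inline_comments() {
    grep -n '^[[:space:]]*[^#[:space:]][^#]*#' "$1" || true
}

# Run the four checks from the section above against FILE and print the number
# of failed checks on stdout (verdicts on stderr). Always returns 0.
sshd_audit() {
    file=$1; failures=0
    for pair in "Protocol 2" "PermitRootLogin no" "PermitEmptyPasswords no" "LoginGraceTime 30"; do
        set -- $pair
        sshd_check "$file" "$1" "$2" || failures=$((failures + 1))
    done
    echo "$failures"
}

# Constructed sample (not a real host's file) showing the pitfalls the audit catches:
# root login is set twice and the later "no" does NOT win; line 4 carries an inline comment.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config, constructed for this example
Port 22
Port 2200
Protocol 2 # only use SSH v2
PermitRootLogin yes
LoginGraceTime 30
PermitEmptyPasswords no
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
}

# Demonstration on the sample; no sshd installation is needed.
tmp=$(mktemp)
write_sample_config "$tmp"
echo "failed checks: $(sshd_audit "$tmp")"
echo "lines with inline comments (rejected by sshd):"
sshd_inline_comments "$tmp"
rm -f "$tmp"
```

On the sample, the audit reports one failure (PermitRootLogin is effectively "yes" because the first occurrence wins) and lists line 4 as carrying an inline comment. Note that the value check alone would have accepted "Protocol 2 # only use SSH v2", which is why the inline-comment scan is a separate step; on a real server, "sshd -t" gives the authoritative answer.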
 
 
 
 
 
 
 
 
 

Latest revision as of 14:25, 8 August 2014

Installation

Debian and Ubuntu do not install an SSH server by default.

apt-get install ssh openssh-server



SSH server configuration

Edit the configuration file:

vim /etc/ssh/sshd_config


X11 forwarding

The three directives below are client-side options: they belong in /etc/ssh/ssh_config (or ~/.ssh/config), not in sshd_config, where sshd rejects them as bad configuration options. Uncomment and set them only where they are needed:

ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes

ForwardAgent lets the remote host use your local authentication agent, so anyone with root on that host can authenticate as you for as long as the session lasts; ForwardX11Trusted lets remote X clients bypass the X SECURITY extension, so a compromised remote application can read the keystrokes and windows of your local display. Leave both off for hosts you do not fully trust.

On the server side, enable or disable the forwarding in /etc/ssh/sshd_config:

# This server doesn't have an X server. Therefore do not forward graphical data.
X11Forwarding no


Port(s) number

You can listen on multiple ports; unlike most sshd_config directives, Port may be repeated:

Port 22
Port 2200


Security psycho mode:

# The default SSH port is 22. Moving sshd to another port makes the server less visible
# to mass scanners, but this is obscurity, not a security control: a port scan still finds
# it, so keep the authentication hardening and fail2ban in place.
# NB: if your server is hosted, the provider might need access on port 22 for maintenance purposes.
Port XXXXX


Source: https://help.ubuntu.com/community/StricterDefaults#SSH_Welcome_Banner

> To enable login messages uncomment the following line in "/etc/ssh/sshd_config"


Banner /etc/issue.net


Then, create / update the "/etc/issue.net" file:

vim /etc/issue.net


The following example is taken from the Advanced OpenSSH page:

***************************************************************************
                            NOTICE TO USERS


This computer system is the private property of its owner, whether
individual, corporate or government.  It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials.  Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.

****************************************************************************

Once this is in place, restart sshd and all users will see this warning before they get the login prompt. This will obviously not dissuade automated SSH attacks, and will potentially worsen DoS effects, but it may tip off a human attacker that the system is being looked after closely, and that they should move on to some other system on the network.


Restart SSH server

/etc/init.d/ssh restart



Security

Firewall

See Firewall INPUT filters#SSH


Fail2ban

See Fail2ban#SSH_configuration