|
|
Line 1: |
Line 1: |
| [[Category:Linux]] | | [[Category:Linux]] |
− | =Installation=
| |
− |
| |
− | By default Debian | Ubuntu doesn't include any SSH server.
| |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install ssh openssh-server
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− |
| |
− |
| |
− | =SSH server configuration=
| |
− |
| |
− |
| |
− | Edit the configuration file:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/ssh/sshd_config
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ==X11 forwarding==
| |
− |
| |
− | In the configuration file, uncomment and set:
| |
− | <syntaxhighlight lang="bash">
| |
− | ForwardAgent yes
| |
− | ForwardX11 yes
| |
− | ForwardX11Trusted yes
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | '''Enable | Disable the forwarding:'''
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | # This server doesn’t have a XServer. Therefore do not forward graphical data.
| |
− | X11Forwarding no
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ==Port(s) number==
| |
− |
| |
− | You can listen on multiple port. Just do the following:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | Port 22
| |
− | Port 2200
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | Security psycho mode:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | # The default port SSH is 22. You may want to change that port to another one so your server will be more discreet.
| |
− | # NB: if your server is hosted the provider might need access for maintenance purposes.
| |
− | Port XXXXX
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− |
| |
− | ==Banner==
| |
− |
| |
− | Source: https://help.ubuntu.com/community/StricterDefaults#SSH_Welcome_Banner
| |
− |
| |
− | > To enable login messages uncomment the following line in "/etc/ssh/sshd_config"
| |
− |
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | Banner /etc/issue.net
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | Then, create / update the "/etc/issue.net" file:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/issue.net
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− |
| |
− | The following example is taken from the Advanced OpenSSH page:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | ***************************************************************************
| |
− | NOTICE TO USERS
| |
− |
| |
− |
| |
− | This computer system is the private property of its owner, whether
| |
− | individual, corporate or government. It is for authorized use only.
| |
− | Users (authorized or unauthorized) have no explicit or implicit
| |
− | expectation of privacy.
| |
− |
| |
− | Any or all uses of this system and all files on this system may be
| |
− | intercepted, monitored, recorded, copied, audited, inspected, and
| |
− | disclosed to your employer, to authorized site, government, and law
| |
− | enforcement personnel, as well as authorized officials of government
| |
− | agencies, both domestic and foreign.
| |
− |
| |
− | By using this system, the user consents to such interception, monitoring,
| |
− | recording, copying, auditing, inspection, and disclosure at the
| |
− | discretion of such personnel or officials. Unauthorized or improper use
| |
− | of this system may result in civil and criminal penalties and
| |
− | administrative or disciplinary action, as appropriate. By continuing to
| |
− | use this system you indicate your awareness of and consent to these terms
| |
− | and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
| |
− | conditions stated in this warning.
| |
− |
| |
− | ****************************************************************************
| |
− | </syntaxhighlight>
| |
− |
| |
− | Once this is in place, restart sshd and all users will see this warning before they get the login prompt. This will obviously not dissuade automated SSH attacks, and will potentially worsen DoS effects, but it may tip off a human attacker that the system is being looked after closely, and that they should move on to some other system on the network
| |
− |
| |
− |
| |
− | ==Restart SSH server==
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/ssh restart
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− |
| |
− |
| |
− | =Security=
| |
− |
| |
− |
| |
− | ==Firewall==
| |
− |
| |
− | See [[Firewall INPUT filters#SSH]]
| |
− |
| |
− |
| |
− |
| |
− | ==Fail2ban==
| |
− |
| |
− | see [[Fail2ban#SSH_configuration]]
| |
− |
| |
− |
| |
− |
| |
| | | |
| | | |
Line 179: |
Line 44: |
| /etc/init.d/ssh restart | | /etc/init.d/ssh restart |
| </syntaxhighlight> | | </syntaxhighlight> |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− | =References=
| |
− |
| |
− |
| |
− | Source:
| |
− | * Public / private key theory: http://en.wikipedia.org/wiki/Public_Key_Cryptography
| |
− | * http://www.howtoforge.com/ssh_key_based_logins_putty
| |