Running an openssh server and securing it
SSH (Secure Shell) is a network protocol that allows remote access to Unix/Linux/Mac machines. If you know your way around the CLI in Linux, then being able to access a machine remotely becomes very handy: anything you can do sitting at the machine, you can do over ssh. That is where openssh comes in. Every Linux machine is capable of being an ssh server (which means that it accepts connections), but not every Linux machine has it installed by default. The only difference between the desktop and server versions of Ubuntu is that the Desktop installs the GUI by default and excludes certain networking packages (like the ssh server), while the server edition does the exact opposite, based on the assumed role of each. So if you installed the desktop version of Ubuntu you simply need to open the terminal and type: sudo aptitude install openssh-server.
Once you have done that everything is set. The machine will now accept remote connections. To test it out you can type ssh localhost:
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 62:e5:19:95:18:de:c1:88:83:c2:32:7d:60:5c:10:38.
Are you sure you want to continue connecting (yes/no)?
SSH is obviously a secure protocol, but it relies on key-based authentication of the server to achieve its security. You will get this warning only the first time you log into a machine (it is machine specific, so if you use multiple machines you will get the same message once for each). You simply want to say yes. What this does is add the server's key to your ~/.ssh/known_hosts (remember ~ stands for your home directory, /home/username). If the server were ever reinstalled, its key would change. Your client machine would then give you an error stating that the keys don’t match and refuse to connect you to the server. This is the desired behaviour, because it is possible for someone to try to spoof the ssh server. A successful spoof would hand over everything you type, rendering all of the security useless. If you know nothing has changed on the server and you get this error, then don’t log on (someone is trying something malicious). If you just reinstalled the OS, or uninstalled openssh-server and reinstalled it, then the keys really are different and you will have to flush the old entry from ~/.ssh/known_hosts. In a later addition to the Command Line Primer I will go through how to edit files, but for now you would type:
The file has one line per host: the host name followed by its key. Delete that line, save the file and try ssh again.
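Finding the right line by hand gets harder once you have many hosts, and harder still if your client hashes host names (the HashKnownHosts option makes each entry look like |1|salt|hash instead of a readable name). The following is an added example, not code from the original post, that does the "delete the line" step programmatically: it matches both plain and hashed host fields, returns the cleaned file text, and also prints the MD5-style fingerprint of a key blob so you can compare it with what the server console shows. It runs on a constructed in-memory known_hosts text with made-up key blobs; to use it for real, read ~/.ssh/known_hosts into a string, pass it to remove_host() and write the result back.

```python
"""Find and remove stale host entries in a known_hosts file.

Added example, not code from the original post. The sample file below is
constructed; the base64 key blobs are made up and are not real keys.
"""
import base64
import hashlib
import hmac

# Constructed sample known_hosts (two entries, second one uses the [host]:port form).
SAMPLE_KNOWN_HOSTS = """\
localhost,127.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDfakekeyblob00
[myhost.homelinux.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDfakekeyblob01
"""


def hash_host(hostname, salt):
    """Build the hashed host field (|1|salt|hash) that OpenSSH writes when
    HashKnownHosts is on: HMAC-SHA1 of the host name keyed with a 20-byte salt,
    with both salt and digest base64-encoded."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_field_matches(field, hostname):
    """True if a comma-separated host field (plain or hashed names) names hostname."""
    for name in field.split(","):
        if name.startswith("|1|"):
            try:
                _, _, salt_b64, hash_b64 = name.split("|")
                salt = base64.b64decode(salt_b64)
            except ValueError:
                continue  # malformed hashed entry; leave it alone
            expected = hash_host(hostname, salt).split("|")[3]
            if hmac.compare_digest(expected, hash_b64):
                return True
        elif name.lower() == hostname.lower():
            return True
    return False


def remove_host(known_hosts_text, hostname):
    """Return (text with hostname's entries removed, list of removed lines)."""
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            kept.append(line)  # blank line or comment
            continue
        # A line may start with a marker such as @cert-authority; the host field follows it.
        host_field = parts[1] if parts[0].startswith("@") and len(parts) > 1 else parts[0]
        (removed if host_field_matches(host_field, hostname) else kept).append(line)
    return "".join(l + "\n" for l in kept), removed


def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint of a base64 key blob, the form the
    'RSA key fingerprint is ...' prompt shows on older OpenSSH versions."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    text, gone = remove_host(SAMPLE_KNOWN_HOSTS, "localhost")
    print("removed:", gone)
    print(text)
```

On a real file, ssh-keygen -R hostname does the same removal (and keeps a backup as known_hosts.old). Before you answer yes to the prompt on a reinstalled server, you can sit at its console and run ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub (add -E md5 on newer versions to get the colon-separated form) and compare that fingerprint with the one the prompt shows; if they differ, something is between you and the server.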
Now, obviously, you want to connect to the machine remotely. Most home setups have a modem of some sort and a router (possibly wireless) that all of your machines connect to. If that is the case, then you will have to set up your router to pass ssh traffic through to your ssh machine. What the router does is take the public IP address, given to you by the cable or DSL company, and allow multiple machines to connect out through that one IP address. It does this by assigning private IP addresses (usually 192.168.1.x). In my house I have a Netgear router and I can assign static IP addresses to machines. So for my ssh server I give it an IP of 192.168.1.3, and I configured incoming ports to forward ssh port 22 (the port that ssh uses) to 192.168.1.3. This is pretty standard stuff with most routers; check your manual to see how your router sets this up. The final thing you need is a DNS entry. Most routers support DynDNS, which automates keeping the DNS name pointing at your current public IP address. I usually pick hostname.homelinux.net. Once all of that is set up and working correctly you should be able to connect via ssh to your home machine.
Note that since the host name is different you will get the warning about accepting the host key again. That is fine; the only time you should worry is when a different key shows up for a host whose key you have already accepted.
You can even connect from Windows. Two programs will do it: PuTTY and WinSCP. PuTTY logs in via ssh and gives you the CLI; WinSCP graphically represents the folders on your Linux machine and gives you a secure way to transfer files between the two machines.
I’ll have much more to write about SSH in future posts. SSH is very powerful and useful.
Now the final part is securing your server. SSH is well known and can be hacked if you aren’t careful, just like any protocol can be hacked. There are a few very simple things that you can do to protect yourself.
1. Use secure passwords. Make sure you use upper and lower case, numbers, special characters (@#$%) and that your password is 8 characters or more. Brute-force attacks take time, and the difference between 7 and 8 characters could be years of computational cycles to hack. If your password is a dictionary word or less than 4 characters long it will take days or weeks to hack.
2. Do not use default users. If you install mysql or postgres you will probably want to use different usernames. Ubuntu by default doesn’t have a root account, you’ll want to keep it this way.
3. Keep your system up-to-date. Just like Windows has security patches so does Linux. Ubuntu will remind you of this if you are in Graphical mode. Make sure you update.
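To make the first rule concrete, here is an added example (not code from the original post) that checks a candidate password against exactly the policy above and sizes the brute-force search space, so you can see how much one extra character buys you. The word list and the guess rate used for the time estimate are constructed assumptions; swap in a real dictionary such as /usr/share/dict/words for serious use.

```python
"""Password policy check and brute-force search-space estimate.

Added example, not part of the original post. COMMON_WORDS and the guess
rate in years_to_exhaust() are made-up values for illustration only.
"""
import string

# Constructed mini dictionary standing in for a real word list.
COMMON_WORDS = {"password", "letmein", "ubuntu", "dragon", "welcome", "qwerty"}

# Character classes from the post's rule; the post lists @#$%, a few more specials are added.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set("@#$%!&*?-_"),
}


def policy_failures(password, min_length=8):
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append("no %s character" % name)
    if password.lower() in COMMON_WORDS:
        failures.append("dictionary word")
    return failures


def search_space(password):
    """Candidates an attacker must try to exhaust every string with this length
    drawn from the character classes the password actually uses."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password)


def years_to_exhaust(password, guesses_per_second=1e9):
    """Worst-case years at an assumed (constructed) guess rate."""
    return search_space(password) / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    for pw in ("password", "Abc1234", "Abc12345", "Tr0ub@dor!"):
        print("%-12s failures=%s years=%.3g" % (pw, policy_failures(pw), years_to_exhaust(pw)))
```

Note that search_space() only counts classes the password really uses: a password made of lower-case letters alone has 26 choices per position, so adding an upper-case letter or a digit widens every position, not just the one you changed.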
Now I was reminded of security today when I checked my auth logs to discover that I was being pounded by failed SSH attempts to connect to my machine. It was a little worrisome, as my machine had only been online for 12 hours and I already had thousands of attempts. I discovered a great tool that should help fix the problem automatically for me. DenyHosts is a great tool to automatically deny hosts with more than 5 failed login attempts. Installing it is as simple as sudo aptitude install denyhosts. The default configuration works perfectly, but if you want to edit the config you can do so at /etc/denyhosts.conf.
Tomorrow I’ll give you some neat tricks you can do with SSH.
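To see what DenyHosts is doing under the hood, here is an added example (not the project's code and not from the original post) that runs the same idea over a handful of constructed auth.log lines: it counts "Failed password" entries per source address, lists which user names each address tried, and renders the addresses that pass the post's threshold of more than 5 failures in the /etc/hosts.deny syntax that DenyHosts maintains. The allow-list parameter is an assumption of this example, added so that a fat-fingered login from your own LAN does not lock you out of your own server.

```python
"""Count failed ssh logins per source address, DenyHosts style.

Added example, not part of the original post or of DenyHosts itself.
SAMPLE_AUTH_LOG is constructed; the addresses are documentation ranges.
"""
import re
from collections import Counter, defaultdict

SAMPLE_AUTH_LOG = """\
Mar  3 01:02:11 homebox sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 01:02:14 homebox sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar  3 01:02:17 homebox sshd[2105]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  3 01:02:20 homebox sshd[2107]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar  3 01:02:23 homebox sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 51266 ssh2
Mar  3 01:02:26 homebox sshd[2111]: Failed password for invalid user guest from 203.0.113.5 port 51271 ssh2
Mar  3 01:10:02 homebox sshd[2150]: Failed password for root from 198.51.100.7 port 40011 ssh2
Mar  3 01:10:05 homebox sshd[2152]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar  3 07:30:01 homebox sshd[2300]: Failed password for bob from 192.168.1.2 port 50001 ssh2
Mar  3 07:30:04 homebox sshd[2300]: Failed password for bob from 192.168.1.2 port 50001 ssh2
Mar  3 07:30:07 homebox sshd[2300]: Failed password for bob from 192.168.1.2 port 50001 ssh2
Mar  3 07:30:10 homebox sshd[2302]: Failed password for bob from 192.168.1.2 port 50002 ssh2
Mar  3 07:30:13 homebox sshd[2302]: Failed password for bob from 192.168.1.2 port 50002 ssh2
Mar  3 07:30:16 homebox sshd[2302]: Failed password for bob from 192.168.1.2 port 50002 ssh2
Mar  3 07:30:20 homebox sshd[2304]: Accepted password for bob from 192.168.1.2 port 50003 ssh2
Mar  3 07:31:00 homebox CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# sshd logs failures for unknown accounts as "invalid user NAME"; the optional group absorbs that.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def failed_attempts(log_text):
    """Return (Counter of failures per source IP, dict of IP -> set of user names tried)."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return counts, users


def hosts_to_deny(log_text, threshold=5, allow=()):
    """Addresses with more than `threshold` failures, minus an allow-list (e.g. your LAN)."""
    counts, _ = failed_attempts(log_text)
    return sorted(ip for ip, n in counts.items() if n > threshold and ip not in allow)


def hosts_deny_lines(ips):
    """Render block entries in /etc/hosts.deny syntax, the file DenyHosts writes to."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    counts, users = failed_attempts(SAMPLE_AUTH_LOG)
    for ip, n in counts.most_common():
        print("%-15s %2d failures, users tried: %s" % (ip, n, ", ".join(sorted(users[ip]))))
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_AUTH_LOG, allow=("192.168.1.2",)))))
```

The user-name set is the useful signal when reading your own logs: a handful of failures for your real account from your LAN is a typo, while a run of admin, oracle, test and guest from one outside address is a scanner, and that is the pattern DenyHosts blocks for you. On a real system feed the function the contents of /var/log/auth.log (the file Ubuntu writes sshd messages to).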