Let's install OpenSSH!
During this tutorial we will work as the root user.
root@debian:~# apt-get install openssh-server -y
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Les paquets supplémentaires suivants seront installés :
openssh-client openssh-sftp-server
Paquets suggérés :
keychain libpam-ssh monkeysphere ssh-askpass molly-guard rssh
Les NOUVEAUX paquets suivants seront installés :
openssh-client openssh-server openssh-sftp-server
0 mis à jour, 3 nouvellement installés, 0 à enlever et 1 non mis à jour.
Il est nécessaire de prendre 0 o/1 179 ko dans les archives.
Après cette opération, 5 240 ko d'espace disque supplémentaires seront utilisés.
Préconfiguration des paquets...
Sélection du paquet openssh-client précédemment désélectionné.
(Lecture de la base de données... 140302 fichiers et répertoires déjà installés.)
Préparation du dépaquetage de .../openssh-client_1%3a7.9p1-10+deb10u2_amd64.deb ...
Dépaquetage de openssh-client (1:7.9p1-10+deb10u2) ...
Sélection du paquet openssh-sftp-server précédemment désélectionné.
Préparation du dépaquetage de .../openssh-sftp-server_1%3a7.9p1-10+deb10u2_amd64.deb ...
Dépaquetage de openssh-sftp-server (1:7.9p1-10+deb10u2) ...
Sélection du paquet openssh-server précédemment désélectionné.
Préparation du dépaquetage de .../openssh-server_1%3a7.9p1-10+deb10u2_amd64.deb ...
Dépaquetage de openssh-server (1:7.9p1-10+deb10u2) ...
Paramétrage de openssh-client (1:7.9p1-10+deb10u2) ...
Paramétrage de openssh-sftp-server (1:7.9p1-10+deb10u2) ...
Paramétrage de openssh-server (1:7.9p1-10+deb10u2) ...
Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
2048 SHA256:2VoJzyPtvWJJzN9h0q1AdNEEUHs3YeXDkkCT+u1aTaU root@debian (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:l0gl+5ceKTFEiCOYR7HMMVQrqDZe0H23Ew5fW6UuJp0 root@debian (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:EgRoWlK5PZH1keDWeuG62C8ea7U7lp4QMBEvG5OhXE8 root@debian (ED25519)
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
rescue-ssh.target is a disabled or a static unit, not starting it.
Traitement des actions différées (« triggers ») pour systemd (241-7~deb10u7) ...
Traitement des actions différées (« triggers ») pour man-db (2.8.5-2) ...
Traitement des actions différées (« triggers ») pour ufw (0.36-1) ...
Enable ssh so that it starts when Debian boots
root@debian:~# systemctl enable ssh.service
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
root@debian:~#
Change the SSH port number and disable root login
Open /etc/ssh/sshd_config
root@debian:~# nano /etc/ssh/sshd_config
Uncomment Port and set it to 2222, then uncomment PermitRootLogin and set it to no. ssh will now listen on port 2222 and root login will be disabled.
Restart ssh.service
root@debian:~# systemctl restart ssh.service
root@debian:~#
Open the port in the Debian firewall (iptables), INPUT chain
INPUT
iptables -A INPUT -p tcp -m state --state NEW --dport 2222 -j ACCEPT
- -A means append the rule to a chain: INPUT, OUTPUT or FORWARD
- INPUT is the chain for incoming connections
- -p means protocol, in this case tcp
- -m loads a match module that the rule requires
- state is the module loaded here
- --state is the connection state to match; for example NEW means a new connection is being initiated
- --dport specifies the destination port to open
- -j jumps to the specified target (here ACCEPT) when a packet matches the rule
Open the port in the Debian firewall (iptables), OUTPUT chain
OUTPUT
Same as above, but OUTPUT is the chain for outgoing connections; we have to accept both INPUT and OUTPUT.
iptables -A OUTPUT -p tcp -m state --state NEW --dport 2222 -j ACCEPT
Note that this OUTPUT rule matches new connections that the server itself opens towards port 2222. The server's replies to incoming ssh sessions are in the ESTABLISHED state, so if your OUTPUT policy is DROP you also need a rule accepting ESTABLISHED,RELATED traffic.
Display the listening ports with netstat to check that port 2222 is open
root@debian:~# netstat -lntup
Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat PID/Program name
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 5827/sshd
tcp6 0 0 :::2222 :::* LISTEN 5827/sshd
You can see tcp6 displayed as well: that is tcp over IPv6. Port 2222 is open.
Install iptables-persistent
To make sure our rules survive a reboot of the ssh server.
apt-get install iptables-persistent
A prompt should appear asking whether to save the current rules. If it does not appear, don't panic: here is how to write the rules into the right folder.
If you did not get this prompt, run this command to save the current rules into the right file:
iptables-save > /etc/iptables/rules.v4
- > redirects the output of "iptables-save" into /etc/iptables/rules.v4
Move to the client side and try to connect
We will try to connect to our ssh server locally via PuTTY; you can also use a cmd on Windows or a terminal on Linux, you just need an ssh client.
Enter the IP of your server, in my case 192.168.1.16, and remember that we use port 2222, not 22!
I did not specify the username, so as to try to connect with the root user and check that everything is fine :)
To connect with a username you can use this syntax:
=> username@ipaddress
Click on 'Open'
You should see this page: PuTTY warns us because it does not yet know the server's host key, so it cannot tell whether the server is a trusted one. In our case we are sure because it is on our local network. We will discuss RSA keys in a later step to secure our connection method.
Press "Yes"
So we try to log in with the root user to check that everything is working: as you can see, access is denied for the root user. We did a great job, didn't we?
Now let's try with the default user, in my case "debian".
Everything is good!
Set up a banner
Open the ssh configuration file /etc/ssh/sshd_config
Go to the end of the file and, under #Banner none,
type Banner=/etc/banner.txt
This is the path of the banner file we are going to create.
Now go to /etc/ and create the banner .txt file; this command moves into the directory and creates the file in one go:
root@debian:~# cd /etc/ && nano banner.txt
Our .txt file is empty, so let's put something inside. You can write whatever you want, a disclaimer for example, or something funny.
Now reload the ssh service
root@debian:~# systemctl reload ssh
Back on the client side!
You should now see your banner.
Secure the login method of our ssh server
First we will set up an RSA key; in my case the client is on Windows.
This is particularly important if the computer is visible on the Internet (which is the goal). Using keys for authentication is also convenient, as you will not need to enter a password anymore. Once public/private key-pair authentication has been configured on the server, you can completely disable password authentication; this means that no one without an authorized key will be able to gain access.
Let's fire up a CMD and type this command to generate the key:
ssh-keygen -t rsa
The output should look like this:
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\myuser/.ssh/id_rsa):
At this point press Enter and the keys will be saved in the hidden .ssh folder. You can see my path above.
Then a message asks you to enter a passphrase, which is the password that unlocks your key each time you connect. It is your choice whether to protect your key with a passphrase when you create it. If you prefer not to use one, simply press Enter when asked for the passphrase. Be aware that if you do not passphrase-protect your key, anyone gaining access to your local machine will automatically have SSH access to the remote server.
A passphrase gives you more security, but you can leave it empty because the main goal here is not to have to type a password when logging into our ssh server.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Now you get this message: the keys have been generated
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\myuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\myuser/.ssh/id_rsa.
Your public key has been saved in C:\Users\myuser/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:18DBPVY11kKvnt06puchvFAHnTWaRMNyqR7jtGrHh7g myuser@LAPTOP-4UEGVR8L
The key's randomart image is:
+---[RSA 2048]----+
| ...o*+=+|
| ..o==*++|
| o.=+o..|
| B . . |
| S = * o |
| . * o o.|
| = + + o|
| + = ++o |
| .Eo +=o. |
+----[SHA256]-----+
- id_rsa is your private key
- id_rsa.pub is your public key
BACK ON THE SSH SERVER
First we have to allow login via public key; let's change this in /etc/ssh/sshd_config
nano /etc/ssh/sshd_config
Uncomment "PubkeyAuthentication yes" and close the file
Now we have to create a folder for the authorized keys and put our id_rsa.pub key inside it.
The authorized_keys file lives in the .ssh folder of your home directory. sshd (with its default StrictModes yes) ignores the file if .ssh or authorized_keys is writable by other users, so keep them at mode 700 and 600 respectively.
We have to create a file in the .ssh folder named "authorized_keys":
mkdir -p /home/debian/.ssh && cd /home/debian/.ssh && nano authorized_keys
Now copy the id_rsa.pub key that was saved on your Windows machine, mine was in C:\Users\myuser\.ssh: open id_rsa.pub with Notepad++ for example. /!\ The key has to be on a single line /!\
Like this:
Then paste it into the authorized_keys file we created above
The file should look like this:
Close the file and reload the ssh service
systemctl reload ssh.service
BACK ON THE CLIENT SIDE
Remember, we created the keys via cmd, so let's open a cmd!
We can now try to connect; the ssh server will let us in because it now knows our id_rsa.pub key.
Go to the folder where your id_rsa and id_rsa.pub keys were saved, for me C:\Users\myuser\.ssh
Type this command to connect to the ssh server:
C:\Users\myuser\.ssh>ssh debian@192.168.1.16 -p 2222
You can see that we do not need to type a password, thanks to the RSA key!
Set up ssh keys with PuTTYgen
This method is quite simple.
Open PuTTYgen, or download it here: https://www.puttygen.com/
Open it and click on Generate:
MOVE YOUR MOUSE!! This gathers randomness to generate the keys.
Copy the RSA public key and save your private key in a folder.
Paste the public key into the server file as above; you can follow the same steps with /home/youruser/.ssh/authorized_keys like we did before.
CONNECT WITH PUTTY
Open PuTTY
Go to SSH => Auth
Click on "Browse" and select your private key
Go to "Data"
Specify your auto-login username, in my case "debian"
Go back to Session
Enter the host name and the port
Enter a session name and save it. It is very useful because you then just have to double-click to be logged in to your ssh server!
And now try it
Everything is working fine!
Secure our ssh server
Now that we have set up our ssh keys, we can disable login via password. I think you already know the path of the file to change :)
Uncomment PasswordAuthentication and set it to no
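All the sshd_config edits made by hand in this tutorial (Port, PermitRootLogin, Banner, PubkeyAuthentication and PasswordAuthentication), gathered into one shell script as an added example; it is not part of the original post. set_directive, harden_sshd and get_directive are helper names I chose, and the sample file is a constructed stand-in for Debian's real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): apply every sshd_config
# change the tutorial makes by hand, in one idempotent pass.
# set_directive FILE KEY VALUE drops every existing line for KEY, whether
# commented ("#Port 22") or active ("Port 22"), then appends "KEY VALUE",
# so the file ends up with exactly one active setting for that key.
set_directive() {
    file="$1"; key="$2"; value="$3"; tmp="$file.tmp"
    grep -v -i -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|=|\$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# harden_sshd FILE: the settings from the "change port", "banner",
# "pubkey" and "disable password login" steps of the tutorial.
harden_sshd() {
    set_directive "$1" Port 2222
    set_directive "$1" PermitRootLogin no
    set_directive "$1" Banner /etc/banner.txt
    set_directive "$1" PubkeyAuthentication yes
    # Only after a key in authorized_keys has been tested, or you lock yourself out.
    set_directive "$1" PasswordAuthentication no
}

# get_directive FILE KEY prints the active value of KEY (comments ignored).
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Constructed sample resembling Debian's default file (not the real one);
# in production, point harden_sshd at /etc/ssh/sshd_config and run
# "sshd -t" to validate the result before "systemctl restart ssh".
make_sample() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication yes
#Banner none
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Stand-alone run: harden a copy of the sample and show the result.
f=$(mktemp); make_sample "$f"; harden_sshd "$f"; cat "$f"; rm -f "$f"
```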
Install Fail2Ban
apt-get install fail2ban -y
Go to the fail2ban folder and copy the configuration, so that in case of a problem our configuration will not be deleted.
We create a jail.local file
cd /etc/fail2ban/ && cp jail.conf jail.local
Do the same for fail2ban.local
cp fail2ban.conf fail2ban.local
Edit the jail.local file
nano jail.local
You can choose different values:
- bantime = 1d: the host will be banned for one day
- findtime = 10m: failures are counted over a ten-minute window
- maxretry = 5: the host can fail to log in 5 times before being banned
- enabled = true: enables the sshd jail
- port = 2222: defines the port
- logpath = /var/log/auth.log: defines the log path
- backend = %(sshd_backend)s: the engine that monitors the logs
You can now reload fail2ban.service
systemctl reload fail2ban.service
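To show what the maxretry value above actually decides, here is the counting logic of the sshd jail run over constructed auth.log lines; this is an added example, not part of the original post or of fail2ban itself. The offenders and sample_log names are my own, and the findtime window is simplified to the lines supplied.

```shell
#!/bin/sh
# Added example (not from the original post): the counting logic behind
# fail2ban's sshd jail, run over constructed auth.log lines. It reports
# each source IP that has reached MAXRETRY failed logins (the tutorial's
# maxretry = 5). The findtime window is assumed to be "the lines you feed
# in"; real fail2ban also forgets failures older than findtime.
MAXRETRY=5

# offenders < auth.log  ->  prints "IP count" for every IP at or above MAXRETRY
offenders() {
    awk -v max="$MAXRETRY" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the token right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# Constructed sample log using RFC 5737 documentation addresses (not real hosts):
# five failures from one source, one failure plus a key login from another.
sample_log() {
    cat <<'EOF'
Mar  1 12:00:01 debian sshd[5827]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 12:00:03 debian sshd[5827]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  1 12:00:05 debian sshd[5827]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Mar  1 12:00:07 debian sshd[5827]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar  1 12:00:09 debian sshd[5827]: Failed password for debian from 203.0.113.5 port 51242 ssh2
Mar  1 12:01:00 debian sshd[5830]: Failed password for debian from 198.51.100.7 port 40000 ssh2
Mar  1 12:01:30 debian sshd[5831]: Accepted publickey for debian from 198.51.100.7 port 40002 ssh2: RSA SHA256:EXAMPLE
EOF
}

# Stand-alone run; against the live server use: offenders < /var/log/auth.log
sample_log | offenders
```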
Check the status of the jails; if in the future you set up multiple services, they will be displayed here
root@debian:/etc/fail2ban# fail2ban-client status
This is the output
root@debian:/etc/fail2ban# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
root@debian:/etc/fail2ban#
The jail on the sshd service is working!
Log files are stored in:
/var/log/auth.log
/var/log/fail2ban.log
If you want to unban an IP:
fail2ban-client set sshd unbanip <ip-to-unban>
Open the port on the router to access it over the Internet
Go to the IP address of your router, mine is 192.168.1.1
Choose:
- Secure Shell Server
- 2222 for the ports
- TCP
- the name of your server (I used my Debian computer)
- External IP: choose all of them or specify one
If you face a problem you can send me a message!
Signed, Alix.