How to install/secure openssh-server on linux & more

Yoplux
11 min readApr 23, 2021

--

Let’s install openssh !

During this tutorial we will work with the ROOT user

root@debian:~# apt-get install openssh-server -y
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Les paquets supplémentaires suivants seront installés :
openssh-client openssh-sftp-server
Paquets suggérés :
keychain libpam-ssh monkeysphere ssh-askpass molly-guard rssh
Les NOUVEAUX paquets suivants seront installés :
openssh-client openssh-server openssh-sftp-server
0 mis à jour, 3 nouvellement installés, 0 à enlever et 1 non mis à jour.
Il est nécessaire de prendre 0 o/1 179 ko dans les archives.
Après cette opération, 5 240 ko d'espace disque supplémentaires seront utilisés.
Préconfiguration des paquets...
Sélection du paquet openssh-client précédemment désélectionné.
(Lecture de la base de données... 140302 fichiers et répertoires déjà installés.)
Préparation du dépaquetage de .../openssh-client_1%3a7.9p1-10+deb10u2_amd64.deb ...
Dépaquetage de openssh-client (1:7.9p1-10+deb10u2) ...
Sélection du paquet openssh-sftp-server précédemment désélectionné.
Préparation du dépaquetage de .../openssh-sftp-server_1%3a7.9p1-10+deb10u2_amd64.deb ...
Dépaquetage de openssh-sftp-server (1:7.9p1-10+deb10u2) ...
Sélection du paquet openssh-server précédemment désélectionné.
Préparation du dépaquetage de .../openssh-server_1%3a7.9p1-10+deb10u2_amd64.deb ...
Dépaquetage de openssh-server (1:7.9p1-10+deb10u2) ...
Paramétrage de openssh-client (1:7.9p1-10+deb10u2) ...
Paramétrage de openssh-sftp-server (1:7.9p1-10+deb10u2) ...
Paramétrage de openssh-server (1:7.9p1-10+deb10u2) ...
Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
2048 SHA256:2VoJzyPtvWJJzN9h0q1AdNEEUHs3YeXDkkCT+u1aTaU root@debian (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:l0gl+5ceKTFEiCOYR7HMMVQrqDZe0H23Ew5fW6UuJp0 root@debian (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:EgRoWlK5PZH1keDWeuG62C8ea7U7lp4QMBEvG5OhXE8 root@debian (ED25519)
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
rescue-ssh.target is a disabled or a static unit, not starting it.
Traitement des actions différées (« triggers ») pour systemd (241-7~deb10u7) ...
Traitement des actions différées (« triggers ») pour man-db (2.8.5-2) ...
Traitement des actions différées (« triggers ») pour ufw (0.36-1) ...

Enable ssh to start while debian booting

root@debian:~# systemctl enable ssh.service
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
root@debian:~#

Change port number of SSH and disable root login

Go into /etc/ssh/sshd_config

root@debian:~# nano /etc/ssh/sshd_config

Uncomment Port and add 2222, uncomment PermitRootLogin and add no after it, ssh will be running on port 2222 and the RootLogin will be disable

Restart ssh.service

root@debian:~# systemctl restart ssh.service
root@debian:~#

Open the port in the firewall of debian ( iptables ) INPUT

INPUT

iptables -A INPUT -p tcp -m state --state NEW --dport 2222 -j ACCEPT
  • -A Mean append to chain, OUTPUT, INPUT or FORWARD
  • - INPUT Mean incoming connections
  • - p Mean protocol, in this case we use tcp
  • - m to load modules that is required
  • state is a module
  • - -state is a state of connections, for example (NEW), mean that a new connections is initate
  • - -dport to specify the port to open
  • - j Jumps to the specified target when a packet matches a particular rule

Open the port in the firewall of debian ( iptables ) OUTPUT

OUTPUT

Same as above but OUTPUT mean outcoming connections, we have to accept INTPUT and OUTPUT

iptables -A OUTPUT -p tcp -m state --state NEW --dport 2222 -j ACCEPT

Display open port with netstat to see if 2222 port is open

root@debian:~# netstat -lntup
Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat PID/Program name
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 5827/sshd
tcp6 0 0 :::2222 :::* LISTEN 5827/sshd

You can see tcp6 is display, it is tcp over ipv6, 2222 port is open.

Install iptables-persistent

To be sure that our rules will be persistent if we need to restart our ssh server.

apt-get install iptables-persistent

A message should pop up, if the message do not pop up i explain you how to register the rules into the good folder don’t panic.

If you do not have this message you can do this command to save the output into the good folder !

iptables-save > /etc/iptables/rules.v4
  • > Will redirect the ouput of “iptables-save” into /etc/iptables/rules.v4

Move to the client side to try to connect to it

We will try to connect to our ssh server localy via Putty, you can use a cmd on windows or linux, you just need a client.

Write the ip of your server, in my case it’s 192.168.1.16, remember we use the port 2222, not the 22 !

I did not specify the username to try to connect with the root user just to be sure that everthing is fine :)

To connect with the username you can use this synthax

=> username@ipaddress

Click on ‘open’

You should see this page, putty warn us because we did dont know if the server is a trusted one, but in our case we are sure because it’s on our local network, we will discuss about RSA key in a next step to secure our connection mode.

Press “YES”

So we can try to log with the ROOT user to be sure that everything is working fine, how you can see the access is denied for the ROOT user, we did a great job nah ?

Now let’s try it with the default user, in my case it’s “debian”

Everything is good !

Setup a banner

Go to the configuration folder of ssh /etc/ssh/sshd_config

Go to the end of the file and under #Banner none

Type Banner=/etc/banner.txt

This is the directory where we will create our banner.

Now we go to /etc/ and create our .txt banner file we can use this command to directly be in the directory and create our .txt file

root@debian:~# cd /etc/ && nano banner.txt

Our .txt file is empty, let put something inside, you can put what ever you want, a disclaimer for example or funny things.

Now reload ssh service

root@debian:~# systemctl reload ssh

Back on the client side !

You should see your banner now.

Secure the login method of our ssh server

First we will setup and RSA key, in my case the client is on “windows”

This is particularly important if the computer is visible on the Internet (this is the goal ). Using encrypted keys for authentication is useful as you won’t need to enter a password anymore. Once the public/private key-pair authentication has been configured on the server, you can completely disable password authentication; this means that no one without an authorized key will be able to gain access.

Let’s fire up a CMD and type this command to generate the key.

ssh-keygen -t rsa

The output should look like this

Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\myuser/.ssh/id_rsa):

At this moment you have to press enter and keys key will be save in the .ssh hiden folder. You can see my path below.

Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\myuser/.ssh/id_rsa):

Then a message ask you to enter a passphrase which is your password to unlock a given public key each time you connect. It is your choice to add a passphrase protective encryption to your key when you create it. If you prefer not to use one, simply press Enter when asked for the passphrase when creating your key pair. Be aware that if you do not passphrase protect your key, anyone gaining access to your local machine will automatically have SSH access to the remote server.

If you put a password you will have more security, but you can leave it empty beaucause the main goal here is to do not have to type a password while log into our ssh server.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Now you have this message, keys has been generated

Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\myuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\myuser/.ssh/id_rsa.
Your public key has been saved in C:\Users\myuser/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:18DBPVY11kKvnt06puchvFAHnTWaRMNyqR7jtGrHh7g myuser@LAPTOP-4UEGVR8L
The key's randomart image is:
+---[RSA 2048]----+
| ...o*+=+|
| ..o==*++|
| o.=+o..|
| B . . |
| S = * o |
| . * o o.|
| = + + o|
| + = ++o |
| .Eo +=o. |
+----[SHA256]-----+
  • The id_rsa is your private key
  • The d_rsa.pub is your public key

BACK ON THE SSH SERVER

First we have to authorize the log in via PubKey, let change this into the /etc/ssh/sshd_config

nano /etc/ssh/sshd_config

Uncomment the “PubkeyAuthentication yes” and close the file

Now, we have to create a folder to put authorized keys in it, so we put our key inside of it, the id_rsa.pub key

The authorized_keys will be register in the .ssh folder in your home directory

We have to create a file in the .ssh folder, name it “authorized_keys

cd /home/debian/.ssh && nano authorized_keys

Now copy the id_rsa.pub key that was register on your windows machine, mine was in the C:\Users\myuser\.ssh : Open the id_rsa.pub key with notepad++ for example /!\The key have to be on a single line /!\

Like this :

Then past it into the authorized_keys file we created above

The file should look like this :

Close the file and reload ssh service

sytemctl reload ssh.service

BACK ON THE CLIENT SIDE

Remember we created the keys via cmd, so let’s open a cmd !

We can now try to connect, the ssh server will let us enter because he now our id_rsa.pub key

Go in the path where your id_rsa.pub and id_rsa keys has been registered, for me that was in C:\Users\myuser\.ssh

Type this command to connect to the ssh server :

C:\Users\myuser\.ssh>ssh debian@192.168.1.16 -p 2222

You can see that we do not need to type a password to enter, thanks to the rsa key !

Setup ssh keys with PuttyGen

This method is quite simple to do.

Open PuttyGen or download it here https://www.puttygen.com/

Open it and click on generate :

MOOVE YOUR MOUSE !! To generate the keys randomly

Copy the rsa public key and save your private key in a folder

Paste the public key in the server file like above you can follow the same steps /home/youruser/.ssh/authorized_keys like we did before.

CONNECT WITH PUTY

Open Putty

Go in SSH => Auth

Click on “Browse” and search for your private Key

Go in “Data”

Specify your auth name, in my case i’ts “debian”

Go back to session

Enter the host name and the port

Enter a session name and save it, it will be very useful because you just have to double click and you are log in to your ssh server !

And now try it

Everything is woking fine !

Secure our ssh server

We have set our ssh keys, we can now disable login via password, i think you already know the path where the file is to change it :)

Uncomment PasswordAuthentification and add no

Install Fail2Ban

apt-get install fail2ban -y

Go in the fail2ban folder and clone it to be sure that in case of problem our conf will not be delete

We create a jail.local file

cd /etc/fail2ban/ && cp jail.conf jail.local

Do the same fore fail2ban.local

cp fail2ban.conf fail2ban.local

Change the jail.local file

nano jail.local

You can choose different values

  • bandtime = 1d the host will be ban during one day
  • findtime = 10m the host have ten minutes to try different attack
  • maxretry = 5 the host can try to log 5 times
  • enabled = true to enable the sshd jail
  • port = 2222 to define de port
  • logpath = /var/log/auth.log to define the logs path
  • backend = %(sshd_backend)s is the monitoring engine of logs

You can now restart fail2ban.service

systemctl reload fail2ban.service

Check the status of the jail, if in the future you want to setup multiple services they will be display here

root@debian:/etc/fail2ban# fail2ban-client status

This is the output

root@debian:/etc/fail2ban# fail2ban-client status
|Status
|- Number of jail: 1
`- Jail list: sshd
root@debian:/etc/fail2ban#

The jail on the sshd service is working !

Logs files are stored in :

/var/log/auth.log/var/log/fail2ban.log

If you want to unban an ip :

fail2ban-client set sshd unbanip theiptunban

Open port in the router to access it over internet

Go on the ip address of your router, mine is 192.168.1.1

Choose :

  • Secure Shell Server
  • 2222 for ports
  • TCP
  • Name of your server (i used my computer on debian)
  • External IP choose all of them or specify one

If you face to a problem you can send me a message !

Signed Alix.

--

--

Yoplux
Yoplux

Written by Yoplux

Learn with Christian & Alix

No responses yet