How to install/secure openssh-server on Linux & more

During this tutorial we will work with the ROOT user

Open /etc/ssh/sshd_config

Uncomment Port and set it to 2222, then uncomment PermitRootLogin and set it to no. SSH will now listen on port 2222 and root login will be disabled.

INPUT

  • -A means append to a chain: INPUT, OUTPUT or FORWARD
  • INPUT is the chain for incoming connections
  • -p means protocol; in this case we use tcp
  • -m loads a module that the rule requires
  • state is the module loaded here
  • --state is the connection state to match, for example NEW, meaning a new connection is being initiated
  • --dport specifies the destination port to open
  • -j jumps to the specified target when a packet matches the rule

OUTPUT

Same as above, but OUTPUT is the chain for outgoing connections; we have to accept both INPUT and OUTPUT.

You can see that tcp6 is displayed: this is TCP over IPv6, and port 2222 is open.

To make sure our rules stay persistent if we need to restart our ssh server.

A message should pop up. If it does not, don't panic: I explain below how to save the rules into the right folder.

If you do not get this message you can run this command to save the output into the right folder!

  • > redirects the output of “iptables-save” into /etc/iptables/rules.v4
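The two rules the flags above describe, plus the persistent file, as an added example written for this article (it is not the author's own command list). It assumes the post's port 2222, the path /etc/iptables/rules.v4 and the iptables-persistent package that reloads that file at boot; the function and variable names are mine. The file is written in the format iptables-save produces, so it can be dropped in place of a saved ruleset, and a small check counts the rules before you trust the file.

```shell
#!/bin/sh
# Added example (not from the original post): the SSH rules the post builds
# with iptables, in the format that /etc/iptables/rules.v4 expects.

# Print the ruleset for the SSH port given as $1 (defaults to the post's 2222).
ssh_ruleset() {
    port=${1:-2222}
    cat <<EOF
*filter
# Chain policies stay ACCEPT, as in the post. The explicit ACCEPT rules below
# only start to matter once these policies are changed to DROP.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# -A INPUT: append to the INPUT chain (incoming packets)
# -p tcp: match the TCP protocol
# -m state --state NEW: load the state module; match packets opening a new connection
# --dport $port: match the destination port sshd listens on
# -j ACCEPT: jump to the ACCEPT target when the packet matches
-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT
# Replies leave from the same port on an already ESTABLISHED connection.
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport $port -j ACCEPT
COMMIT
EOF
}

# Load the same two rules live, the way the post types them (needs root).
apply_ssh_rules() {
    port=${1:-2222}
    iptables -A INPUT -p tcp -m state --state NEW --dport "$port" -j ACCEPT
    iptables -A OUTPUT -p tcp -m state --state ESTABLISHED --sport "$port" -j ACCEPT
}

# Write the ruleset to FILE (the post uses /etc/iptables/rules.v4).
write_ssh_rules() {
    file=$1; port=${2:-2222}
    ssh_ruleset "$port" > "$file"
}

# Count the ACCEPT rules for PORT in a rules file; a quick sanity check
# before relying on the file after a reboot.
count_ssh_rules() {
    grep -c -- "--[ds]port $2 -j ACCEPT" "$1"
}

# "sh rules.sh --apply" as root on the server: add the rules, then save the
# full live ruleset the way the post does.
case "${1:-}" in
    --apply)
        apply_ssh_rules 2222
        iptables-save > /etc/iptables/rules.v4
        ;;
esac
```

Lines starting with # are ignored by iptables-restore, so the commented file can be loaded as-is.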

We will try to connect to our ssh server locally via PuTTY; you can also use a cmd on Windows or a terminal on Linux, you just need a client.

Enter the IP of your server, in my case it's 192.168.1.16, and remember that we use port 2222, not 22!

I did not specify the username, so it will try to connect with the root user, just to be sure that everything is fine :)

To connect with a username you can use this syntax

=> username@ipaddress

Click on ‘Open’

You should see this page: PuTTY warns us because it does not yet know whether the server is a trusted one, but in our case we are sure because it is on our local network. We will discuss RSA keys in a later step to secure our connection.

Press “YES”

So we can try to log in with the ROOT user to be sure that everything is working. As you can see, access is denied for the ROOT user; we did a great job, no?

Now let's try with the default user, in my case it's “debian”

Everything is good !

Setup a banner

Go to the ssh configuration file /etc/ssh/sshd_config

Go to the end of the file and, under #Banner none,

type Banner=/etc/banner.txt

This is the path of the file where we will write our banner.

Now go to /etc/ and create the .txt banner file; we can use this command to move into the directory and create the .txt file in one go.

Our .txt file is empty, so let's put something inside. You can put whatever you want, a disclaimer for example, or something funny.

Now reload the ssh service

You should see your banner now.

First we will set up an RSA key; in my case the client is on “Windows”.

This is particularly important if the computer is visible on the Internet (this is the goal). Using encrypted keys for authentication is useful as you won't need to enter a password anymore. Once the public/private key-pair authentication has been configured on the server, you can completely disable password authentication; this means that no one without an authorized key will be able to gain access.

Let's fire up a CMD and type this command to generate the key.

The output should look like this

At this point press Enter and the keys will be saved in the hidden .ssh folder. You can see my path below.

Then a message asks you to enter a passphrase, which is the password that unlocks your key each time you connect. It is your choice to add passphrase protection to your key when you create it. If you prefer not to use one, simply press Enter when asked for the passphrase while creating your key pair. Be aware that if you do not passphrase-protect your key, anyone gaining access to your local machine will automatically have SSH access to the remote server.

A passphrase gives you more security, but you can leave it empty, because the main goal here is not to have to type a password when logging into our ssh server.

Now you have this message: the keys have been generated

  • id_rsa is your private key
  • id_rsa.pub is your public key

First we have to allow login via public key; let's change this in /etc/ssh/sshd_config

Uncomment “PubkeyAuthentication yes” and close the file

Now we have to create a place to put authorized keys in, and put our key inside it, the id_rsa.pub key

authorized_keys will be stored in the .ssh folder of your home directory

We have to create a file in the .ssh folder and name it “authorized_keys”

Now copy the id_rsa.pub key that was saved on your Windows machine, mine was in C:\Users\myuser\.ssh: open the id_rsa.pub key with Notepad++ for example. /!\ The key has to be on a single line /!\

Like this :

Then paste it into the authorized_keys file we created above

The file should look like this :

Close the file and reload the ssh service

Remember we created the keys via cmd, so let's open a cmd!

We can now try to connect; the ssh server will let us in because it now knows our id_rsa.pub key

Go to the path where your id_rsa.pub and id_rsa keys were saved, for me that was C:\Users\myuser\.ssh

Type this command to connect to the ssh server :

You can see that we do not need to type a password, thanks to the RSA key!
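The key generation and the authorized_keys step from the two sections above, as an added example written for this article (not the author's own commands). It is written for a Linux shell; the same ssh-keygen flags work in a Windows cmd with the OpenSSH client. The 4096-bit size, the directory layout and the function names are assumptions. The install step does the checks the post only mentions in passing: the key must be one line, Windows CR line endings are stripped, the .ssh directory and file get the permissions sshd requires, and the same key is never added twice.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Generate an RSA key pair in DIR as id_rsa / id_rsa.pub. An empty passphrase
# ($2 left out) gives a key without passphrase, as the post allows; pass a
# passphrase as $2 to protect the private key.
generate_rsa_key() {
    dir=$1; passphrase=${2:-}
    mkdir -p "$dir" && chmod 700 "$dir"
    ssh-keygen -t rsa -b 4096 -f "$dir/id_rsa" -N "$passphrase" -C "added-example"
}

# Append the one-line public key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys.
install_authorized_key() {
    pubkey_file=$1; home_dir=$2
    # A file edited on Windows often carries CR line endings; sshd would not
    # match such a key, so strip them first.
    key=$(tr -d '\r' < "$pubkey_file")
    # The key must be exactly one line: "<type> <base64 blob> [comment]".
    if [ "$(printf '%s\n' "$key" | wc -l)" -ne 1 ]; then
        echo "public key must be a single line (was it wrapped by the editor?)" >&2
        return 1
    fi
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    # With StrictModes (on by default) sshd ignores authorized_keys when the
    # directory or the file is writable by others, so set permissions explicitly.
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    # Do not add the same key twice.
    if ! grep -qxF -- "$key" "$home_dir/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home_dir/.ssh/authorized_keys"
    fi
}

# Usage on the client:  generate_rsa_key "$HOME/.ssh"
# Usage on the server:  install_authorized_key /path/to/id_rsa.pub /home/debian
# Then connect from the client, with the post's port and address:
#   ssh -p 2222 -i ~/.ssh/id_rsa debian@192.168.1.16
```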

This method is quite simple.

Open PuTTYgen or download it here https://www.puttygen.com/

Open it and click on generate :

MOVE YOUR MOUSE!! This is what generates the keys randomly

Copy the RSA public key and save your private key in a folder

Paste the public key into the server file like above; you can follow the same steps with /home/youruser/.ssh/authorized_keys as we did before.

Open PuTTY

Go to SSH => Auth

Click on “Browse” and select your private key

Go to “Data”

Specify the username to log in with, in my case it's “debian”

Go back to session

Enter the host name and the port

Enter a session name and save it; it is very useful because then you just have to double-click and you are logged in to your ssh server!

And now try it

Everything is working fine!

Secure our ssh server

We have set up our ssh keys, so we can now disable login via password; I think you already know the path of the file to change :)

Uncomment PasswordAuthentication and set it to no

Go to the fail2ban configuration folder and copy the configuration file, to be sure that in case of problem our configuration will not be deleted
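All the sshd_config edits made in this post (Port and PermitRootLogin at the start, Banner, PubkeyAuthentication, and PasswordAuthentication here) applied in one step, as an added example written for this article; it is not the author's procedure, which edits the file by hand. The values and the file path are the post's; the helper functions and the backup path are my assumptions. The helper handles both the commented-out lines the post uncomments and the "Key=value" form the banner step uses, and the apply step runs sshd -t so a typo cannot leave you locked out after the restart.

```shell
#!/bin/sh
# Added example, not from the original post.

# Set KEY to VALUE in FILE: rewrite the directive if it exists (commented out
# or not, "Key value" or "Key=value" form), otherwise append it.
# Caveat: this rewrites matching lines anywhere in the file, including inside a
# "Match" block if one exists, so review the result (sshd -T shows what applies).
set_sshd_option() {
    file=$1; key=$2; value=$3
    pattern="^[#[:space:]]*${key}([[:space:]]+|[[:space:]]*=[[:space:]]*)"
    if grep -Eq "$pattern" "$file"; then
        sed -i -E "s,${pattern}.*,${key} ${value}," "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# The post's settings, in the order the post introduces them.
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" Port 2222
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" Banner /etc/banner.txt
    set_sshd_option "$file" PubkeyAuthentication yes
    # Only turn this off after a key login has been verified to work, and keep
    # your current session open until the new configuration is confirmed.
    set_sshd_option "$file" PasswordAuthentication no
}

# Effective value of KEY in FILE: sshd uses the first occurrence of a directive.
sshd_option_value() {
    grep -E "^${2}([[:space:]]+|[[:space:]]*=[[:space:]]*)" "$1" | head -n 1 \
        | sed -E "s/^${2}[[:space:]=]+//"
}

# "sh harden.sh --apply" as root: back up, rewrite, validate, then restart.
# sshd -t exits non-zero on a syntax error, so a broken file is never loaded.
case "${1:-}" in
    --apply)
        cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
        harden_sshd_config /etc/ssh/sshd_config
        sshd -t && systemctl restart ssh
        ;;
esac
```

The Port change needs a restart rather than a reload, and if the firewall rules from the beginning of the post are in place, the new port must be open before you restart.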

We create a jail.local file

Do the same for fail2ban.local

Change the jail.local file

You can choose different values

  • bantime = 1d: the host will be banned for one day
  • findtime = 10m: failed attempts are counted within a ten-minute window
  • maxretry = 5: the host can try to log in 5 times before being banned
  • enabled = true: enables the sshd jail
  • port = 2222: defines the port
  • logpath = /var/log/auth.log: defines the path of the logs
  • backend = %(sshd_backend)s: the engine that monitors the logs

You can now restart fail2ban.service

Check the status of the jail; if in the future you set up multiple services they will be displayed here

This is the output

The jail on the sshd service is working!

Log files are stored in :

If you want to unban an ip :
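The jail.local from the list above, plus the status and unban commands, as an added example written for this article (not the author's own files). The directory /etc/fail2ban, the port and the values are the post's; the function names, the use of a minimal override file instead of a full copy of jail.conf, and the default log location /var/log/fail2ban.log are my assumptions. fail2ban reads jail.conf and then jail.local on top of it, so the .local file only needs the values that change; a full copy, as the post makes, works too.

```shell
#!/bin/sh
# Added example, not from the original post.

# Write a minimal jail.local into DIR for the SSH port given as $2.
write_jail_local() {
    dir=$1; port=${2:-2222}
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
# ban for one day ...
bantime = 1d
# ... once maxretry failures are seen within a ten-minute window
findtime = 10m
maxretry = 5

[sshd]
enabled = true
# the jail must watch the port sshd actually listens on
port = $port
logpath = /var/log/auth.log
backend = %(sshd_backend)s
EOF
}

# Value of KEY in [SECTION] of an ini-style file, so a script can verify the
# configuration it just wrote before restarting the service.
ini_value() {
    file=$1; section=$2; key=$3
    awk -v s="[$section]" -v k="$key" '
        $0 == s { insec = 1; next }
        /^\[/   { insec = 0 }
        insec && $1 == k && $2 == "=" { print $3; exit }
    ' "$file"
}

# Live checks on the server (need root and a running fail2ban).
jail_status() { fail2ban-client status "${1:-sshd}"; }
unban_ip()    { fail2ban-client set "${2:-sshd}" unbanip "$1"; }
# Ban and unban events are written to /var/log/fail2ban.log by default.

# "sh jail.sh --apply" as root: write the overrides, restart, show the jail.
case "${1:-}" in
    --apply)
        write_jail_local /etc/fail2ban 2222
        systemctl restart fail2ban
        jail_status sshd
        ;;
esac
```

A banned address is listed under "Banned IP list" in the status output, and unban_ip 192.168.1.50 (a constructed address) lifts the ban without waiting for bantime to expire.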

Go to the IP address of your router, mine is 192.168.1.1

Choose :

  • Secure Shell Server
  • 2222 for ports
  • TCP
  • Name of your server (I used my computer on Debian)
  • External IP: choose all of them or specify one

If you face a problem you can send me a message!

Signed Alix.
