Install and Configure SSH Server


Secure Shell (SSH) is a network protocol for secure data communication, remote shell services, command execution and other secure network services between two networked computers, which it connects via a secure channel over an insecure network.

This guide shows how easy it is to install and configure an SSH server.



Install SSH Server

$ sudo apt-get install openssh-server

Configuring SSH Server

This is the default main SSH server configuration file.

$ sudo nano /etc/ssh/sshd_config

Disable Remote Root Logins

With this setting, you won't be able to log in as root remotely.
This is a very useful security feature of the SSH server.

PermitRootLogin no
# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no

Disable X11 Forwarding

X11Forwarding no
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

Change Port (for security)

Change the port from the default 22 to something else. It's recommended for anyone who is running an SSH server on a remote computer, for security reasons.

Port 33
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 33
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

Change SSH Server Login Banner

$ sudo nano /etc/ssh/sshd-banner

Type anything you like in the sshd-banner file. Here is a good example that you can use.

|------------------------------------------------------------------------|
| This system is for the use of authorised users only.                   |
| Individuals using this computer system without authority, or in        |
| excess of their authority, are subject to having all of their          |
| activities on this system monitored and recorded by system personnel.  |
|                                                                        |
| In the course of monitoring individuals improperly using this          |
| system, or in the course of system maintenance, the activities         |
| of authorised users may also be monitored.                             |
|                                                                        |
| Anyone using this system expressly consents to such monitoring         |
| and is advised that if such monitoring reveals possible                |
| evidence of criminal activity, system personnel may provide the        |
| evidence of such monitoring to law enforcement officials.              |
|------------------------------------------------------------------------|

You can also use a smaller version of this message.

#########################################################################
# WARNING ###############################################################
# Unauthorised access to this system is absolutely forbidden and might  #
# be prosecuted by law. By accessing this system, you agree that your   #
# actions may be monitored if unauthorised usage is suspected.          #
#########################################################################

Add the following line anywhere in /etc/ssh/sshd_config

Banner /etc/ssh/sshd-banner
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
Banner /etc/ssh/sshd-banner
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
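
A check for the four changes made above, to run before restarting the server (an added example, not from the original page; `effective_values` and `audit_sshd_config` are hypothetical helper names and the sample config is constructed). sshd uses the first value it reads for a keyword, so a line added below an existing one is ignored; the script reports what is actually in effect.

```shell
#!/bin/sh
# Added example: audit_sshd_config and effective_values are hypothetical
# helper names, not OpenSSH tools. Assumes "Keyword value" lines.

# Print the value(s) sshd would use for global keyword $2 in file $1.
# Keywords are case-insensitive and the first value obtained wins; Port
# is the exception (it may repeat), so every Port value is printed.
effective_values() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }             # comments and blank lines
        tolower($1) == "match" { exit }     # Match blocks are conditional
        tolower($1) == want { print $2; if (want != "port") exit }
    ' "$1"
}

# Compare the page's four settings with what the file makes effective.
# Prints one line per setting; the return status is the number of failures.
audit_sshd_config() {
    cfg=$1 fails=0
    for pair in PermitRootLogin=no X11Forwarding=no \
                Banner=/etc/ssh/sshd-banner; do
        key=${pair%%=*} want=${pair#*=}
        got=$(effective_values "$cfg" "$key")
        if [ "$got" = "$want" ]; then echo "OK   $key $got"
        else echo "FAIL $key is '${got:-unset}', want '$want'"
             fails=$((fails + 1)); fi
    done
    ports=$(effective_values "$cfg" Port | tr '\n' ' ')
    case " ${ports:-22} " in               # no Port line means port 22
        *" 22 "*) echo "FAIL Port still includes 22"; fails=$((fails + 1)) ;;
        *)        echo "OK   Port $ports" ;;
    esac
    return "$fails"
}

# Constructed sample: a "PermitRootLogin no" appended below an existing
# "PermitRootLogin yes" never takes effect, because the first value wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 33
PermitRootLogin yes
X11Forwarding no
#Banner /etc/issue.net
Banner /etc/ssh/sshd-banner
PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "failed checks: $?"
```

On a live host, `sudo sshd -t` checks the file for syntax errors before the restart, and `sudo sshd -T` prints the configuration sshd will actually use.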

Restart SSH Server

You can use the init.d script or the newer, easier “service” command.

$ sudo /etc/init.d/ssh restart
$ sudo service ssh restart
$ sudo /etc/init.d/ssh restart
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service ssh restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop ssh ; start ssh. The restart(8) utility is also available.
ssh stop/waiting
ssh start/running, process 7288

Use SSH

Connect to the remote server on the non-default port 33.

$ ssh user@domain.com -p 33