<

Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x

Secure Shell(SSH) - Tips and Tricks

Published on
10,215 Points
3,915 Views
3 Endorsements
Last Modified:
LinuxGuru
Linux Server Admin with 9+ years experience in Linux Server Administration

SSH (Secure Shell) - Tips and Tricks


As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sends information as plain text through the network. While using SSH, the entire session, including password transmission, is encrypted. Using SSH, we can access other systems remotely, execute commands, transfer/move files etc. SSH uses two major protocols. They are SSH1 or SSH-1 and SSH2 or SSH-2. Comparing both protocols, SSH-2 is more secure. SSH is available for Windows, Unix, Macintosh etc. In short SSH, is a powerful tool, and there are lots of possibilities. Here are some awesome tips and tricks on how to use SSH for daily administration duties.

Before we start let me brief some basic things regarding SSH.

To access a remote system using SSH, we need the following details.


1.A SSH client
2.Remote servername/IP
3.SSH Port number (By default SSH use port number as 22)
4.Username in remote server
5.Password of the user


If you are using a Unix/Linux machine, you can use Terminal as SSH client. Execute the following command in terminal section to access the remote machine using SSH.

ssh username@remoteservername/ip

eg:
ssh root@10.10.10.111

Open in new window


This will prompt for password. Enter the password and you are in. For remote servers having custom ssh port, you need to mention the port number in the command line.

ssh username@remoteservername/ip -p portnumber

eg:
ssh root@10.10.10.111 -p 1032 

Open in new window


If you are using some other Operating system, you can use a SSH client like putty. Putty can be downloaded from the following url.

Putty Download

Now moving to SSH Server side:


Default Configuration file of SSH = /etc/ssh/sshd_config

Default Port Number = 22

SSH Start/Stop/Restart = /etc/rc.d/init.d/sshd or /etc/init.d/ssh (start/stop/restart)

If we are making any changes to sshd_config, we need to restart the ssh service for changes to take effect.

Moving to the configuration part, there are a lots of directives in the sshd_config which is the main SSH configuration file. Lets discuss one by one.

1. Change SSH port number (Port)


As mentioned above, SSH runs on default port number 22. You will be able to find the following entry in your SSH configuration file for the SSH port number.

Port 22 

Open in new window


To change port number just replace 22 with the required port number. Its always good to use a number higher than 1024 because by default port scanners will not scan for high port numbers.

Port 1033

Open in new window


Restart sshd using

/etc/rc.d/init.d/sshd restart

Open in new window


Also make sure to open the port in the firewall. If you are using iptables you can use the following command to open a port number.

iptables -I INPUT -p tcp --dport 1033 -j ACCEPT

Open in new window


/etc/rc.d/init.d/iptables save

Open in new window


Check if its open using the following command.

iptables -nL | grep 1033

Open in new window


2. SSH protocol (Protocol)


You can see the SSH protocol mentioned as below in your configuration file.

Protocol 2,1

Open in new window


Its good to set the protocol to 2. As discussed above, SSH-2 protocol is more secure. Change the above line to

Protocol 2

Open in new window


Restart sshd.

3. Permit Root Login (PermitRootLogin)


Using this directive you can enable/disable root login to server. Allowing direct root login through SSH is a security risk. So I would recommend you to disable root logins. Just find the following line to disable root login.

Change

PermitRootLogin yes

Open in new window


to

PermitRootLogin no

Open in new window


Restart sshd.

4. Login Time Limit (LoginGraceTime)


This option sets a time limit for the user to authenticate. If this time exceeds and the user has not yet authenticated, the server closes the connection from that user. Its better to leave the option to the default value. You can change it if required.

LoginGraceTime 2m

Open in new window


5. Maximum login attempts (MaxAuthTries)


This directive will set the maximum login attempts allowed per connection.

MaxAuthTries 6

Open in new window


Reduce the number for security reasons.

6. Key authentication (PubkeyAuthentication)


Enabling key based authentication means, you can access the server only using your private key. You need to generate a key pair and add the private key to your remote machine and add the public key to the server so that the server can be accessed using the keys. Un-comment the following lines if you wish to activate key based authentication.

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RSAAuthentication yes
PasswordAuthentication no

Open in new window


Restart sshd.

When we are using "PasswordAuthentication no", any person who tries to connect to your SSH service and doesn't have a public key on the server, will be rejected without even seeing the login prompt.

Refer the following article for details regarding key based authentication.

SSH Access Using Public Key

Now we can check some SSH security tips & tricks

Creating custom Banner for SSH:


If you wish to display some message/warning/announcements for the users while logging into the server via ssh, just edit the following file and include your message.

vi /etc/motd

Open in new window


You can add a message like this.

* This is a my Private Server. You are not supposed to be here.*

Open in new window


You can also place the banner in some location like /home/user/bannet.txt and mention the path in your ssh configuration file.

Find the following directive and mention the path.

Banner /home/user/bannet.txt

Open in new window


Restart sshd.

You can edit the file named /etc/issue and include any message which will be displayed before the login prompt.

SSH Tunneling:


SSH tunneling is an awesome method where you can tunnel all the traffic from your local machine to a remote machine. SSH tunneling consists of an encrypted tunnel created through SSH protocol. This method is helpful when you are behind some firewalls. You can easily overcome any restrictions due to firewall using tunneling.

Refer the following article for more details regarding tunneling.

SSH Tunneling

Creating a X(Graphical) session over a ssh tunnel:


With this option you can run application/software in GUI mode through SSH. You need to enable the following line in your ssh configuration file to accomplish this.

X11Forwarding yes

Open in new window


Restart sshd.

Now on client end, run the following command to access the server.

ssh -X root@10.10.10.111

Open in new window


You can run a sample program like firefox or kate using following commands.

firefox

Just wait for some time and you will see firefox browser on client screen. Sometimes it will throw a error like "Error: no display specified". You need to set display using the following command.

export DISPLAY=IPaddressofmachine:0.0

eg:
export DISPLAY=10.10.10.111:0.0

Open in new window


Now run firefox and it will work.

TCP wrappers:


You can mention which hosts on a network to be able to connect to SSH service by utilizing two simple files.

1. /etc/hosts.allow
2. /etc/hosts.deny

To block all from SSH service add the following entry in /etc/hosts.deny

sshd: ALL 

Open in new window


No need to do anything else. Just adding the above line will reject everyone from accessing the server via SSH.

If you wish to allow only some person, you can add them to the /etc/hosts.allow

sshd: 10.10.10.111

Open in new window


Now all except 10.10.10.111 is blocked from using SSH.

You can also mention the ip ranges.

SCP (Secure Copy)


SCP is a file copying/transferring tool  through SSH that’s included with Openssh package.  You should use the following command if you wish to copy/transfer files between machines running SSH.

scp source destination (General Syntax)

eg:
scp /home/user/myfile  root@10.10.10.111:/home/user2

Open in new window


Above command will copy the myfile from your machine to the /home/user2 of remote machine.

To copy a folder you can use the following command.

scp –r /home/user/myfolder roor@10.10.10.111:/home/user2

Open in new window


This will copy the myfolder directory from your machine to the /home/user2 of remote machine.

Editing files on a Remote machine using SCP.

You can edit files in remote machine using the simple vi command and scp. Here you go.

vi scp://location to file in remote machine

eg:
vi scp://root@10.10.10.111//etc/my.cnf 

Open in new window


Search Files on remote Machine


You can easily search files on a remote machine and see the output on your machine using the following command.

ssh root@10.10.10.111 “find locationtosearch –name ‘*.extension’”

eg: If you wish to search jpg files you may use the following command.

ssh root@10.10.10.111 “find /home/user –name ‘*.jpg’”

Open in new window


This will output all the files in remote machine with that extension.

SSHFS (Secure Shell File System)


This tool is used to mount remote SSH file systems. Sometimes SSHFS may not be there with your default SSH package. Just install it through yum.

yum install sshfs

Open in new window


Now you can use the following command to mount the remote directory.

sshfs root@10.10.10.111:/remotedirectory /mnt/remotedirectory

Open in new window


Now if you want to play some media files on remote machine you can try the following commands.


ssh root@10.10.10.111 “cat locationtomediafile” | player –

eg: If you wish to play a .avi file, just use the following command.

ssh root@10.10.10.111 “cat /home/user/test.avi” | vlc –

Open in new window


Above will open the avi file in your vlc player.

Compare a Remote File with Local File.


You can use the following command to check the differences between local files and remote file.

ssh root@10.10.10.111 “cat pathtoremotefile” | diff “pathtolocalfile”

eg:
ssh root@10.10.10.111 cat /home/user2/myfile | diff /home/user/myorginalfile

Open in new window


Copying between two remote machines through your machine.


You should use the following command to copy between two remote machines. Please make sure that you have access to both remote machines. Just use the following command.

ssh root@remotemachine1 “cd /path/to/directory/to/copy && tar –cf - .” | ssh root@remotemachine2 “cd /directorytocopyto/ && tar –xf –“

Open in new window


SSH security locks.


You can limit connections to SSH for particular time by using iptables.

Eg:
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 120/second --limit-burst 1 -j ACCEPT

Open in new window


Here we assume the default ssh port as 22. Change it accordingly.

iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP

Open in new window


In the above example, if a user try to access using the,wrong password, his access is blocked for 120 seconds. After that he can try login only once / 120 seconds. You may use /second, /minute, /hour, or /day in the above example.

Allowing SSH for particular IP only.


Eg:
iptables -A INPUT -p tcp -m state --state NEW –source 10.10.10.111 --dport 22 -j ACCEPT

Open in new window


Make sure to save iptables after entering each rule.

Also if you are allowing only one ip to access SSH make sure to block the port 22.

iptables -I INPUT -p tcp --dport 22 -j DROP

Open in new window


How to Attach a screen over SSH.


There is no need to login to server. You can attach it directly using the following command.

ssh -t root@10.10.10.111 screen –r

Open in new window


Live SSH Transfer Speed check.


yes | pv | ssh $root@10.10.10.111 “cat > /dev/null”

Open in new window


This will show the live transfer speed. You need to install the Pipe Viewer package before executing this command.

yum install pv

Open in new window


SSH connection over compression.


SSH has a built in feature called compression. You can use the following command to enable it.

ssh -C root@10.10.10.111

Open in new window


Another important feature of SSH is SFTP (Secure file transfer protocol)


Openssh offers SFTP. With SFTP you can securely transfer files. To enable SFTP, add  the following line in your SSH configuration file.

Subsystem sftp /usr/lib/openssh/sftp-server

Open in new window


Restart ssh service and you should be able to use the sftp server:

Conclusion:


I was not able to cover all topics. This is just a overview of important commands.
Hope you found this article helpful! Feel free to drop your suggestion’s.
Thanks for reading.

ASV
3
Comment
Author:LinuxGuru
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 1

Expert Comment

by:Mahesh Y
Hi Arun,

Nice article..I would like to know which algorithm/encryption used by default when we do ssh to any linux server.
0

Featured Post

WordPress Tutorial 3: Plugins, Themes, and Widgets

The three most common changes you will make to your website involve the look (themes), the functionality (plugins), and modular elements (widgets).

In this article we will briefly define each again, and give you directions on how to install them.

Join & Write a Comment

Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month