Secure Shell(SSH) - Tips and Tricks
Linux Server Admin with 14+ years experience in Linux Server Administration
Published:
Browse All Articles > Secure Shell(SSH) - Tips and Tricks
SSH (Secure Shell) - Tips and Tricks
As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sends information as plain text through the network. While using SSH, the entire session, including password transmission, is encrypted. Using SSH, we can access other systems remotely, execute commands, transfer/move files etc. SSH uses two major protocols. They are SSH1 or SSH-1 and SSH2 or SSH-2. Comparing both protocols, SSH-2 is more secure. SSH is available for Windows, Unix, Macintosh etc. In short SSH, is a powerful tool, and there are lots of possibilities. Here are some awesome tips and tricks on how to use SSH for daily administration duties.
Before we start let me brief some basic things regarding SSH.
To access a remote system using SSH, we need the following details.
1.A SSH client
2.Remote servername/IP
3.SSH Port number (By default SSH use port number as 22)
4.Username in remote server
5.Password of the user
If you are using a Unix/Linux machine, you can use Terminal as SSH client. Execute the following command in terminal section to access the remote machine using SSH.
ssh username@remoteservername/
eg:
ssh root@10.10.10.111
This will prompt for password. Enter the password and you are in. For remote servers having custom ssh port, you need to mention the port number in the command line.
ssh username@remoteservername/
eg:
ssh root@10.10.10.111 -p 1032
If you are using some other Operating system, you can use a SSH client like putty. Putty can be downloaded from the following url.
Putty Download
Now moving to SSH Server side:
Default Configuration file of SSH = /etc/ssh/sshd_config
Default Port Number = 22
SSH Start/Stop/Restart = /etc/rc.d/init.d/sshd or /etc/init.d/ssh (start/stop/restart)
If we are making any changes to sshd_config, we need to restart the ssh service for changes to take effect.
Moving to the configuration part, there are a lots of directives in the sshd_config which is the main SSH configuration file. Lets discuss one by one.
1. Change SSH port number (Port)
As mentioned above, SSH runs on default port number 22. You will be able to find the following entry in your SSH configuration file for the SSH port number.
Port 22
To change port number just replace 22 with the required port number. Its always good to use a number higher than 1024 because by default port scanners will not scan for high port numbers.
Port 1033
Restart sshd using
/etc/rc.d/init.d/sshd restart
Also make sure to open the port in the firewall. If you are using iptables you can use the following command to open a port number.
iptables -I INPUT -p tcp --dport 1033 -j ACCEPT
/etc/rc.d/init.d/iptables save
Check if its open using the following command.
iptables -nL | grep 1033
2. SSH protocol (Protocol)
You can see the SSH protocol mentioned as below in your configuration file.
Protocol 2,1
Its good to set the protocol to 2. As discussed above, SSH-2 protocol is more secure. Change the above line to
Protocol 2
Restart sshd.
3. Permit Root Login (PermitRootLogin)
Using this directive you can enable/disable root login to server. Allowing direct root login through SSH is a security risk. So I would recommend you to disable root logins. Just find the following line to disable root login.
Change
PermitRootLogin yes
to
PermitRootLogin no
Restart sshd.
4. Login Time Limit (LoginGraceTime)
This option sets a time limit for the user to authenticate. If this time exceeds and the user has not yet authenticated, the server closes the connection from that user. Its better to leave the option to the default value. You can change it if required.
LoginGraceTime 2m
5. Maximum login attempts (MaxAuthTries)
This directive will set the maximum login attempts allowed per connection.
MaxAuthTries 6
Reduce the number for security reasons.
6. Key authentication (PubkeyAuthentication)
Enabling key based authentication means, you can access the server only using your private key. You need to generate a key pair and add the private key to your remote machine and add the public key to the server so that the server can be accessed using the keys. Un-comment the following lines if you wish to activate key based authentication.
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RSAAuthentication yes
PasswordAuthentication no
Restart sshd.
When we are using " PasswordAuthentication no", any person who tries to connect to your SSH service and doesn't have a public key on the server, will be rejected without even seeing the login prompt.
Refer the following article for details regarding key based authentication.
SSH Access Using Public Key
Now we can check some SSH security tips & tricks
Creating custom Banner for SSH:
If you wish to display some message/warning/announceme
vi /etc/motd
You can add a message like this.
* This is a my Private Server. You are not supposed to be here.*
You can also place the banner in some location like /home/user/bannet.txt and mention the path in your ssh configuration file.
Find the following directive and mention the path.
Banner /home/user/bannet.txt
Restart sshd.
You can edit the file named /etc/issue and include any message which will be displayed before the login prompt.
SSH Tunneling:
SSH tunneling is an awesome method where you can tunnel all the traffic from your local machine to a remote machine. SSH tunneling consists of an encrypted tunnel created through SSH protocol. This method is helpful when you are behind some firewalls. You can easily overcome any restrictions due to firewall using tunneling.
Refer the following article for more details regarding tunneling.
SSH Tunneling
Creating a X(Graphical) session over a ssh tunnel:
With this option you can run application/software in GUI mode through SSH. You need to enable the following line in your ssh configuration file to accomplish this.
X11Forwarding yes
Restart sshd.
Now on client end, run the following command to access the server.
ssh -X root@10.10.10.111
You can run a sample program like firefox or kate using following commands.
firefox
Just wait for some time and you will see firefox browser on client screen. Sometimes it will throw a error like "Error: no display specified". You need to set display using the following command.
export DISPLAY=IPaddressofmachine
eg:
export DISPLAY=10.10.10.111:0.0
Now run firefox and it will work.
TCP wrappers:
You can mention which hosts on a network to be able to connect to SSH service by utilizing two simple files.
1. /etc/hosts.allow
2. /etc/hosts.deny
To block all from SSH service add the following entry in /etc/hosts.deny
sshd: ALL
No need to do anything else. Just adding the above line will reject everyone from accessing the server via SSH.
If you wish to allow only some person, you can add them to the /etc/hosts.allow
sshd: 10.10.10.111
Now all except 10.10.10.111 is blocked from using SSH.
You can also mention the ip ranges.
SCP (Secure Copy)
SCP is a file copying/transferring tool through SSH that’s included with Openssh package. You should use the following command if you wish to copy/transfer files between machines running SSH.
scp source destination (General Syntax)
eg:
scp /home/user/myfile root@10.10.10.111:/home/user2
Above command will copy the myfile from your machine to the /home/user2 of remote machine.
To copy a folder you can use the following command.
scp –r /home/user/myfolder roor@10.10.10.111:/home/user2
This will copy the myfolder directory from your machine to the /home/user2 of remote machine.
Editing files on a Remote machine using SCP.
You can edit files in remote machine using the simple vi command and scp. Here you go.
vi scp://location to file in remote machine
eg:
vi scp://root@10.10.10.111//etc/my.cnf
Search Files on remote Machine
You can easily search files on a remote machine and see the output on your machine using the following command.
ssh root@10.10.10.111 “find locationtosearch –name ‘*.extension’”
eg: If you wish to search jpg files you may use the following command.
ssh root@10.10.10.111 “find /home/user –name ‘*.jpg’”
This will output all the files in remote machine with that extension.
SSHFS (Secure Shell File System)
This tool is used to mount remote SSH file systems. Sometimes SSHFS may not be there with your default SSH package. Just install it through yum.
yum install sshfs
Now you can use the following command to mount the remote directory.
sshfs root@10.10.10.111:/remotedirectory /mnt/remotedirectory
Now if you want to play some media files on remote machine you can try the following commands.
ssh root@10.10.10.111 “cat locationtomediafile” | player –
eg: If you wish to play a .avi file, just use the following command.
ssh root@10.10.10.111 “cat /home/user/test.avi” | vlc –
Above will open the avi file in your vlc player.
Compare a Remote File with Local File.
You can use the following command to check the differences between local files and remote file.
ssh root@10.10.10.111 “cat pathtoremotefile” | diff “pathtolocalfile”
eg:
ssh root@10.10.10.111 cat /home/user2/myfile | diff /home/user/myorginalfile
Copying between two remote machines through your machine.
You should use the following command to copy between two remote machines. Please make sure that you have access to both remote machines. Just use the following command.
ssh root@remotemachine1 “cd /path/to/directory/to/copy && tar –cf - .” | ssh root@remotemachine2 “cd /directorytocopyto/ && tar –xf –“
SSH security locks.
You can limit connections to SSH for particular time by using iptables.
Eg:
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 120/second --limit-burst 1 -j ACCEPT
Here we assume the default ssh port as 22. Change it accordingly.
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
In the above example, if a user try to access using the,wrong password, his access is blocked for 120 seconds. After that he can try login only once / 120 seconds. You may use /second, /minute, /hour, or /day in the above example.
Allowing SSH for particular IP only.
Eg:
iptables -A INPUT -p tcp -m state --state NEW –source 10.10.10.111 --dport 22 -j ACCEPT
Make sure to save iptables after entering each rule.
Also if you are allowing only one ip to access SSH make sure to block the port 22.
iptables -I INPUT -p tcp --dport 22 -j DROP
How to Attach a screen over SSH.
There is no need to login to server. You can attach it directly using the following command.
ssh -t root@10.10.10.111 screen –r
Live SSH Transfer Speed check.
yes | pv | ssh $root@10.10.10.111 “cat > /dev/null”
This will show the live transfer speed. You need to install the Pipe Viewer package before executing this command.
yum install pv
SSH connection over compression.
SSH has a built in feature called compression. You can use the following command to enable it.
ssh -C root@10.10.10.111
Another important feature of SSH is SFTP (Secure file transfer protocol)
Openssh offers SFTP. With SFTP you can securely transfer files. To enable SFTP, add the following line in your SSH configuration file.
Subsystem sftp /usr/lib/openssh/sftp-server
Restart ssh service and you should be able to use the sftp server:
Conclusion:
I was not able to cover all topics. This is just a overview of important commands.
Hope you found this article helpful! Feel free to drop your suggestion’s.
Thanks for reading.
ASV
Linux Server Admin with 14+ years experience in Linux Server Administration
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (1)
Commented:
Nice article..I would like to know which algorithm/encryption used by default when we do ssh to any linux server.