insights/content/tutorials/ssh-client-server-security-simplicity/index.md

---
title: "SSH Client - Server (Security & Simplicity)"
description: Hardening SSH access by disabling root SSH access, change the default port, and utilize public and private keys.
summary: Hardening SSH access by disabling root SSH access, change the default port, and utilize public and private keys.
# linkTitle:
date: 2012-05-17T17:09:21+07:00
lastmod:
draft: false
noindex: false
# comments: false
nav_weight: 1000
series:
#  - Tutorial
categories:
  - SysAdmin
  - Security
tags:
  - Linux
  - SSH
images:
authors:
  - ditatompel
---

For System Administrators, using **SSH** instead of **Telnet** is likely a daily routine when accessing Linux/Unix-based systems. Although the password transmitted to the server has been encrypted and no longer appears as plaintext, the default installation of OpenSSH is considered somewhat insecure.

This time, I'd like to share some common tricks for tightening up SSH access. This includes disabling SSH access for the root user, utilizing public and private keys, and even modifying the default port. Additionally, I'll be sharing a few tips to make server management easier and simpler.

To participate in this discussion, you should have:

- A client PC with Linux running KDE 4.8.
- A remote SSH server (Remote PC) with an IP address of 202.150.169.245.
- Basic understanding of Linux command-line interfaces, such as `chmod`, `ssh`, `groupadd`, and `useradd`.
- The ability to use text editors like `vi`/`vim`/`nano`/`pico`, etc.

## Disabling Root Access via SSH

The "root" user is undoubtedly present on Unix/Unix-like systems. If we don't disable this user, it will make it easier for attackers to perform brute-force attacks against the root account.

Before disabling root access, we need to create a new user with the right to use the SSH service and add them to the sudoers list.

1. Access the SSH server using the "root" user first.

```bash
ssh root@202.150.169.245
```

2. Once logged in to the SSH server, create a new user and group. (You can refer to `man useradd` for more information)

```bash
groupadd ditatompel
useradd -s /bin/bash -d /home/ditatompel -g ditatompel -G root -m ditatompel
```

3. Set the password for this new user with the command `passwd ditatompel`.

![Create User](create-user.png#center)

4. Then, add the "ditatompel" user to the sudoers list. Edit the `/etc/sudoers` file and add the following permission:

```plain
ditatompel     ALL=(ALL)    ALL
```

5. Next, edit the `/etc/ssh/sshd_config` file and add/edit the following configuration:

```plain
PermitRootLogin no
AllowUsers ditatompel
```

6. Restart the SSH daemon:

```bash
service sshd restart #(For CentOS, etc.)
/etc/init.d/ssh restart #(for Debian)
/etc/rc.d/sshd restart #(FreeBSD, Arch, Gentoo, etc.)
```

> **Important:** After restarting, ensure that any currently connected SSH sessions do not get terminated or closed so you can still access and edit the configuration if there's an error.

7. Try accessing the SSH server using the new user, which is "ditatompel".

```bash
ssh ditatompel@202.150.169.245
```

## Changing the Default SSH Port (Optional)

Changing the default SSH port (`22`) can help prevent brute-force attacks that simply grab scripts from the internet since most brute-force SSH scripts default to port `22` for their attack attempts.

**NOTE:** If your server's firewall is active, you'll need to open access to the new port, for example if you're using `iptables`:

```bash
iptables -A INPUT -p tcp --dport 1337 -j ACCEPT
iptables save
service iptables restart
```

- Remember not to close any existing SSH connections that are already connected to avoid unwanted issues.

Next, to change the port, edit the `/etc/ssh/sshd_config` file and add/edit the following configuration:

```plain
Port 1337
```

Then, restart the SSH daemon.

As we can see, the SSH daemon is now listening on port `1337`. To confirm this, you can use the `netstat` command.

```bash
netstat -plnt
```

Finally, always test again to ensure that your server can be accessed.

## Using Public and Private Keys

1. First, create a _keypair_ for SSH client and SSH server using `ssh-keygen`.

```bash
ssh-keygen -b 4048 -f oldServer-169-245 -t rsa -C "ditatompel@oldServer-169-245"
```

This will generate two files: `oldServer-169-245` (private key) and `oldServer-169-245.pub` (public key). The former is our private key, while the latter is our public key that we'll place on our server.

2. Move these two files to the `~/.ssh` directory and change their permissions to `600`.

```bash
mv oldServer-169-245 oldServer-169-245.pub ~/.ssh/
find ~/.ssh/ -type f -exec chmod 600 {} +
```

![SSH-keygen](sshkeygen.jpg#center)

3. On the server, create a hidden directory `.ssh` in the user's home directory (`ditatompel`) and change its permissions to `700`.

```bash
mkdir ~/.ssh; chmod 700 ~/.ssh
```

4. Copy our public key to the remote PC (_SSH Server_) with the name `authorized_keys` and file permission `600`. (You can use `sftp` or `scp` to copy the file):

Example:

```bash
cd ~/.ssh
sftp -P 1337 ditatompel@202.150.169.245
```

```plain
sftp> put oldServer-169-245.pub /home/ditatompel/.ssh/authorized_keys
sftp> chmod 600 /home/ditatompel/.ssh/authorized_keys
```

![SFTP](sftp.png#center)

5. After that, edit the file `/etc/ssh/sshd_config` and add/configure the following to prevent users from accessing shells even if they know the password, and force them to use private keys:

```plain
PasswordAuthentication no
```

6. Restart SSH _daemon_ and try again with the command:

```bash
ssh -i ~/.ssh/oldServer-169-245 -p 1337 ditatompel@202.150.169.245
```

![SSH pass](ssh-pass.png#center)

## Managing Server Using FISH Protocol

This is my favorite part, and I think there might be some people who don't know about it yet.

**FISH** (_Files transferred over Shell protocol_) is a network protocol that uses **Secure Shell (SSH)** or **Remote Shell (RSH)** to transfer files between computers. We use **Dolphin**, which is already built-in with **KDE**. In addition to Dolphin, KDE users can also use `Konqueror` for the FISH protocol. For Gnome users, you can also use `Nautilus` with a third-party plugin.

To do this, simply click on the breadcrumb navigation directory and type `{protocol}{user}@{server}:{port}/{directory}` and press Enter.

Example :

```plain
fish://ditatompel@202.150.169.245:1337/var/www/path/to/directory/you/want/to/access/
```

![Fish protocol](fish.png#center)

After that, we will be prompted to enter our SSH password. However, there is a problem that FISH protocol on Dolphin/Konqueror does not know whether we are using public and private keys to access the server.

So, we can take advantage of the **ssh config** feature (located in `~/.ssh/config` for per-user configuration or `/etc/ssh/sshd_config` for system-wide).

For per-user configuration, there is usually no file `~/.ssh/config`, so we need to create it first by adding a configuration `IdentityFile` so that the program knows that we must use our **private key** SSH:

```plain
IdentityFile /home/dit/.ssh/oldServer-169-245
```

What if we have many servers and many private keys for each server? Let's continue reading.

## Configuring ~/.ssh/config

For system administrators responsible for managing numerous servers with diverse login access requirements, recalling port numbers, passwords, users, and so on can be a daunting task. Not to mention keeping track of application access on each server. Therefore, we can utilize the SSH config feature that enables us to access the shell by simply remembering the IP address and passphrase of each server.

Here is an example configuration for multi-server identities:

```plain
Host 202.150.169.245
Hostname 202.150.169.245
        User ditatompel
        Port 1337
        IdentityFile /home/dit/.ssh/oldServer-169-245

Host xxx.xx.xx.xxx
HostName xxx.xx.xx.xxx
        User ditakeren
        Port 12345
        IdentityFile /home/dit/.ssh/blahblah1

Host xxx.xxx.xxx.xx
Hostname xxx.xxx.xxx.xx
        User ditacakep
        Port 23213
        IdentityFile /home/dit/.ssh/blahblah2

# dan seterusnya
```

![~/.ssh/config](ssh-config.png#center)

With this, we can use the SSH command with:

```bash
ssh 202.150.169.245
```

or by adding it to a network directory by accessing **Network** > **Add Network directory**, and filling in the necessary remote PC (SSH server) information.

![Fish Protocol](fish-protocol1.png#center)

That's all from me for now; please feel free to add or correct as you see fit, I would greatly appreciate it.

References:

- [http://linux.die.net/man/5/ssh_config](http://linux.die.net/man/5/ssh_config).
- [http://kb.mediatemple.net/questions/1625/Using+an+SSH+Config+File](http://kb.mediatemple.net/questions/1625/Using+an+SSH+Config+File).