SSH SECURE-SHELL
SSH (Secure Shell) is a network protocol that enables secure remote connections between two systems. System admins use SSH utilities to manage machines and to copy or move files between systems.
Because SSH transmits all data over an encrypted channel, the security level is high.
Installing ssh
The package name of ssh is openssh-server.
Start the sshd daemon and set it to start automatically at boot.
Confirm that port 22 is open using netstat -ntlp.
The configuration file is /etc/ssh/sshd_config.
Now you can connect from the client.
Key Based authentication in ssh
To increase your server's security, set up password-less SSH authentication for your new user by generating an SSH key pair, which consists of a public key and a private key. This increases the security of your server because the private SSH key is required to connect to the system.
Once the key is generated, you will be asked to enter a passphrase to secure the private key. You can enter a strong passphrase, or leave the passphrase empty if you want to automate administrative tasks via the SSH server.
The newly created files are stored in the /root/.ssh directory.
Once the SSH key has been generated, copy the public key to the remote server by running the ssh-copy-id command with the username and IP address of the remote server as shown.
SSH Security
Changing the default port number
SSH listens on port 22 by default, so anyone who knows your IP address can connect to your SSH service and simply try some passwords; if they are lucky, they get access to your machine. So it's better to always change the port number from the standard 22 to a non-standard port number. Here I am going to change my port number to 2000.
Open the configuration file in vim and change the option Port 22 to Port 2000.
Make sure you add the new port number to your firewall so it doesn't block the incoming connection.
#firewall-cmd --permanent --add-port=2000/tcp
#firewall-cmd --reload
Restart the sshd service, then use the netstat command to confirm the new port.
Testing: now you can connect from the client using ssh root@192.168.1.100 -p 2000
Restricting direct root login
Root is the default account present in every Linux distribution, so it is very important to protect the root account from direct SSH login.
Make sure you have created a regular user and set a password for the user before making this change.
Open the configuration file and change PermitRootLogin yes to PermitRootLogin no.
Restart the sshd service.
Testing: you can now connect to the server using any other account and, after connecting, su to the root account. I am going to connect to the account linux. I have already changed the port number to 2000, so I also need to specify it while connecting.
Limit User Logins
SSH logins can be limited to only certain users who need remote access. If you have many user accounts on the system then it makes sense to limit remote access to only those that really need it. Add an AllowUsers line followed by a space separated list of usernames to /etc/ssh/sshd_config.
"You must add the option AllowUsers manually"
Go to the bottom of the file and add the following line:
AllowUsers linux myadmin
Now only linux and myadmin have direct SSH access to my server.
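Putting the three settings above together, here is an added POSIX shell script (not from the original post) that audits an sshd_config for Port, PermitRootLogin and AllowUsers and reports which are still at the weak values; the function names and the two sample config files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# three settings the post hardens (Port, PermitRootLogin, AllowUsers).
# Function names and the sample configs below are constructed for this example.

# Print the effective value of keyword $1 in config file $2. Blank lines and
# comments are skipped; sshd uses the first occurrence of a keyword, so stop
# at the first match. Keywords are matched case-insensitively, as sshd does.
sshd_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# Report each weak setting; return 0 only when all three are hardened.
audit_sshd_config() {
    cfg=$1; weak=0
    port=$(sshd_value Port "$cfg");            [ -n "$port" ] || port=22
    rootlogin=$(sshd_value PermitRootLogin "$cfg")
    users=$(sshd_value AllowUsers "$cfg")
    if [ "$port" = 22 ]; then
        echo "WEAK: Port is the default 22"; weak=1
    fi
    if [ "$rootlogin" != no ]; then
        echo "WEAK: PermitRootLogin is '${rootlogin:-unset}', not 'no'"; weak=1
    fi
    if [ -z "$users" ]; then
        echo "WEAK: no AllowUsers line; every account may log in over SSH"; weak=1
    fi
    [ "$weak" -eq 0 ] && echo "OK: Port=$port PermitRootLogin=$rootlogin AllowUsers=$users"
    return "$weak"
}

# Constructed sample configs: the defaults the post starts from, and the
# hardened result of following it ($1 = output path).
write_weak_config() {
    printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin yes' > "$1"
}
write_hardened_config() {
    printf '%s\n' 'Port 2000' '  permitrootlogin no' 'AllowUsers linux myadmin' > "$1"
}

# Stand-alone demo: audit the weak config, then the hardened one.
tmp=$(mktemp); write_weak_config "$tmp"; audit_sshd_config "$tmp" || true
write_hardened_config "$tmp"; audit_sshd_config "$tmp"; rm -f "$tmp"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; note that it reads only that one file, not any Include'd drop-in directories.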
ssh logfile
SSH logs to /var/log/secure. To see the latest sshd entries:
grep sshd /var/log/secure | tail
scp and rsync
Both are used for transferring data from one system to another.
Copy a local file or directory to a remote system
[localhost]#scp -r /local/directory remote_username@10.10.0.2:/remote/directory
Copy a Remote File to a Local System
[localhost]#scp remote_username@10.10.0.2:/remote/file.txt /local/directory
Copy a local directory to a remote system with rsync
rsync -r /local/directory remote_username@10.10.0.2:/remote/directory