ssh - Secure Shell

Tested on CentOS 7


ssh, or Secure Shell, is a cryptographic network protocol used to log onto remote systems securely. ssh was designed as a replacement for Telnet and for other unsecured remote shell protocols. It is the most common way to access remote Linux servers.

It can be used to log into a Linux server from another Linux server using the ssh command. It can also be used from any computer that runs ssh-compatible terminal emulation software, such as the PuTTY client.


Running the ssh server


The ssh service is probably already running on your Linux server. Use the systemctl status command to see whether it is running:

# systemctl status sshd.service

output:

● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since 2015-11-21 09:32:37 EST; 1h 22min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 9434 (sshd)
   CGroup: /system.slice/sshd.service
           └─9434 /usr/sbin/sshd -D

Nov 21 11:55:21 localhost.localdomain sshd[11234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0...=root
Nov 21 11:55:26 localhost.localdomain sshd[11236]: Accepted password for username from 99.99.226.96 port 61586 ssh2
tty=ssh ...=root
...
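The tail of the systemctl output shows the two kinds of lines worth watching in the sshd log: "Accepted ..." for successful logins and authentication failures for everything else. The following is an added example, not part of the original page, that summarises such lines per source address. The log lines are constructed here (reusing the page's username and 99.99.226.96 plus TEST-NET addresses) so the script runs offline; on a CentOS 7 host you would pipe in /var/log/secure or the output of journalctl -u sshd instead.

```shell
#!/bin/sh
# Added example (not from the original page): summarise sshd authentication
# events from log lines in the same format as the systemctl output above.
# SAMPLE_LOG is constructed so the script runs offline; on a real host feed
# /var/log/secure (CentOS 7) or `journalctl -u sshd` to the functions instead.

SAMPLE_LOG='Nov 21 11:55:21 localhost.localdomain sshd[11234]: Failed password for root from 203.0.113.7 port 51122 ssh2
Nov 21 11:55:22 localhost.localdomain sshd[11234]: Failed password for root from 203.0.113.7 port 51122 ssh2
Nov 21 11:55:24 localhost.localdomain sshd[11235]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Nov 21 11:55:25 localhost.localdomain sshd[11237]: Failed password for username from 198.51.100.9 port 44010 ssh2
Nov 21 11:55:26 localhost.localdomain sshd[11236]: Accepted password for username from 99.99.226.96 port 61586 ssh2
Nov 21 11:55:40 localhost.localdomain sshd[11240]: Accepted publickey for username from 192.168.1.20 port 40012 ssh2'

# Every function below reads log lines on stdin.

# ssh_failures_by_source: prints "<count> <ip>" per source address, busiest first
ssh_failures_by_source() {
    grep 'Failed password for ' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# ssh_failed_count_for_ip <ip>: number of failed password attempts from exactly that ip
ssh_failed_count_for_ip() {
    awk -v ip="$1" '
        /Failed password for / { for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) == ip) n++ }
        END { print n + 0 }'
}

# ssh_root_failures: failed password attempts against the root account specifically
ssh_root_failures() {
    grep -c 'Failed password for root from ' || true   # grep -c prints 0 on no match
}

# ssh_accepted_logins: prints "<user> <ip> <method>" for each successful login
ssh_accepted_logins() {
    grep 'Accepted ' |
        awk '{ for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") h = $(i+1) }
               print u, h, $7 }'
}

echo "failed password attempts by source:"
printf '%s\n' "$SAMPLE_LOG" | ssh_failures_by_source
echo "attempts against root: $(printf '%s\n' "$SAMPLE_LOG" | ssh_root_failures)"
echo "accepted logins (user ip method):"
printf '%s\n' "$SAMPLE_LOG" | ssh_accepted_logins
```

A source address with many failures and no accepted login is the pattern of password guessing that the PermitRootLogin and AllowUsers settings further down are meant to blunt; any accepted login from an address you do not recognise deserves a closer look.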


If it is not running, start it:

# systemctl start sshd.service

To install the ssh server if it is not already installed:

# yum install openssh-server.x86_64

Once installed, you may want to open the port in the firewall:

# iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT

where:

  • -I = insert a rule
  • INPUT 1 = into the INPUT chain at position 1 (the first rule, so it is checked before any DROP rules)
  • -p tcp --dport 22 -j ACCEPT = accept TCP packets destined for port 22


Testing ssh

If everything is set up, we should be able to connect to the remote IP as user username from another machine:

ssh username@192.168.1.1


The ssh configuration file

To edit the ssh configuration file:

# vi /etc/ssh/sshd_config

If your ssh service is reachable from the internet, you probably want to make sure attackers cannot try to guess your root user's password. To accomplish this, set PermitRootLogin to no. Make sure to set up and test another user first:

PermitRootLogin  no

Other keywords give you some control over who can use ssh. These include:

AllowGroups
AllowUsers
DenyGroups
DenyUsers

Other security considerations

Time allowed to log in:

LoginGraceTime 30s

Change the ssh port number (security by obscurity):

Port 2222

Limit the IP addresses that ssh will listen on:

ListenAddress 192.1.1.4
ListenAddress 192.1.1.5

An idle timeout can be achieved with these settings:

ClientAliveInterval 300
ClientAliveCountMax 0
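The settings above are easy to get subtly wrong in a long sshd_config: sshd uses the first occurrence of a keyword and silently ignores later duplicates, and anything placed after a Match line applies only conditionally. The following is an added example, not part of the original page, that audits a config file for the keywords discussed in this section (PermitRootLogin, AllowUsers/AllowGroups, LoginGraceTime, ClientAliveInterval, ClientAliveCountMax, Port). The two config files are constructed here so the script runs offline; on a real host you would pass /etc/ssh/sshd_config, and sshd -T shows the daemon's own view of the effective settings.

```shell
#!/bin/sh
# Added example (not from the original page): audit the sshd_config keywords
# discussed on this page. The two configs below are constructed so the script
# runs offline; on a real host pass /etc/ssh/sshd_config instead.

# sshd_effective <keyword> <file>
# Prints the effective value of a keyword, or nothing if it is not set.
# sshd uses the FIRST occurrence of a keyword and ignores later duplicates,
# keywords are case-insensitive, and everything after the first "Match"
# line is conditional, so it is deliberately not consulted here.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blanks
        tolower($1) == "match"      { exit }          # stop at conditional blocks
        tolower($1) == key          { print $2; exit }  # first occurrence wins
    ' "$2"
}

# sshd_audit <file>: prints one line per check, returns 1 if anything is weak
sshd_audit() {
    cfg="$1"; rc=0

    v=$(sshd_effective PermitRootLogin "$cfg")
    if [ "$v" = "no" ]; then echo "OK    PermitRootLogin no"
    else echo "WEAK  PermitRootLogin ${v:-unset}: set 'PermitRootLogin no'"; rc=1; fi

    if [ -n "$(sshd_effective AllowUsers "$cfg")$(sshd_effective AllowGroups "$cfg")" ]
    then echo "OK    logins restricted with AllowUsers/AllowGroups"
    else echo "WEAK  no AllowUsers/AllowGroups: any local account may log in"; rc=1; fi

    v=$(sshd_effective LoginGraceTime "$cfg")
    if [ -n "$v" ]; then echo "OK    LoginGraceTime $v"
    else echo "WEAK  LoginGraceTime unset: set e.g. 'LoginGraceTime 30s'"; rc=1; fi

    i=$(sshd_effective ClientAliveInterval "$cfg")
    m=$(sshd_effective ClientAliveCountMax "$cfg")
    if [ -n "$i" ] && [ "$i" != "0" ] && [ -n "$m" ]
    then echo "OK    idle timeout: ClientAliveInterval $i, ClientAliveCountMax $m"
    else echo "WEAK  no idle timeout: set ClientAliveInterval and ClientAliveCountMax"; rc=1; fi

    p=$(sshd_effective Port "$cfg")
    echo "INFO  Port ${p:-22 (default)}"
    return $rc
}

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Constructed: looks like an untouched default; PermitRootLogin only commented out
cat > "$WEAK_CFG" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
Port 22
EOF

# Constructed: the settings from this page applied, plus two traps the audit handles
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin no
# this later duplicate is ignored by sshd: the first occurrence wins
PermitRootLogin yes
AllowUsers username
LoginGraceTime 30s
ClientAliveInterval 300
ClientAliveCountMax 0
Port 2222
ListenAddress 192.1.1.4
# directives after Match are conditional and not part of the global audit
Match Address 192.168.1.10
    PermitRootLogin yes
EOF

echo "== weak config"; sshd_audit "$WEAK_CFG" || echo "   -> findings above need attention"
echo "== hardened config"; sshd_audit "$HARD_CFG" || echo "   -> findings above need attention"
```

The audit stops reading at the first Match line on purpose: a PermitRootLogin yes inside a Match block is a deliberate, scoped exception, and the check is about the global value that applies to everyone else. Compare its output with sshd -T on the host to catch the case where the running daemon was never restarted after the file was edited.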


Using ssh to copy files across networks

scp stands for "secure copy". It is similar to the cp command, except that one or both of the locations may be on a remote system. scp copies files securely between hosts on a network. It uses ssh for data transfer, uses the same authentication, and provides the same security as ssh. scp will ask for passwords or passphrases if they are needed for authentication.


Example

scp /home/backups/daily_backup*.tar.gz username@mysite.com:/home/newbackups

Where:

  • local directory = /home/backups/
  • remote directory = /home/newbackups/
  • remote site = mysite.com
  • user on remote site = username