I am having trouble installing openssh-server in Ubuntu. Particularly I want to know how to generate RSA public private key pair and the related concepts. What are the modifications to default config files most commonly applied? How to grant root permission to login? How to add firewall?
-
http://askubuntu.com/a/46935/158442, http://askubuntu.com/a/511836/158442, and "Do I have to modify the default configuration file to make the system more secure and stable?" - opinion poll. The entire question is going too broad. – muru Jun 07 '16 at 11:54
-
@muru this question is clearly not duplicate as it asks about how to generate public private key pair and use them to disable password authentication whereas the question referred to asks only about disabling password authentication. It does not say anything about how to secure server using private public key pair after disabling password authentication. Moreover the user also has enquiry about setting up of firewall on server in addition to rsa public private key authentication – rancho Jun 08 '16 at 13:51
-
that's what happens when you post too broad questions and repeatedly change them. – muru Jun 08 '16 at 13:52
-
@muru Actually my intention is not to ask a question at all. I myself tried doing this but faced lots of difficulties as all the details were in numerous webpages and no single reference was there. So I jotted down everything into a single document with the intention to help others. That is why I have also marked it as wiki – rancho Jun 08 '16 at 13:55
-
sorry, but you should stick to one problem per question. This sort of post doesn't belong here, community wiki or not. – muru Jun 08 '16 at 14:02
-
@muru also if you want you can change the question itself as my focus is only on the answer with the intention to help others. You may note that answer to this question has also been given by me only. – rancho Jun 08 '16 at 14:03
-
I could try, but your answer itself deals with ... 3? 4? separate problems. – muru Jun 08 '16 at 14:06
-
@muru in that case if I want to share my knowledge with others where should I post it? – rancho Jun 08 '16 at 14:06
-
here is fine, but please: one problem per post. For example, separate posts on installing SSH, setting up keys, disabling root login, hardening (and you'll find that there are questions on all of these). – muru Jun 08 '16 at 14:08
-
@muru no my answer deals with only one problem, A to Z about secure installation of OpenSSH server on Ubuntu, Just that I am not able to come up with a proper question – rancho Jun 08 '16 at 14:08
-
that itself should tell you something about the nature of your problem. And the A-Z of anything is obviously made up of many things. – muru Jun 08 '16 at 14:09
-
Anyway, I'm done with this argument. It doesn't look like you're willing to understand what went wrong with this post. – muru Jun 08 '16 at 14:10
-
@muru exactly that is what my point is, there are separate posts on everything but no single post that deals with the complete process, and like me others who don't know anything but want to do the installation will have to do a lot of effort. – rancho Jun 08 '16 at 14:11
-
@muru This is the answer I was searching for but unfortunately none could come up with it https://help.ubuntu.com/community/WikiGuide – rancho Jun 08 '16 at 15:17
-
The community wiki is currently in lockdown due to spam. I could have pointed you there, but since you can't create pages there now, it'd have been pointless. – muru Jun 08 '16 at 15:19
1 Answer
Go to terminal and type:
sudo su -
apt-get install openssh-server openssh-client
Test the installation
ps -A | grep sshd
If the output is something like this:
<some number> ? 00:00:00 sshd
Then ssh daemon is running.
Again type in terminal;
ss -lnp | grep sshd
If the output is something like this:
0 128 :::22 :::* users:(("sshd",16893,4))
0 128 *:22 *:* users:(("sshd",16893,3))
Then it means that ssh daemon is listening for incoming connections
Now we edit the configuration file. First we make a backup of the original file.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
Now we open the configuration file to edit it
sudo vim /etc/ssh/sshd_config
Weak passwords are easy to guess. The best practice is to use SSH keys instead of password. So we disable password authentication altogether. Go to the line
#PasswordAuthentication yes
and replace it with
PasswordAuthentication no
Enabling forwarding gives more options to attackers who have already guessed passwords. So we disable it; it gives us a little more security. Go to the lines
AllowTcpForwarding yes
X11Forwarding yes
and replace them with
AllowTcpForwarding no
X11Forwarding no
We can explicitly allow certain users and deny certain users to login. For that we have to put the following lines at the bottom of the config file.
AllowUsers Fred Wilma
DenyUsers Dino Pebbles
For optimal performance of the laptop we allow two pending connections. Between the third and tenth connection the system will start randomly dropping connections, from 30% up to 100% at the tenth simultaneous connection. This can be done with the following line
MaxStartups 2:30:10
To log more error and other useful information we alter the line
LogLevel INFO
into
LogLevel VERBOSE
To scare away novice attackers we can display a banner. We remove the hash from the front of the line
#Banner /etc/issue.net
to make it
Banner /etc/issue.net
Then we go to terminal and type:
sudo -H gedit /etc/issue.net
Then add the notice:
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************
If an IP address tries to connect more than 10 times in 30 seconds, all the following attempts will fail since the connections will be DROPped. The rule is added to the firewall by running a single command in terminal:
sudo ufw limit ssh
Now we save and close the config file and restart ssh by typing in terminal:
systemctl restart ssh
Next we set up SSH keys. There are two keys in an SSH key pair, public and private. Public keys are present on servers and private keys are present with individuals. Only someone who can match his/her private key with the public key can log in. Furthermore, optionally, private keys can be protected by a passphrase. Furthermore, when the keys are generated using 4096-bit encryption it is almost impossible to break them by brute force.
Step one - Create the RSA key pair:
Type in terminal
ssh-keygen -t rsa -b 4096
Here we use 64 bit encryption for more security
Step two - Store the keys and passphrase:
Follow the onscreen instructions: give the desired location for storage of the keys (recommended to accept the default), opt for a passphrase, give a strong passphrase, and remember it.
The screen is something like this:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/demo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/demo/.ssh/id_rsa.
Your public key has been saved in /home/demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
|      .oo.       |
|     . o.E       |
|      + . o      |
|     . = = .     |
|      = S = .    |
|     o + = +     |
|    . o + o .    |
|       . o       |
|                 |
+-----------------+
Step three - Copy the Public Key:
Type in terminal
ssh-copy-id user@123.45.56.78
Here 123.45.56.78 is the server IP address
In case of localhost it is
ssh-copy-id user@localmachinename
The screen is something like this
The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (RSA) to the list of known hosts.
user@12.34.56.78's password:
Now try logging into the machine, with "ssh 'user@12.34.56.78'", and check in:
  ~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Now our installation is complete. To login we need to type in terminal:
ssh username@servername
Then when prompted for passphrase we need to provide it.
Now we enable root login on the OpenSSH server. We first have to enable the root password, as it is disabled in Ubuntu by default.
For that, we type in terminal the following, screen will be something like this:
sudo passwd
[sudo] password for [username]: [Type your user password and press return]
Type new UNIX password: [Type the root password you want]
Retype new UNIX password: [Retype the root password you chosen before]
passwd: password updated successfully
Now we have to edit the /etc/sudoers file.
Here we use the editor called visudo, because visudo exists for the sole purpose of editing the sudoers file.
In Ubuntu, by default, config files are opened by the nano editor. To change it, type in terminal:
sudo update-alternatives --config editor
The following screen will appear:
There are 4 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                 Priority   Status
------------------------------------------------------------
* 0            /bin/nano             40        auto mode
  1            /bin/ed              -100       manual mode
  2            /bin/nano             40        manual mode
  3            /usr/bin/vim.basic    30        manual mode
  4            /usr/bin/vim.tiny     10        manual mode

Press <enter> to keep the current choice[*], or type selection number:
Type 3 and press enter
Then type:
sudo visudo
Move to the line which reads
Defaults env_reset
Press enter
A new line gets created above it. Type:
Defaults rootpw
use spacebar, not TAB
Press Esc --> : + x --> Enter
In terminal type:
gedit /etc/ssh/sshd_config
Move to the line:
PermitRootLogin prohibit-password
and change it to
PermitRootLogin yes
Save and close
Then restart SSH
service ssh restart
Then type in terminal:
ssh-copy-id root@localmachinename
Output screen may show:
The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (RSA) to the list of known hosts.
user@12.34.56.78's password:
Now try logging into the machine, with "ssh 'user@12.34.56.78'", and check in:
  ~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Now we have granted private key access for root to log in. To test, type:
ssh root@localmachine
It will ask for passphrase. Passphrase remains the same. Give it. Now the root will be able to successfully login
Now for more security we have to add a firewall. Type:
apt install ufw
Now start it
ufw enable
Get a list of currently running processes
ufw app list
OpenSSH will be listed there. Allow it through the firewall
ufw allow OpenSSH
Restart firewall
systemctl restart ufw
Our installation is complete
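The sshd_config edits the answer above makes by hand, applied by script and then verified, as an added example that is not part of the original question or answer. It works on whatever file it is given, so it can be tried on a copy of /etc/ssh/sshd_config before the real one; the sample config it writes is constructed for the demonstration and is not a copy of the stock Ubuntu file. Two caveats it is built around: sshd takes the first occurrence of a keyword, and anything placed after a `Match` line applies only to that block, so a setting appended to the bottom of the file can silently do nothing; and `PermitRootLogin prohibit-password` (key-only root) is sshd's own default, used here instead of the `yes` the answer switches to later.

```shell
#!/bin/sh
# Added example (not from the original answer): apply the answer's sshd_config
# settings to a file by script and verify them. Run it on a copy first.
# The sample config written by write_sample_config is constructed.

# sshd uses the FIRST occurrence of a keyword, and everything after a "Match"
# line applies only to that Match block. So a keyword is rewritten in place if
# it is already there (even commented out); otherwise it is inserted just
# before the first active Match line, never appended blindly to the end.
set_sshd_option() {
  # usage: set_sshd_option FILE KEYWORD VALUE
  file=$1; key=$2; value=$3
  tmp="$file.tmp.$$"
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0 }
    !done && $0 ~ "^[ \t]*#?[ \t]*" key "([ \t]|$)" { print key " " value; done = 1; next }
    !done && $0 ~ "^[ \t]*Match([ \t]|$)"            { print key " " value; done = 1 }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

sshd_option_value() {
  # usage: sshd_option_value FILE KEYWORD  -> prints the value sshd would use
  awk -v key="$2" '
    /^[ \t]*Match([ \t]|$)/ { exit }          # global section ends here
    $0 ~ "^[ \t]*" key "[ \t]+" { print $2; exit }
  ' "$1"
}

harden_sshd_config() {
  # usage: harden_sshd_config FILE  (the settings the answer applies by hand)
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" AllowTcpForwarding no
  set_sshd_option "$1" X11Forwarding no
  set_sshd_option "$1" LogLevel VERBOSE
  set_sshd_option "$1" Banner /etc/issue.net
  set_sshd_option "$1" MaxStartups 2:30:10
  # root stays key-only: this is sshd's own default, not the "yes" the answer sets later
  set_sshd_option "$1" PermitRootLogin prohibit-password
}

check_sshd_config() {
  # usage: check_sshd_config FILE  -> exit status 0 when every value is in place
  [ "$(sshd_option_value "$1" PasswordAuthentication)" = no ] &&
  [ "$(sshd_option_value "$1" AllowTcpForwarding)" = no ] &&
  [ "$(sshd_option_value "$1" X11Forwarding)" = no ] &&
  [ "$(sshd_option_value "$1" LogLevel)" = VERBOSE ] &&
  [ "$(sshd_option_value "$1" PermitRootLogin)" = prohibit-password ]
}

write_sample_config() {
  # Constructed sample in the shape of the stock Ubuntu file (not a real copy).
  # The Match block at the end is why appending to the file would be wrong.
  cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
X11Forwarding yes
#Banner none

Match User backup
    PasswordAuthentication yes
EOF
}

# Usage: sh harden_sshd.sh /path/to/copy-of-sshd_config
if [ "$#" -eq 1 ]; then
  harden_sshd_config "$1" && check_sshd_config "$1" && echo "hardened: $1"
fi
```

Before the result replaces the real file, run `sshd -t -f /path/to/copy` to syntax-check it, and keep an existing session open while restarting. Note the order of operations: `ssh-copy-id` logs in with a password, so the key must be copied and a key-based login confirmed before `PasswordAuthentication no` takes effect, otherwise the key can no longer be installed over SSH.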