If you are managing a Linux server, you may need to remotely access it from time to time. One way to do this securely is to use SSH (Secure Shell). In this beginner’s guide, we will walk you through the steps to configure an SSH server on a Linux server.
What is SSH?
SSH is a secure protocol used for remote access to a server. It provides an encrypted connection between the client and server, making it a secure way to transfer data and execute commands on the server. SSH is often used by system administrators and developers to manage Linux servers and deploy applications.
Step 1: Install SSH server
The first step to configure an SSH server is to ensure that it is installed on your Linux server. Most Linux distributions come with an SSH server installed by default. However, if you are not sure, you can check if the SSH server is installed by running the following command:
sudo systemctl status ssh
If the SSH server is not installed, you can install it using the following command:
sudo apt-get install openssh-server
Step 2: Configure SSH server
Once you have installed the SSH server, you need to configure it to meet your requirements. The SSH server configuration file is located at /etc/ssh/sshd_config.
Before making any changes to the configuration file, it is important to make a backup copy of the original file in case you need to restore it later. You can make a backup copy using the following command:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
Next, open the configuration file using your favorite text editor:
sudo nano /etc/ssh/sshd_config
Here are some common settings that you may want to modify:
- Port: The default SSH port is 22. You can change it to a different port to improve security.
- PermitRootLogin: Set this to no to disable root login via SSH. This is recommended for security reasons.
- PasswordAuthentication: Set this to no to disable password authentication and only allow key-based authentication.
Make the necessary changes to the configuration file and save it. Then, restart the SSH server for the changes to take effect:
sudo systemctl restart ssh
Step 3: Configure firewall
By default, the SSH server listens on port 22. If you have changed the SSH port, you need to update your firewall settings to allow traffic on the new port.
If you are using the UFW firewall, you can open the SSH port using the following command:
sudo ufw allow <port>/tcp
Replace <port> with the new SSH port that you have configured.
Step 4: Generate SSH keys
To connect to the SSH server, you need to have SSH keys. SSH keys are a pair of public and private keys used for authentication. The private key is stored on your local machine, while the public key is stored on the server.
To generate SSH keys, run the following command on your local machine:
ssh-keygen
This will generate a pair of public and private keys in the ~/.ssh directory. If you are prompted to enter a passphrase, you can leave it blank or enter a passphrase for added security.
Step 5: Add SSH public key to the server
Next, you need to add your SSH public key to the server. You can do this by copying the contents of the public key file to the server’s authorized_keys file.
To do this, run the following command on your local machine:
ssh-copy-id user@server
Step 6: Configure the SSH server
Now that OpenSSH is installed, we need to configure it to our liking. The configuration file is located at /etc/ssh/sshd_config. However, it’s recommended to make a copy of the original configuration file before making any changes. This way, you can easily revert to the original configuration if needed. To make a copy, run the following command:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
Next, open the configuration file in a text editor using the following command:
sudo nano /etc/ssh/sshd_config
This will open the configuration file in the nano text editor. You can use any text editor of your choice.
Here are some important settings you may want to modify:
- Port: By default, SSH listens on port 22. It’s a good security practice to change this port to something else, such as 2222. To do this, find the line that says #Port 22 and change it to Port 2222. Remove the # at the beginning of the line to uncomment it.
- PermitRootLogin: By default, the SSH server allows root login. This is a security risk, as it makes it easier for attackers to gain access to your system. It’s recommended to disable root login and use a regular user account instead. Find the line that says PermitRootLogin yes and change it to PermitRootLogin no.
- PasswordAuthentication: By default, SSH allows password authentication. This is less secure than using public key authentication, as passwords can be guessed or intercepted. It’s recommended to disable password authentication and use public key authentication instead. Find the line that says #PasswordAuthentication yes and change it to PasswordAuthentication no. Remove the # at the beginning of the line to uncomment it.
- AllowUsers: By default, the SSH server allows any user with valid credentials to log in. To restrict SSH access to specific users, use the AllowUsers option. For example, if you only want the users alice and bob to be able to log in, add the line AllowUsers alice bob.
After making any changes to the configuration file, save the file and exit the text editor.
Step 7: Restart the SSH server
Finally, to apply the changes you’ve made to the SSH server configuration, you need to restart the SSH server. To do this, run the following command:
sudo systemctl restart sshd
This will restart the SSH server and apply the new configuration settings.
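The edits in Steps 2 and 6 are easy to get subtly wrong, for example by changing a value but leaving the leading # in place. The following script is an added example, not part of the original guide: it reads a configuration file and reports the effective global values of the settings discussed above. The function names and the sample file are constructed for illustration, and it assumes plain whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config-style file
# for the settings changed in Steps 2 and 6. Assumes whitespace-separated
# "Keyword value" lines and reads global settings only (stops at Match).

# Print the effective global value of keyword $1 in file $2. Comments and
# blank lines are skipped, keywords are case-insensitive, and the first
# occurrence wins, because sshd keeps the first value it reads.
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$2"
}

# Print one line per setting and return the number of findings.
audit_sshd_config() {
    findings=0
    port=$(sshd_effective Port "$1")
    root=$(sshd_effective PermitRootLogin "$1")
    pass=$(sshd_effective PasswordAuthentication "$1")
    users=$(sshd_effective AllowUsers "$1")
    echo "Port: ${port:-22 (default)}"
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${root:-not set}', expected 'no'"
        findings=$((findings + 1))
    fi
    if [ "$pass" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '${pass:-not set}', expected 'no'"
        findings=$((findings + 1))
    fi
    echo "AllowUsers: ${users:-not set (no per-user restriction)}"
    return "$findings"
}

# Constructed sample: the Port line is uncommented, but PasswordAuthentication
# was edited without removing the leading '#', so the change has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
permitrootlogin no
#PasswordAuthentication no
AllowUsers alice bob
PermitRootLogin yes
EOF
audit_sshd_config "$sample" || echo "findings: $?"
```

On a live server, sudo sshd -t checks the file's syntax and sudo sshd -T prints the effective configuration, including defaults and included files. Run them before restarting, and keep your current session open until a new login succeeds, so a mistake does not lock you out.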
Step 8: Connect to the SSH Server
Now that your SSH server is configured and running, you can connect to it from your local machine or any other remote device. To connect to the SSH server, you’ll need an SSH client.
For Windows users, you can use popular SSH clients like PuTTY or PowerShell. For macOS and Linux users, you can use the built-in Terminal application.
To connect to the SSH server, open your SSH client and enter the following command:
ssh username@server_ip -p port
Replace username with your username on the server, server_ip with the IP address of your Linux server, and port with the port number you configured in the SSH server’s configuration file (e.g., 2222 if you changed the default port).
If you’re connecting from the same network, you can simply use the IP address of your server. If you’re connecting from a different network, you’ll need to use the public IP address or domain name associated with your server.
When prompted, enter your password or passphrase (if you set one for your SSH key). Once authenticated, you’ll be logged into your Linux server via SSH.
Additional SSH Server Configuration Options
While the steps outlined in this guide cover the basic configuration of an SSH server, there are many additional options you can explore to further enhance security and customize your SSH server setup. Here are a few options you might consider:
- Key-based authentication: Instead of using passwords, you can set up key-based authentication, which is more secure and convenient. This involves generating an SSH key pair on your local machine and adding the public key to the server’s ~/.ssh/authorized_keys file.
- Firewall settings: Configure your firewall to allow SSH traffic on the port you specified for your SSH server. This will help protect your server from unauthorized access.
- Two-factor authentication (2FA): Implementing 2FA adds an extra layer of security to your SSH server by requiring users to provide a second form of authentication, such as a time-based one-time password (TOTP) generated by an authentication app on their mobile device.
- Logging and monitoring: Enable SSH server logging to keep track of SSH connection attempts and monitor for any suspicious activity.
- SSH hardening: Implement additional security measures like disabling certain SSH protocol versions or ciphers, limiting SSH access to specific IP addresses, and more.
Remember to always consult official documentation and best practices when configuring your SSH server, as additional options and security measures may vary depending on your specific Linux distribution and version.
Conclusion
Configuring an SSH server on a Linux server is an essential step in enabling secure remote access. By following the steps outlined in this beginner’s guide, you can set up an SSH server, customize its configuration, and establish secure remote connections to your Linux server.
SSH provides a secure and encrypted way to manage your Linux server remotely, allowing you to execute commands, transfer files, and perform administrative tasks with ease. It’s a powerful tool that every Linux server administrator should be familiar with.
Remember to regularly update your server, follow best security practices, and monitor SSH access to maintain the security and integrity of your Linux server.
Happy remote server administration!