In the old days of dial-up, Telnet was the preferred network administration tool for managing services. Telnet was a network protocol used for interacting with terminal services that ran on TCP/IP port 23 unencrypted. Unfortunately, it was not secure enough and had to be replaced by its successor SSH Secure Shell. SSH provides two key features that were never implemented in telnet, Public Key Authentication and Transport Layer Protocol. Public key authentication is an alternative means of identifying yourself to the server, instead of typing a password. The Transport Layer Protocol which runs on top of TCP/IP provides strong encryption, server authentication, and integrity protection. I won’t get into too many details of these features but an overview should have a great understanding of why telnet has been replaced by SSH.
Let’s get started.
Installing the Secure Shell Server
Install the required software for your server to provide sshd services : On Fedora distribution Command :
sudo yum install sshd -y On Ubuntu distribution Command :
sudo apt-get install opensshd -y
Managing the SSHD Service :
Once the installation has been complete or we have verified sshd is in the system, we can start the service by using the service command :
service sshd start or
systemctl start sshd.service
We can enable sshd service on start-up by running :
chkconfig sshd on or
systemctl enable sshd.service
Let’s verify the service is actually running :
service sshd status or
systemctl is-active sshd.service
Securing the service :
Provide some security to your sshd server by editing the configuration file located in /etc/ssh/sshd_config.
- Change standard port to 1337 :
- Restrict which users are allowed to access your sshd service :
- Deny access to root login via SSHD :
- Specifies whether pure RSA authentication is allowed. :
- Allow Public Key Authentication :
- Deny access to anyone without a password :
- Specifies the file that contains the public keys for authentication :
- Only enable SSHD Protocol 2, Protocol 1 is less secure :
- Is the service up, verify this with
service sshd status?
- If your service is not up, please do start it :
service sshd start
- Configuration has not set in, reload your service :
service sshd reload
- I cannot connect to my Linux server from outside after I changed the port. :
firewall-cmd --add-port 1337/tcp --permanent&
semanage port -a -t ssh_port_t -p tcp 1337
- Ahh, I am getting brute-forced ! Please help :
iptables -A INPUT -p tcp --dport 1337 -m state --state NEW -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 1337 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 5 --name ssh --resource -j ACCEPT
Quote of The Day :
“Do. Or do not. There is no try.” - Yoda
I wanted to throw a little bit of systemd stuff because it has been adapted to the newer versions of Linux and it is said that we are moving to systemd and removing the older stuff like the ‘service’ command.
If you have any questions or regards please leave me a comment below.
MLA Citations :
- Galbraith, J., and R. Thayer. “RFC 4716 - The Secure Shell (SSH) Public Key File Format.” RFC 4716 - The Secure Shell (SSH) Public Key File Format. N.p., Nov. 2006. Web. June 2016. Website retrieved from: Public Key Authentication
- Ylonen, T., and C. Lonvick. “The Secure Shell (SSH) Transport Layer Protocol.” Network Working Group, Jan. 2006. Web. June 2016. Website retrieved from: Transport Layer Protocol
- Ylonen, T., and C. Lonvick. “RFC 4253 - The Secure Shell (SSH) Transport Layer Protocol.” RFC 4253 - The Secure Shell (SSH) Transport Layer Protocol. Network Working Group, Jan. 06. Web. June 2016. Website retrieved from:Secure Shell
- Ylonen, T., A. Campbell, B. Beck, M. Friedl, N. Provos, T. De Raadt, and D. Song. “Sshd_config – OpenSSH SSH Daemon Configuration File.” OpenBSD Manual Pages. OpenBSD, June 2016. Web. June 2016. Website retrieved from: /etc/ssh/sshd_config
- Postel, J., and J. Reynolds. “Telnet Protocol Specification.” Telnet Protocol Specification. Network Working Group, May 1983. Web. June 2016. Website retrieved from: Telnet