Aug 28

How to setup an sftp/ssh server with denyhosts on ubuntu

Tag: Linux,tutorialerm @ 2:50 am

Throughout this document I will have <keywords> encapsulated in brackets. Substitute what the keyword is for the appropriate value. For instance <username>@localhost would become erm@localhost, or whatever your username is.

Cliffnotes version commands:

Install open ssh:
$ sudo apt-get install openssh-server

Backup ssh config:
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +%Y-%m-%d`.bak

Edit /etc/ssh/sshd_config:
$ sudo nano /etc/ssh/sshd_config

Enable sftp:
Subsystem sftp /usr/lib/openssh/sftp-server
*save*

Restart ssh:
$ sudo /etc/init.d/ssh restart
OR
$ sudo service ssh restart

Test your server:
$ ssh <username>@localhost

Test your connection:
$ echo $SSH_CLIENT

Log out of ssh:
$ <ctrl+d>
OR
$ exit

Install denyhosts:
$ sudo apt-get install denyhosts

Backup denyhosts config:
$ sudo cp /etc/denyhosts.conf /etc/denyhosts.conf.`date +%Y-%m-%d`.bak

Edit denyhosts config:
$ sudo nano /etc/denyhosts.conf

Edit lines:
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_RESTRICTED = 1
RESET_ON_SUCCESS = yes
*save*

Restart denyhosts:
$ sudo /etc/init.d/denyhosts restart
OR
$ sudo service denyhosts restart

Get your remote ip:
Visit: ipchicken.com or whatismyip.com

Get your lan/local ip:
$ ifconfig

Login via remote computer from inside lan:
$ ssh <username>@<localip>

Login via remote computer from outside lan:
$ ssh <username>@<remoteip>


Here’s the long drawn out version:

Install openssh.
$ sudo apt-get install openssh-server

All system wide ssh related files are located in /etc/ssh/.

Before you start editing your sshd_config file it’s always a good idea to backup. This will create a backup of your current config file. The end result will look like /etc/ssh/sshd_config.YYYY-MM-DD.bak so you can easily sudo cp it back if you need to.
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +%Y-%m-%d`.bak

When editing config files it’s always a good idea to comment out the original values, and then add a date. You could also add your initials if you think someone else might come along and change it. There’s also the advantage of telling your future self what it was, and why you changed it. It’s always better than coming along and asking yourself WTF was I thinking?! Some server admins even go as far as to using a version control system.

# Original value:
# VALUE = 0
#########
# Changed: 2012-08-27 ERM
# Notes on why you changed it. So someone else doesn't come
# along and undo your changes.
# ADD SOME CAPS IF YOU'RE REALLY SERIOUS ABOUT IT.
#########
VALUE = 1

$ sudo nano /etc/ssh/sshd_config

Make sure this line is present and doesn’t have a # in front of it.
Subsystem sftp /usr/lib/openssh/sftp-server
*save*

Restart ssh so the changes take affect:
$ sudo /etc/init.d/ssh restart
OR
$ sudo service ssh restart

If you don’t know what your username is you can execute:
$ echo $USER

By default ssh is on port 22. Test the connection (this will ask you to enter your password.):
$ ssh <username>@localhost

If this works you will have a connection to your local host via ssh.

To test if you are in-fact logged in via ssh you can execute the following:
$ echo $SSH_CLIENT

The output will look something like this:
127.0.0.1 33493 22
That means your connected from 127.0.0.1 (localhost).

Quick Tip: You can press ctrl+d on an empty command line to quickly logout. This is the equivalent of typing:
$ exit

You may not need denyhosts if you’re using ssh to connect from within your lan. However if you are opening up port 22 and forwarding it to a computer inside your lan you most definitely should. In fact if you don’t install denyhosts or fail2ban you’re pretty much doing the equivalent of putting a sign outside your house/apartment that says “I’ll buy anything”.

Install denyhosts.
$ sudo apt-get install denyhosts

It’s very important to note that denyhosts is a double edged sword. Too many failed login attempts and you lock yourself out. The good news is this also keeps pesky bots/crackers from entering the wrong username/password too many times. Which will save you bandwidth. Your desired configuration may vary, but I’ll go over my configuration. The configuration for denyhosts is located in /etc/denyhosts.conf read it. There are a lot of options, and I’m not going to go into them here. It’s your job to make sure your system is secure.

Backup denyhosts.conf like we did before with sshd_config
$ sudo cp /etc/denyhosts.conf /etc/denyhosts.conf.`date +%Y-%m-%d`.bak

To edit the config file you can use vi, vim, nano, emacs or my favourite gedit. For the sake of ease of use I’ll use nano.
$ sudo nano /etc/denyhosts.conf

If you get a message stating <editor> isn’t installed you can install it with:
$ sudo apt-get install <editor>

I don’t like people trying to crack into my server. I think if they are willing to try and hack my ssh port with a dictionary attack, then they are going to do the same to try other attacks as well. So no http, no imap. Nothing. I’m not going to talk to that client any more. You might not be willing to take the risk, but I say it’s too much of a risk not to completely block them.
BLOCK_SERVICE = ALL

I have a pretty complex password, and I think 5 times is enough to get it right.
DENY_THRESHOLD_INVALID = 5

NEVER log into your root account via ssh. Login as yourself, then run $ sudo su - to become root. For the most part I don’t do that unless I know I’m going to need it usually I run $ sudo <command> So if someone tries to log in as root. Instaband for even 1 failed attempt.
DENY_THRESHOLD_RESTRICTED = 1

Now this next setting I decided to compromise a little convenience for security. So if I get a successful login it resets the bad login count.
RESET_ON_SUCCESS = yes

As I stated before you should read over the config file. One nice thing about denyhosts is the creator added a community driven db. So any time you deny a host you can opt-in to send the ip address to the denyhosts community and share that info. You can also get the list of ips of recent attackers on other machince. This of course can come at a price, and people could report your ip then you’ll get locked out of your own system. I haven’t had a problem so I have those options enabled.

Now that you’re done you need to restart the denyhosts to load the new settings.
$ sudo /etc/init.d/denyhosts restart
or
$ sudo service denyhosts restart

Both of those commands do exactly the same thing, the difference is I like using $ sudo /etc/init.d/denyhosts restart and I get a lot of warnings … “you no should do” … “you use service!” So in the spirit of doing things the “right” way I figured I better mention the service command in hopes that it future proofs this tutorial.

Now that we have denyhosts setup you need to log into your router and forward all port 22 traffic to the machine you just installed ssh on. The easiest way to learn how to do that is go to google type in the make & model of your router and the keywords “port forward”. Due to the diversity of routers in the world I’m not going to cover that here. As stated before, if you’re using ssh to connect to 2 machines inside the lan you can skip installing denyhosts and forwarding your ip.

Before we continue I should probably tell you about ip addresses. The machine you’re currently on is always 127.0.0.1. This is called “localhost”. Lan ip ranges are as follows:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

I have never once ran into a router that used any ip ranges that didn’t start with 192.168. Bottom line remember 192.168 it’s lan.

The next step is to determine your ip address. To determine what your ip address is to the rest of the world visit ipchicken.com or whatismyip.com

To determine what your ip address is on the lan you can use the command ifconfig. To only display important lines I’ve added a grep. You should run ifconfig without the grep. $ ifconfig to get all your interfaces.

$ ifconfig | grep 'eth\|wlan\|inet addr\:\|lo'
eth0 Link encap:Ethernet HWaddr 00:23:8b:8b:7c:7b
inet addr:69.145.29.50 Bcast:69.145.29.51 Mask:255.255.255.252
eth1 Link encap:Ethernet HWaddr 68:7f:74:2b:60:29
inet addr:10.1.3.1 Bcast:10.1.3.255 Mask:255.255.255.0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
wlan0 Link encap:Ethernet HWaddr 00:24:2b:bf:fc:5a

This ifconfig comes from my netbook. I have 4 different ethernet “nics” on/in it. One is built in eth0 and the other one is a usb dongle eth1. lo is a loopback for localhost, and wlan0 is my wireless card. My wireless card is disabled so it doesn’t show an ip. I use my netbook as a router/server of sorts. So I can run $ sudo iftop -i eth0 and $ sudo iftop -i eth1 and a transparent proxy with dansguardian.

Just looking at the ip addresses I can tell which is local, lan or net. 69.145.29.50 is what the rest of the world accesses my netbook, and it uses the interface eth0.

10.1.3.1 is my eth1’s ip. This is the ip I use to connect from inside the lan. In your case it’s most likely prefixed with 192.168.
ssh <username>@<localip>

69.145.29.50 is my eth-‘s ip. This is the ip I use to connect from outside the lan. If you don’t have a static ip address it can change at any time. So you’ll need to setup up dynamic dns or visit whatismyip.com/ipchicken.com to discover what your outside ip is. You could pay your isp for a static ip. Keep in mind setting up a dynamic dns may be in violation of your ISP’s TOS.
ssh <username>@<remoteip>

Troubleshooting:

The first thing you should do is open a terminal window/tab and run this:
$ sudo tail -f /var/log/syslog
This will show you any login attempts, and any other errors.

The next thing you should do is open up another tab/terminal and restart your ssh server.
$ sudo service ssh restart
You should see it restart in the other window that you issued the tail -f command in.

Check that the ethernet cord is connected. No seriously get up, and make sure that ethernet cord is connected. No I know you have it connected, but seriously check it. You didn’t check it did you. Get up check it. Then restart your server.

Check ifconfig. Is the ip you’re trying to connect to listed? If not you need to restart your network $ sudo service networking restart or click “Auto Ethernet” from your trusty network applet. Then restart the server.

Check /etc/hosts.deny is the ip you’re trying to connect from listed? If it’s listed you entered the wrong password too many times. Here are instructions on how to remove them.
$ sudo grep <clientip> /etc/hosts.deny

Another issue I’ve ran into in the past is I have both a wireless and a wired connection. This causes havoc with the routing. Choose one or the other. Usually I have wireless off. Wired is so much more reliable. I only enable wireless on devices that need it like a tablet, or a phone. This will help keep wifi congestion down to a minimum. To make sure ssh is listening on both interfaces you can:
$ sudo nano /etc/ssh/ssh_config
Add/Edit:
Host *
*save*
Then restart your ssh server.
$ sudo service ssh restart
Even with that enabled there is no guarantee you’ll be able to connect to the ssh server on both your wired & wireless ips.

Leave a Reply

You must be logged in to post a comment.