Throughout this document I will have <keywords> encapsulated in brackets. Substitute what the keyword is for the appropriate value. For instance <username>@localhost would become erm@localhost, or whatever your username is.<\/p>\n
Cliffnotes version commands:<\/p>\n
Install open ssh: Backup ssh config: Edit \/etc\/ssh\/sshd_config: Enable sftp: Restart ssh: Test your server: Test your connection: Log out of ssh: Install denyhosts: Backup denyhosts config: Edit denyhosts config: Edit lines: Restart denyhosts: Get your remote ip: Get your lan\/local ip: Login via remote computer from inside lan: Login via remote computer from outside lan: <\/p>\n Here’s the long drawn out version:<\/p>\n Install openssh. All system wide ssh related files are located in Before you start editing your sshd_config file it’s always a good idea to backup. This will create a backup of your current config file. The end result will look like \/etc\/ssh\/sshd_config.YYYY-MM-DD.bak so you can easily sudo cp it back if you need to. When editing config files it’s always a good idea to comment out the original values, and then add a date. You could also add your initials if you think someone else might come along and change it. There’s also the advantage of telling your future self what it was, and why you changed it. It’s always better than coming along and asking yourself WTF was I thinking?! Some server admins even go as far as to using a version control system. Make sure this line is present and doesn’t have a # in front of it. Restart ssh so the changes take affect: If you don’t know what your username is you can execute: By default ssh is on port 22. Test the connection (this will ask you to enter your password.): If this works you will have a connection to your local host via ssh.<\/p>\n To test if you are in-fact logged in via ssh you can execute the following: The output will look something like this: Quick Tip: You can press ctrl+d on an empty command line to quickly logout. This is the equivalent of typing: You may not need denyhosts if you’re using ssh to connect from within your lan.<\/strong> However if you are opening up port 22 and forwarding it to a computer inside your lan you most definitely should. In fact if you don’t install denyhosts or fail2ban you’re pretty much doing the equivalent of putting a sign outside your house\/apartment that says “I’ll buy anything”.<\/p>\n Install denyhosts. It’s very important to note that denyhosts is a double edged sword. Too many failed login attempts and you lock yourself out.<\/strong> The good news is this also keeps pesky bots\/crackers from entering the wrong username\/password too many times. Which will save you bandwidth. Your desired configuration may vary, but I’ll go over my configuration. The configuration for denyhosts is located in Backup denyhosts.conf like we did before with sshd_config To edit the config file you can use vi, vim, nano, emacs or my favourite gedit. For the sake of ease of use I’ll use nano. If you get a message stating <editor> isn’t installed you can install it with: I don’t like people trying to crack into my server. I think if they are willing to try and hack my ssh port with a dictionary attack, then they are going to do the same to try other attacks as well. So no http, no imap. Nothing. I’m not going to talk to that client any more. You might not be willing to take the risk, but I say it’s too much of a risk not to completely block them. I have a pretty complex password, and I think 5 times is enough to get it right. NEVER<\/strong> log into your root account via ssh. Login as yourself, then run Now this next setting I decided to compromise a little convenience for security. So if I get a successful login it resets the bad login count. As I stated before you should read over the config file. One nice thing about denyhosts is the creator added a community driven db. So any time you deny a host you can opt-in to send the ip address to the denyhosts community and share that info. You can also get the list of ips of recent attackers on other machince. This of course can come at a price, and people could report your ip then you’ll get locked out of your own system. I haven’t had a problem so I have those options enabled.<\/p>\n Now that you’re done you need to restart the denyhosts to load the new settings. Both of those commands do exactly the same thing, the difference is I like using Now that we have denyhosts setup you need to log into your router and forward all port 22 traffic to the machine you just installed ssh on. The easiest way to learn how to do that is go to google type in the make & model of your router and the keywords “port forward”. Due to the diversity of routers in the world I’m not going to cover that here. As stated before, if you’re using ssh to connect to 2 machines inside the lan you can skip installing denyhosts and forwarding your ip.<\/p>\n Before we continue I should probably tell you about ip addresses. The machine you’re currently on is always 127.0.0.1. This is called “localhost”. Lan ip ranges are as follows: I have never once ran into a router that used any ip ranges that didn’t start with The next step is to determine your ip address. To determine what your ip address is to the rest of the world visit ipchicken.com<\/a> or whatismyip.com<\/a><\/p>\n To determine what your ip address is on the lan you can use the command ifconfig<\/strong>. To only display important lines I’ve added a grep. You should run ifconfig without the grep. This ifconfig comes from my netbook. I have 4 different ethernet “nics” on\/in it. One is built in eth0 and the other one is a usb dongle eth1. lo is a loopback for localhost, and wlan0 is my wireless card. My wireless card is disabled so it doesn’t show an ip. I use my netbook as a router\/server of sorts. So I can run Just looking at the ip addresses I can tell which is local, lan or net. 69.145.29.50<\/strong> is what the rest of the world accesses my netbook, and it uses the interface eth0<\/strong>.<\/p>\n 10.1.3.1<\/strong> is my eth1’s ip. This is the ip I use to connect from inside the lan. In your case it’s most likely prefixed with 192.168. 69.145.29.50<\/strong> is my eth-‘s ip. This is the ip I use to connect from outside the lan. If you don’t have a static ip address it can change at any time. So you’ll need to setup up dynamic dns or visit whatismyip.com\/<\/a>ipchicken.com<\/a> to discover what your outside ip is. You could pay your isp for a static ip. Keep in mind setting up a dynamic dns may be in violation of your ISP’s TOS. The first thing you should do is open a terminal window\/tab and run this: The next thing you should do is open up another tab\/terminal and restart your ssh server. Check that the ethernet cord is connected. No seriously get up, and make sure that ethernet cord is connected. No I know you have it connected, but seriously check it. You didn’t check it did you. Get up check it. Then restart your server.<\/p>\n Check ifconfig. Is the ip you’re trying to connect to listed? If not you need to restart your network
\n$ sudo apt-get install openssh-server<\/code><\/p>\n
\n$ sudo cp \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config.`date +%Y-%m-%d`.bak <\/code><\/p>\n
\n $ sudo nano \/etc\/ssh\/sshd_config<\/code><\/p>\n
\nSubsystem sftp \/usr\/lib\/openssh\/sftp-server<\/code>
\n*save*<\/p>\n
\n$ sudo \/etc\/init.d\/ssh restart<\/code>
\nOR<\/b>
\n$ sudo service ssh restart<\/code><\/p>\n
\n$ ssh <username>@localhost<\/code><\/p>\n
\n$ echo $SSH_CLIENT<\/code><\/p>\n
\n$ <ctrl+d> <\/code>
\nOR<\/strong>
\n$ exit <\/code><\/p>\n
\n$ sudo apt-get install denyhosts <\/code><\/p>\n
\n$ sudo cp \/etc\/denyhosts.conf \/etc\/denyhosts.conf.`date +%Y-%m-%d`.bak <\/code><\/p>\n
\n$ sudo nano \/etc\/denyhosts.conf <\/code><\/p>\n
\nBLOCK_SERVICE = ALL<\/code>
\nDENY_THRESHOLD_INVALID = 5<\/code>
\nDENY_THRESHOLD_RESTRICTED = 1<\/code>
\nRESET_ON_SUCCESS = yes<\/code>
\n*save*<\/p>\n
\n$ sudo \/etc\/init.d\/denyhosts restart<\/code>
\nOR<\/strong>
\n$ sudo service denyhosts restart<\/code><\/p>\n
\nVisit: ipchicken.com<\/a> or whatismyip.com<\/a><\/p>\n
\n$ ifconfig<\/code><\/p>\n
\n$ ssh <username>@<localip><\/code><\/p>\n
\n$ ssh <username>@<remoteip><\/code><\/p>\n
\n
\n$ sudo apt-get install openssh-server<\/code><\/p>\n\/etc\/ssh\/<\/code>.<\/p>\n
\n$ sudo cp \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config.`date +%Y-%m-%d`.bak <\/code><\/p>\n
\n
\n# Original value:
\n# VALUE = 0
\n#########
\n# Changed: 2012-08-27 ERM
\n# Notes on why you changed it. So someone else doesn't come
\n# along and undo your changes.
\n# ADD SOME CAPS IF YOU'RE REALLY SERIOUS ABOUT IT.
\n#########
\nVALUE = 1
\n<\/code>
\n$ sudo nano \/etc\/ssh\/sshd_config<\/code><\/p>\n
\nSubsystem sftp \/usr\/lib\/openssh\/sftp-server<\/code>
\n*save*<\/p>\n
\n$ sudo \/etc\/init.d\/ssh restart<\/code>
\nOR<\/b>
\n$ sudo service ssh restart<\/code><\/p>\n
\n$ echo $USER<\/code><\/p>\n
\n$ ssh <username>@localhost<\/code><\/p>\n
\n$ echo $SSH_CLIENT<\/code><\/p>\n
\n127.0.0.1 33493 22<\/code>
\nThat means your connected from 127.0.0.1 (localhost).<\/p>\n
\n$ exit<\/code><\/p>\n
\n$ sudo apt-get install denyhosts<\/code><\/p>\n\/etc\/denyhosts.conf<\/code> read it.<\/strong> There are a lot of options, and I’m not going to go into them here. It’s your job to make sure your system is secure.<\/p>\n
\n$ sudo cp \/etc\/denyhosts.conf \/etc\/denyhosts.conf.`date +%Y-%m-%d`.bak<\/code><\/p>\n
\n$ sudo nano \/etc\/denyhosts.conf <\/code><\/p>\n
\n$ sudo apt-get install <editor><\/code><\/p>\n
\nBLOCK_SERVICE = ALL<\/code><\/p>\n
\nDENY_THRESHOLD_INVALID = 5<\/code><\/p>\n$ sudo su -<\/code> to become root. For the most part I don’t do that unless I know I’m going to need it usually I run $ sudo <command><\/code> So if someone tries to log in as root. Instaband for even 1 failed attempt.
\nDENY_THRESHOLD_RESTRICTED = 1<\/code><\/p>\n
\nRESET_ON_SUCCESS = yes<\/code><\/p>\n
\n$ sudo \/etc\/init.d\/denyhosts restart<\/code>
\nor<\/strong>
\n$ sudo service denyhosts restart<\/code><\/p>\n$ sudo \/etc\/init.d\/denyhosts restart<\/code> and I get a lot of warnings … “you no should do” … “you use service!” So in the spirit of doing things the “right” way I figured I better mention the service<\/code> command in hopes that it future proofs this tutorial.<\/p>\n
\n
\n10.0.0.0 - 10.255.255.255
\n172.16.0.0 - 172.31.255.255
\n192.168.0.0 - 192.168.255.255
\n<\/code><\/p>\n192.168<\/code>. Bottom line remember 192.168<\/code> it’s lan.<\/p>\n$ ifconfig<\/code> to get all your interfaces.
\n
\n$ ifconfig | grep 'eth\\|wlan\\|inet addr\\:\\|lo'
\neth0<\/strong> Link encap:Ethernet HWaddr 00:23:8b:8b:7c:7b
\ninet addr:69.145.29.50<\/strong> Bcast:69.145.29.51 Mask:255.255.255.252
\neth1<\/strong> Link encap:Ethernet HWaddr 68:7f:74:2b:60:29
\ninet addr:10.1.3.1<\/strong> Bcast:10.1.3.255 Mask:255.255.255.0
\nlo<\/strong> Link encap:Local Loopback
\ninet addr:127.0.0.1<\/strong> Mask:255.0.0.0
\nwlan0<\/strong> Link encap:Ethernet HWaddr 00:24:2b:bf:fc:5a
\n<\/code><\/p>\n$ sudo iftop -i eth0<\/code> and $ sudo iftop -i eth1<\/code> and a transparent proxy with dansguardian.<\/p>\n
\nssh <username>@<localip><\/code><\/p>\n
\nssh <username>@<remoteip><\/code><\/p>\nTroubleshooting:<\/h2>\n
\n$ sudo tail -f \/var\/log\/syslog<\/code>
\nThis will show you any login attempts, and any other errors.<\/p>\n
\n$ sudo service ssh restart<\/code>
\nYou should see it restart in the other window that you issued the tail -f command in.<\/p>\n$ sudo service networking restart <\/code> or click “Auto Ethernet” from your trusty network applet. Then restart the server.<\/p>\n