Friday, July 1, 2011

SSH Daemon (or Setting up a SSH server)

The SSH daemon (sshd) is the server side of SSH: it listens for incoming connections and handles each one.


To install ssh daemon in Ubuntu:
sudo apt-get install openssh-server


Assuming the OpenSSH client is already installed as well, run
ssh localhost
to check whether the daemon is working properly.


To start the server
sudo /etc/init.d/ssh start


To stop the server
sudo /etc/init.d/ssh stop


To restart the server
sudo /etc/init.d/ssh restart


To remove the SSH server from an Ubuntu machine
sudo apt-get remove openssh-server



Now let's change some operational parameters.
Don't forget to keep a backup of the original config file /etc/ssh/sshd_config before editing it.


By default, the SSH server listens on port 22. You may want to change the port for safety reasons.
To do so, open the /etc/ssh/sshd_config file, look for the line Port 22, change it to Port <desired number>, and restart the sshd server.


It is advisable not to allow root login. To do this, set PermitRootLogin no in the same file.


Make sure the line Protocol 2 is present in the same file: SSH-1 is susceptible to man-in-the-middle attacks and has other security vulnerabilities, so the obsolete SSH-1 protocol is best avoided.


Add AllowUsers user1 user2 user3 to the config file to allow only the listed users to log in to the system over SSH. Alternatively, if you want to allow every user except certain ones, use DenyUsers user1 user2.
AllowGroups and DenyGroups provide the same control at the group level.


To disconnect a user after a certain period of idleness, add ClientAliveInterval <time in seconds> and ClientAliveCountMax <number of keepalive messages the server may send without receiving a reply before it disconnects the client>.
For example
ClientAliveInterval 600
ClientAliveCountMax 0
The server will wait 600 seconds and then disconnect the user without sending any warning message.

Set IgnoreRhosts yes in the config file so that the .rhosts trust files used by the insecure RSH are ignored for login.

With host-based authentication, any user on a trusted host can log into another host (as the same username) on which this feature is enabled. To disable host-based authentication, set HostbasedAuthentication no in the config file.

Set PermitEmptyPasswords no in the config file to disallow logins with empty passwords.

To restrict which address the SSH server binds to, add ListenAddress <ip address> to the config file.
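As an added example (not part of the original post): a small POSIX shell script that applies the sshd_config settings above without duplicating directives, keeps the backup the post recommends, and asks sshd to parse the result before a restart. The directive values are the ones from the post; the file path and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the sshd_config
# directives discussed above without duplicating lines, keeps a backup,
# and syntax-checks the result before sshd is restarted.

# set_sshd_option FILE KEY VALUE
# Rewrites an existing "KEY ..." line (even a commented-out one) to
# "KEY VALUE", or appends the line if the directive is absent.
# VALUE must not contain sed-special characters such as & or |.
# Caveat: an appended line lands at the end of FILE; if FILE ends in a
# Match block, the directive would then apply only to that block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" \
            "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Prints the value of the first active (uncommented) KEY line, or nothing.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE
# Applies the settings from the post. FILE.orig is written once as the
# backup the post asks for. Note: the meaning of ClientAliveCountMax 0
# has changed across OpenSSH releases; check sshd_config(5) for yours.
harden_sshd_config() {
    f=$1
    [ -f "$f.orig" ] || cp "$f" "$f.orig"
    set_sshd_option "$f" Protocol 2
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" IgnoreRhosts yes
    set_sshd_option "$f" HostbasedAuthentication no
    set_sshd_option "$f" ClientAliveInterval 600
    set_sshd_option "$f" ClientAliveCountMax 0
}

# check_sshd_config FILE
# Asks sshd to parse FILE; a bad directive here would otherwise leave you
# locked out after the restart. Needs root and the host keys present.
check_sshd_config() {
    sshd -t -f "$1"
}
```

Typical use on the real file, as root: harden_sshd_config /etc/ssh/sshd_config, then check_sshd_config /etc/ssh/sshd_config, and only if that succeeds restart the server as shown earlier.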

Please share other helpful info in the comments so that we can all learn from each other.
