OpenSSH is a suite of network and security utilities based on the Secure Shell (SSH) protocol, which secures communications over the network. Secure communication is achieved through multiple authentication methods.

OpenSSH encrypts all traffic (including passwords) to eliminate connection hijacking and other network-level attacks. Authentication of the network traffic is done using public-key cryptography.

OpenSSH is similar to the original ssh but offers a few additional capabilities. It was developed by the OpenBSD Project and is an advanced version of the original SSH software by Tatu Ylönen, which is now proprietary software.

In general, OpenSSH provides a large suite of secure tunnelling features, several system- and network-level authentication methods, and other advanced configuration options. As mentioned earlier, OpenSSH uses public-key cryptography to authenticate its network traffic.

Installation and Configuration

First, update the Linux package repositories using the following commands:

root@hashroot:/# apt-get update

root@hashroot:/# apt-get upgrade

The OpenSSH server can be installed on Linux distros using the commands below:

Ubuntu : apt-get install openssh-server

CentOS : yum install openssh-server

The commands shown above are for an SSH installation on Ubuntu; it is the same on CentOS except that apt-get is replaced by yum. Once the package is installed, you can use the SSH server configuration file to modify the default options. By default, the configuration file is located at /etc/ssh/sshd_config:

root@advaita:~# ls /etc/ssh/sshd_config

/etc/ssh/sshd_config

The default port that sshd listens on is 22.

You can modify all the basic connection details and authentication methods using the SSH server configuration file sshd_config. Some common SSH hardening steps are described below.

Open the main SSH configuration file /etc/ssh/sshd_config using any text editor available on your Linux distro; I’m using the vi editor. All the required SSH configuration is done via this file.

root@hashroot:/# vi /etc/ssh/sshd_config

Change default Port

To change the default SSH port, find the line that says ‘Port 22’ and change the port number. For example, I will change it to 4444, so that the final entry is as shown below:

Port 4444

Maximum Login Attempts

We will set the maximum authentication attempts allowed per connection to 3. After 3 unsuccessful login attempts, the client is disconnected automatically. This improves the security of your server, as it helps to prevent brute-force attacks. To change the maximum login attempts, find the line that says ‘MaxAuthTries’ and change the value. For example, I will change it to 3, so that the final entry is as shown below:

MaxAuthTries 3

Allow/Deny Users

This option allows only the listed users to log in to the server and denies all other users. Here, I’ll add the ‘zimbra’ user because my Zimbra Mail Server needs access. To accomplish this, add the following line at the end of the main configuration file /etc/ssh/sshd_config:

AllowUsers zimbra

Similarly, you can add any other users that need SSH access to the server.

Disable direct root Login

Direct login to a server as the root user is not recommended on Linux systems. Instead, log in over SSH as a normal user and switch to root only when required. To switch from a normal user to root, use the su command.

Modify the entry as shown below in the main SSH configuration file /etc/ssh/sshd_config to disable direct root login.

PermitRootLogin no

After making changes to the SSH configuration file, restart the sshd daemon so that the changes take effect. Any change to the main configuration file /etc/ssh/sshd_config needs to be followed by an sshd service restart using the following command. Also, make sure to check the service status afterwards as shown below:

root@hashroot:/# service ssh restart

root@hashroot:/# service ssh status
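The four edits above can be scripted so they are applied the same way every time. The following is an added example, not part of the original post: it rewrites the first matching directive (commented-out or live) instead of appending duplicates, reads the effective values back, and offers an sshd -t syntax check to run before the restart. It assumes awk and mktemp are available and demonstrates on a constructed sample file rather than the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post: apply the walkthrough's four hardening
# directives to an sshd_config idempotently and read them back. Assumes awk and mktemp.
# sshd keywords are case-insensitive and sshd honours the FIRST occurrence of a keyword,
# so the first matching line (commented-out or live) is rewritten instead of appending a duplicate.
set -eu

# set_sshd_option FILE KEY VALUE : rewrite the first "Key"/"#Key" line, else append.
set_sshd_option() {
    tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)"; done = 0 }
        !done && tolower($0) ~ re { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }   # caveat: an appended line lands inside a trailing Match block, if any
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"   # cat keeps the owner and mode of the file
}

# get_sshd_option FILE KEY : effective value, i.e. the first uncommented occurrence.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# harden_sshd FILE : the settings from the walkthrough above.
harden_sshd() {
    set_sshd_option "$1" Port 4444
    set_sshd_option "$1" MaxAuthTries 3
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers zimbra      # Linux usernames are case-sensitive
}

# validate_sshd_config FILE : syntax-check with sshd -t before restarting the service.
validate_sshd_config() {
    sshd -t -f "$1"
}
# make_sample_config FILE : constructed stock-style config used for the demo below.
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#MaxAuthTries 6
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Demo on a throw-away copy, never on the live file (run validate_sshd_config on that one).
cfg=$(mktemp); make_sample_config "$cfg"
harden_sshd "$cfg"; harden_sshd "$cfg"      # second run must not add duplicate lines
echo "Port is now $(get_sshd_option "$cfg" Port), AllowUsers $(get_sshd_option "$cfg" AllowUsers)"
rm -f "$cfg"
```

Against a real server, source the file and run harden_sshd /etc/ssh/sshd_config followed by validate_sshd_config /etc/ssh/sshd_config, and only restart sshd once the check passes, since a bad config leaves you unable to open new sessions.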

Logging into SSH

There are many ways to log in to a Linux server using SSH. You can use either a graphical application that supports the SSH protocol or the ssh command-line utility that Linux offers. There are many SSH clients, such as PuTTY, that allow a user to SSH into a server from a Windows client. I’m explaining the command-line utility here.

The command format to connect over SSH is shown below:

ssh user@hostname-or-ip -p <Port Number>

For example, to connect to a remote Linux server with IP address “192.168.1.156” as the user “hashroot” when the SSH port is 4444, use the following command:

ssh hashroot@192.168.1.156 -p 4444

This will prompt for the password of the Linux user “hashroot”. Enter the password for the user “hashroot” on server 192.168.1.156 to log in.

You are now logged in to the remote server using SSH. You can find more hardening steps on the official OpenSSH website https://www.openssh.com/

If you have any queries on configuring OpenSSH, feel free to leave us a message and our representative will get back to you.