A more up to date version is available here.
This document is licensed under the Creative Commons Attribution-Share Alike 3.0 license, Unported. You can find the details of this license at http://creativecommons.org/licenses/by-sa/3.0/. Basically, you can copy, redistribute, and modify as long as the resulting work remains licenses under the same license. This a rough summery of the license and can not be legally used. If any conflicts are found between this description and the official license. The official license (the URL above) is considered correct.
Have you ever wanted to access your box over a secured network connection? Do have a normal DSL/Modem connection (Your IP changes each time you reconnect or when ever your ISP feels like it) but want to access it from anywhere without checking what IP address? Do you want to access your PC but you workplace has a firewall that doesn’t allow anything except browsing? Well, your in luck, because this guide shows you how to do just that!
This guide assumes that you have Ubuntu up and running. If you have Debian, you may be able to follow this guide. But if you have other distributions such as SUSE or Fedora, you will need to improvise.
I am using Ubuntu for this guide because most beginner tend to use it. for other distoros, you might need to take a few additional steps to get ssh working in the way you want it such as opening ports/excepting connections and so on. personally i use Archlinux, for other arch users, i recommend this.
Setting up SSH
The software that is used to remotely access your computer is called OpenSSH (open secure shell). but throughout this guide, it will be referred to simply as SSH. To access your PC remotely, you need two programs: A client, which is the software that is used to connect to the server. Ubuntu has a ssh client installed by default. And a server, which runs on the computer you connect to (herein referred to as sshd or ssh daemon). You will need to install this if you want access your PC remotely via ssh.
To install the server software (sshd) on Ubuntu:
sudo apt-get install openssh-server
Type in your password and apt-get will start to download the software and will install it automatically once it has finished.
To test the ssh server, type this at the terminal:
You should get a login prompt indicating that sshd is up and running correctly. If that succeeds, you can go on and try to login from another computer on the same network (nothing that goes through a router/firewall). To login to the server from a deferent computer, type the following:
ssh ?.?.?.? -l username
where ?.?.?.? is the IP address of the computer you are trying to login to. And username is the name of the user you want to use to login with.
Congratulations, you can now control your server from anywhere, as long as you’re connected to the same network the PC is in, or the server is directly connected to the internet (no router, proxy server, or any other network device to hide behind).
Configuring your Router to accept and redirect connections
Unless you plan to use ssh only in your local network, you will need to configure your router to accept connections made to the port the ssh server (sshd) listens to. This port is usually 22. but as you will see later, this port can be changed to any other port to improve security and availability. Since there are countless router manufacturers, it would be imposable to cover each and everyone. And as a result, configuring your router will be left to you. The keywords you will need to search for is port forwarding. Linksys misleadingly calls it “Applications & Gaming”. Just connect to your router by typing its address in your browser. This might be 192.168.1.1 or 192.168.0.1. but it needn’t be one of the two. Just mess around until you find it (assuming that your router supports port forwarding). WARNING: CHANGING ROUTER SETTINGS MIGHT PREVENT YOU FROM ACCESSING THE INTERNET, OR MIGHT PREVENT YOU FROM ACCESSING YOUR ROUTER. PRECEDE WITH CAUSION!
Finding a good Dynamic DNS service
To access your PC from a remote location, you will need to know its address or at least your routers address. This wouldn’t be a problem if you had a static IP. but seeing that most ISPs don’t assign static IPs, you will need to take special measures to insure that you can access your server where you are even if your IP changes. The easiest way to do that is to use a free dynamic domain name service (DNS). There are countless servers available. I have experience with only one service, but that doesn’t mean it’s the best and any DNS service will do. And if you have a domain name (such as example.com) you can also use it but you will need to find a way to update it.
I currently use FreeDNS and have been using it for about 3 months. It provides a good reliable service and has never failed (at least not yet). The downside is that it doesn’t provide official software to automate the process of checking your IP and updating the DNS if required.
Another service that comes highly recommended is www.no-ip.com. This service looks good enough but have never tried it. I would recommend this for beginners. I am considering using it myself if and when FreeDNS fails.
To login using a domain name, simply subtitute the domain name with the IP address. The following should clear things out:
ssh DomainName -l username
where DomainName points to the server you want to connect to.
Modifying SSH to get past any Firewall that allows browsing
SSH uses port 22, this wouldn’t be a problem if you were trying to connect from a private network. But most companies and other institutions have restrictive firewalls that reject connections unless these connections are used to preview web pages. In other words, it only allows HTTP (80) and HTTPS 2(443) are allowed. To get around this problem, set the ssh server to listen to ether port one of the two ports. You should be able to fool the firewall into allowing an ssl connection. I recommend using port 443 since SSH uses the same protocol as SSL (HTTPS).
To do this you will need to modify the sshd configuration file. Also, you will need to type in a few more characters each time you want to connect to the server. To set the ssh server to listen to port 443 (or 80), open the sshd config file located at “/etc/ssh/sshd_config”. Search for the line with the following line:
Add # before the line, and add a new line after it so that the result would look something similar to this:
#Port 22 Port 443
Of course, you can replace 443 with the number of the port you want to use. After changing this, the command you use to login is as follows:
ssh DomainNameOrIP -l username -p Port
Again, make sure to change Port to match what you chose previously. Use 443 if you’ve decided to set it with 443.
Note: if you are running a web server, port 80 is out of the question. Also, if your web server is set to except SSL connections, port 443 is off the table as well.
X Forwarding Through SSH
SSH has a nice feater called X Forwarding. This allows you to run GUI applications on a remote computer and interact with them just as if they were running on your own pct. Although with Ubuntu, you might have some problems with it at first. But once everything has been set up properly, you’ll be glad it’s there.
To enable X forwarding, simply add the two options XC (case sensitive) as shown bellow:
ssh DomainNameOrIP -l username -p Port -XC
Note that C was added to for better network performance. You might run into problems when trying to use X forwarding, namely the authentication file issue. After searching the web, I have found that the best way to solve it is to delete the file and then reconnect. Ether that or you need to login under root. To test it out, type xclock. A small analog clock should appear.
ssh was written to allow people to remotely access computers. Naturally, you don’t want the bad guys to gain access to your computer. Although, ssh comes with some security settings by default, it can still be cracked. To improve security there are several things you can do, this guide will list some of them.
Changing the default port:
The first thing that crackers will probably do is preform a port scan and determine what services your server provides. Note that most of these attacks will be automated (as in scripts). Leaving the the default port unchanged will make it very easy for anyone to find out if your server offers ssh or not. To prevent this unnecessary headache, simply change the port sshd listens to (remember, sshd runs on the server side). You may use a technique called port knocking, but I have no experience with it since I never really needed to use it. To change the port sshd listens to: open “/etc/ssh/sshd_config” and search for the line
Change the port to whatever you like as long as the port your switching to isn’t in use. I suggest using port 80 if you aren’t using the computer as web page server, or use 443 if the computer isn’t set up to accept SSL connections.
This option specifies how many chances you get to enter your password before the connection is dropped. This might be useful to slowdown brute force attacks, but if you detect successive login failures. I would strongly recommend using an alternate authentication method such as keys.
change this to no to prevent anyone who wants to login to your pc under root.
keys can be used to login without typing a letter. With this type of authentication, you can disable interactive login dialogs and therefore destroying any hopes of brute-forcing into your ssh server. I have to admit though, I have yet to use this method. This is primarily because I haven’t seen a single attack so far. But I will probably switch to this type of authentication soon.
Monitoring your server
From time to time, you will need to check on the authentication log to make sure no one is trying to break into your server. To do that, type the following at the server’s terminal:
less /var/log/auth.log | grep ssh | less
This line should display each and every authentication process that has been initiated by sshd. If you see a large number of login failures form unknown address, your server might be under attack. Try changing ports or using ether port knocking or – better yet – keys.
Moving files between server and client
personally I use scp to securely copy my files over the net. scp works in the same way cp does but does so over a secure connection between two separate computers. The syntax of the command is a s follows:
scp -P pornumber source destination
Where: pornumber is the number of the port sshd is listining to (default is 22) source replace this with the path of the file you want to copy. Add ?.?.?.?: in front of the path if the file is on the server side (where ?.?.?.? is the IP Address of the server). And don’t forget the :. destination replace this with the destination of the file(s) you want to copy. It can also have an IP address if you want to copy files to the server.
This guide was intended to glue all the information you might find useful and practical in one place. However, It is not by far the most complete. If you find that one of the sections is not clear enough or just want to learn more, search the net. Or if you want more information on the commands used in this guide, type man followed by the name of the command at the terminal.
4 thoughts on “SSH/openSSH Guide”
Thank you very much for sharing, and for the “easy to follow” instructions.
I really do like those kind of posts.
If u could write longer then this……..pleae do….I mean only this post have taken half the page…..so if u could make it longer it would be nice (all the page not only the half of it )
phunny.. i’ll try harder next time 🙂