Installing and configuring Openssh on Ubuntu 10.04 (and windows client setup)

The first service that I wanted running on my server (Ubuntu 10.04) is ssh. It makes administration much easier and allows me to run the server headless and administrate it securely from my Windows 7 machine.
SERVER-SIDE
First you will need to install the openssh server:

sudo apt-get install openssh-server

Then you’ll want to stop the service while you configure it:

sudo /etc/init.d/ssh stop

The ssh server configuration is contained in ‘/etc/ssh/sshd_config’. I’m going to first make a copy of the file in my home directory as a backup and then edit the file using nano (use gedit, vi or whatever floats your boat):

sudo cp /etc/ssh/sshd_config ~
sudo nano /etc/ssh/sshd_config

There are a few things that I change immediately.
1. The port number that ssh listens on (default is port 22):

Port 2222

Note: the port-change may not take effect until you have rebooted your system
2. Disable root logins. Once logged in I can execute using super-user privileges by entering the root password, but there is no point just letting anyone who manages to gain access to the system have root privileges:

PermitRootLogin no

3. Add myself as a user permitted to connect:

AllowUsers luis

Note: the AllowUsers value wasn’t in the default config file and so I just added it on the end.
As a matter of personal preference I also reduced the login grace-time:

LoginGraceTime 30
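The four sshd_config edits above, applied by a script to a working copy of the file rather than by hand, as an added example that is not part of the original post. It assumes POSIX sh with GNU sed and grep (what Ubuntu ships); the port 2222 and the username luis are the post's own values, and the sample config inside the demo is constructed. One caveat the script takes care of: sshd uses the first value it reads for a keyword, so simply appending `Port 2222` to a file that still has an active `Port 22` line higher up changes nothing; the old line has to be removed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the sshd_config changes described
# above to a COPY of the file and verify them, instead of hand-editing the live file.
# Assumes POSIX sh with GNU sed/grep (Ubuntu). Values (port 2222, user luis) are the
# post's own; the sample config in demo() is constructed.

# set_directive FILE KEY VALUE
# sshd uses the FIRST value it reads for a keyword, so an active "Port 22" earlier in
# the file would silently win over an appended "Port 2222". Remove every active
# definition first (keyword match is case-insensitive, like sshd's), then append.
set_directive() {
    file=$1; key=$2; value=$3
    sed -i -E "/^[[:space:]]*${key}[[:space:]]/Id" "$file"
    printf '%s %s\n' "$key" "$value" >> "$file"
}

# get_directive FILE KEY -> the value sshd would use (first active definition)
get_directive() {
    grep -Ei "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd_config FILE -> the four changes from the post; refuses files with a
# Match block, because directives appended after "Match" would only apply inside it.
harden_sshd_config() {
    file=$1
    if grep -Eiq '^[[:space:]]*Match[[:space:]]' "$file"; then
        echo "error: $file has a Match block; place the directives above it by hand" >&2
        return 1
    fi
    set_directive "$file" Port 2222
    set_directive "$file" PermitRootLogin no
    set_directive "$file" AllowUsers luis
    set_directive "$file" LoginGraceTime 30
}

# verify_hardening FILE -> 0 only if all four effective values are what we set
verify_hardening() {
    [ "$(get_directive "$1" Port)" = 2222 ] &&
    [ "$(get_directive "$1" PermitRootLogin)" = no ] &&
    [ "$(get_directive "$1" AllowUsers)" = luis ] &&
    [ "$(get_directive "$1" LoginGraceTime)" = 30 ]
}

# syntax_check FILE -> ask sshd itself to parse the copy (needs root to read host keys)
syntax_check() { sshd -t -f "$1"; }

demo() {
    copy=$(mktemp)
    # constructed stand-in for the 10.04 default file: Port and PermitRootLogin are
    # active, LoginGraceTime is commented out, AllowUsers is absent
    cat > "$copy" <<'EOF'
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
#LoginGraceTime 120
EOF
    harden_sshd_config "$copy"
    if verify_hardening "$copy"; then echo "hardened copy OK:"; else echo "verification FAILED:"; fi
    cat "$copy"
    rm -f "$copy"
}
demo
```

Run it as `sh harden_sshd.sh` to see the changes applied to the constructed sample. On a real machine, copy /etc/ssh/sshd_config somewhere writable, run harden_sshd_config on the copy, let sshd parse it with `sudo sshd -t -f copy` (syntax_check above), and only then move it into place and restart the service; that way a typo never leaves you with a server that refuses the next login.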

Now I generate public/private keypairs on the server:

ssh-keygen

choosing to accept the default values provided to generate RSA keys in a hidden folder of my home directory named ~/.ssh
This key generation process will also create the authorized keys file.

CLIENT-SIDE

I use PuTTY on Windows 7 Ultimate (64-bit). Most guides on ssh setup under Ubuntu etc. assume that one is running Ubuntu or some Linux variant on the client-side and so assume certain commands for creation of a private key on the client and sending of that key to the server. However, this won’t work using PuTTY and so we need to download ‘PuTTYgen’ from the PuTTY website:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Run the program and click the ‘generate’ button. It will ask you to move your mouse around to provide sufficiently random data with which to generate the key. Then just choose to ‘save private key’. I chose to generate keys without passwords since I want the convenience of not having to login manually when I want to connect.
Note: this can be insecure if you don’t set your system up correctly.
Do NOT close the program yet.

You should already be able to ssh into the server using PuTTY and a standard password login. So we’ll ssh to the server and execute in a terminal:

cd ~/.ssh
nano authorized_keys

On the client-side I switch back to the still-open PuTTYgen window and copy the public key from the top part of that window and paste it into the terminal in which we are editing the authorized_keys file. Then I save the file in the terminal and exit to a prompt.
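The authorized_keys step above, as an added example that is not from the original post: a small script that installs the one-line key shown in the PuTTYgen window, refuses the multi-line format written by its ‘Save public key’ button (sshd does not accept that format in authorized_keys, and pasting it is a common reason key login silently falls back to a password), skips a key that is already present, and sets the permissions that sshd’s StrictModes expects (700 on ~/.ssh, 600 on the file). It assumes POSIX sh with GNU stat (Ubuntu); the key blob in the demo is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key pasted from the
# PuTTYgen window into authorized_keys safely. Assumes POSIX sh plus GNU stat
# (Ubuntu). The key in demo() is a constructed placeholder, not a real key.

# is_openssh_pubkey LINE -> 0 if LINE looks like the one-line OpenSSH format
# (what the PuTTYgen text box shows), 1 otherwise. The multi-line file written by
# PuTTYgen's "Save public key" button ("---- BEGIN SSH2 PUBLIC KEY ----", RFC 4716)
# is NOT accepted in authorized_keys.
is_openssh_pubkey() {
    printf '%s\n' "$1" |
    grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey SSHDIR LINE -> append LINE to SSHDIR/authorized_keys (once) and
# set the permissions sshd's StrictModes requires: 700 on the dir, 600 on the file.
install_pubkey() {
    sshdir=$1; line=$2
    is_openssh_pubkey "$line" || { echo "rejected: not an OpenSSH one-line public key" >&2; return 1; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    auth="$sshdir/authorized_keys"
    touch "$auth" && chmod 600 "$auth"
    # compare key type and blob only, so the same key with another comment is still a duplicate
    blob=$(printf '%s\n' "$line" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$auth" | grep -Fxq "$blob"; then
        echo "already present, nothing added" >&2
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
}

# count_keys SSHDIR -> number of key lines in authorized_keys
count_keys() { grep -Ec '^(ssh-|ecdsa-)' "$1/authorized_keys"; }

# mode_of PATH -> octal permission bits, e.g. 700
mode_of() { stat -c '%a' "$1"; }

demo() {
    dir=$(mktemp -d)
    # constructed placeholder key: type, a base64-looking blob, PuTTYgen-style comment
    key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYMATERIAL0123456789abcdef rsa-key-20100502'
    install_pubkey "$dir" "$key"
    install_pubkey "$dir" "$key"                                   # pasting twice is a no-op
    install_pubkey "$dir" '---- BEGIN SSH2 PUBLIC KEY ----' || true # wrong format, refused
    echo "keys: $(count_keys "$dir"), dir mode $(mode_of "$dir"), file mode $(mode_of "$dir/authorized_keys")"
    rm -rf "$dir"
}
demo
```

On the server you would call it as `install_pubkey ~/.ssh "$(cat pasted_key.txt)"` with the line copied from the PuTTYgen window. If key login still fails afterwards, the permissions are the first thing to check: with StrictModes (the default) sshd ignores an authorized_keys file that is group- or world-writable, and the failure shows up in /var/log/auth.log rather than in PuTTY.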

To get PuTTY to use your private key when connecting to your host you’ll need to open PuTTY and choose the ‘ssh’ menu from the left-hand pane, expand the menu by clicking the ‘+’ and choosing ‘Auth’ from the sub-menu that appears. In there you should find a field titled ‘Private key file for authentication’: click the browse button next to it, browse to the place you saved your key pair and load the private key.

Now navigate to the ‘Connection’ menu in the left-side pane and choose the ‘Data’ sub-menu. In the ‘Auto-login username’ field enter the username that you wish to login to the server with.
Next, head to the session page by choosing ‘Session’ from the left-side pane. Here, enter the IP address or hostname of the server you want to connect to and the port number (don’t forget to enter the correct port number here if you changed it in the sshd_config file on the server).
Finally, enter a profile name in the ‘Saved Sessions field’ and choose ‘save’; you can now click ‘open’ to connect.
That concludes the configuration of ssh on both client and server-side.

To tighten up security I then add a rule to ufw (Uncomplicated FireWall) on the server which allows TCP connections to the ssh port I’ve selected (port 2222) that originate only from my Windows machine (I use static IP addresses on machines on this network):

sudo ufw allow proto tcp from 192.168.1.66 to any port 2222

NOTE: I have my DHCP server set to issue static IP addresses to only certain MAC addresses.

Now I enable the firewall with:

sudo ufw enable

The final thing left to do is to have something in place to prevent brute-force attacks in case all else fails. To that end I decided to install DenyHosts (available from the default repositories):

sudo apt-get install denyhosts

This script is written in Python and so you’ll need Python v2.3 or later (as of 02/05/2010). Ubuntu 10.04 has Python installed by default. To check whether it is installed, execute the following from a terminal:

dpkg --list | grep python2

to get your version number run:

python -V

if you don’t have it then run:

sudo apt-get install python2.6

Now we install DenyHosts:

sudo apt-get install denyhosts

If you can manage it then reboot for good measure and it’s all ready to go:

sudo shutdown -r now
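What a brute-force blocker like DenyHosts actually watches for, shown as an added example that is not from the original post and not DenyHosts’ own code: a shell/awk pass over sshd’s log lines that counts failed password attempts per source address and lists the sources at or over a threshold. The log lines are constructed for the demo, in the format sshd writes to /var/log/auth.log; the addresses are documentation ranges apart from the post’s own 192.168.1.66. Running this by hand against the real log is a quick way to confirm the firewall rule and DenyHosts are doing their job.

```shell
#!/bin/sh
# Added example, not from the original post and not DenyHosts' code: the core of what
# a tool like DenyHosts does, as a pass over sshd log lines. Counts failed logins per
# source address and reports those at or over a threshold. Assumes POSIX sh with
# grep/sed/awk; the sample log below is constructed in /var/log/auth.log format.

# failed_login_counts [FILE...] -> "COUNT IP" per source, highest first
# Only "Failed password" lines are counted; sshd also logs "Invalid user X from IP"
# for the same attempt, and counting both would double-count unknown usernames.
failed_login_counts() {
    grep -E 'sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port' "$@" |
    sed -E 's/.* from ([0-9.]+) port.*/\1/' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# offenders THRESHOLD [FILE...] -> IPs with at least THRESHOLD failures, one per line
offenders() {
    threshold=$1; shift
    failed_login_counts "$@" | awk -v t="$threshold" '$1 >= t {print $2}'
}

# sample_log -> constructed auth.log excerpt (two scanners, one legitimate typo)
sample_log() {
    cat <<'EOF'
May  2 10:00:01 server sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51002 ssh2
May  2 10:00:03 server sshd[1203]: Invalid user oracle from 203.0.113.9
May  2 10:00:05 server sshd[1205]: Failed password for root from 203.0.113.9 port 51010 ssh2
May  2 10:00:07 server sshd[1207]: Failed password for luis from 192.168.1.66 port 49200 ssh2
May  2 10:00:09 server sshd[1209]: Accepted publickey for luis from 192.168.1.66 port 49201 ssh2
May  2 10:00:11 server sshd[1211]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
May  2 10:00:12 server sshd[1213]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
May  2 10:00:13 server sshd[1215]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
EOF
}

echo "failures per source:"
sample_log | failed_login_counts
echo "sources at or over 3 failures:"
sample_log | offenders 3
```

With no file argument the functions read standard input, so on the server itself `offenders 5 /var/log/auth.log` or `grep sshd /var/log/auth.log | offenders 5` gives the list that DenyHosts would be adding to /etc/hosts.deny. With PermitRootLogin no and AllowUsers in place, every one of these attempts is doomed anyway; the count is still worth a look because a sudden spike is the earliest sign that the port change alone is not keeping scanners away.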
