Thursday, 30 April 2009

Installing Open SSH on Ubuntu

By default when you install Open SSH you'll be running on port 22 along with some other things that are not considered to be best practice.

If you have taken over an existing SSH server then you'll need to know the version and port its running on.
run the sudo netstat -tulpn will give you a list of running application with internet port they are using and ssh -v will give you the version that is running.

If OpenSSH is running then you should see it when you run the sudo netstat -tulpn you can also check the package is installed by typing dpkg --list | grep openssh-server equally you might want to up date the package this is also easy to do using the sudo apt-get install openssh-server command, if there is a new version available you will be prompted to install it and if the package isn't installed the same command will prompt you to install it.

now lets get to work... first thing is its not a good idea to be running on well known port numbers so you'll need to edit the config file, some people use vi editor for this I like nano better, so if your used to using vi just put vi where you see nano... for those of you are used to using windows vi and nano are text editors much like notepad and edit from dos.

Editing the configuration file.
sudo nano /etc/ssh/sshd_config

With in the first few lines you will see Port 22 this you should change to something else this is no such thing as a good number but try to make sure you don't use a port you'll need for something else later.

Second you and change the IP addresses and interfaces OpenSSH will bind too... if like you have a mult IP network with a subnet just for network management then you'll most likely want it too bind only to the management IP simply remove the # from in front of ListenAddress and replace the 0.0.0.0 with the IP you want to bind too.

If on the other hand you are using one IP for both the management and the public access then I'd recommend changing the Root access to NO this can be found on the line marked # Authentication: change the PermitRootLogin yes to PermitRootLogin no

I've never been happy with the standard 768 bit keys you can change the size and I often do to 2048 just change the list ServerKeyBits 768 to ServerKeyBits 2048

And lastly its best to use a Banner on the system as well reminding people that its against the law to hack or use systems without permission, to do this remove the # from the Banner line and point it too your banner file and example is like this Banner /etc/banner.txt

Now you've made your changes exit and save them, it will most likely be needed for you to restart you OpenSSH before all of the settings will take affect so you might need to use one or more of the following.

To stop ssh server sudo /etc/init.d/ssh stop
To start sshs server sudo /etc/init.d/ssh start
To restart ssh server sudo /etc/init.d/ssh restart

No comments: