Aspera strongly recommends taking additional steps to set up and configure your SSH server to protect against common attacks.
SSH
SSH is a protocol used to administer a remote computer from the command line. It is widely used to remotely manage Linux desktops and servers.
Installing OpenSSH SSH Server
The OpenSSH SSH server package is available in the official package repository of Debian 11.
First, update the APT package repository cache of your Debian 11 desktop/server:
sudo apt update
To install the OpenSSH SSH server on Debian 11:
sudo apt install openssh-server
Checking the SSH Server Status:
sudo systemctl status ssh
Starting and Stopping the SSH Server
Start:
sudo systemctl start ssh
Stop:
sudo systemctl stop ssh
Once SSH is installed and enabled on our server, we can access it from anywhere using the following command:
ssh user@host -p port
CONFIG DEFAULT SETTING SSH
To configure SSH you must edit the sshd_config file located at /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
In this file we will find many configurations, some of them are:
#Port 22
: This option sets the port number on which the SSH service listens for incoming connections. By default, SSH listens on port 22. If you run multiple SSH services on the same machine or want to change the port for security reasons, you can modify this value. For example, Port 2222 would configure the SSH service to listen on port 2222 instead of the default port 22.
#AddressFamily any
: This option controls which address families the SSH service listens on. With "any", it listens on both IPv4 and IPv6 addresses, so connections from either type of address are accepted. If you want to limit the SSH service to IPv4 or IPv6 only, use AddressFamily inet for IPv4 or AddressFamily inet6 for IPv6.
#ListenAddress 0.0.0.0
: This option tells the SSH service which IP address to listen on for incoming connections. The value 0.0.0.0 represents all available IPv4 addresses on the machine; in other words, the SSH service listens on every network interface, which allows connections from any IP address that can reach the server. If you want to restrict the SSH service to a specific IPv4 address, change 0.0.0.0 to the desired address, for example, ListenAddress 192.168.1.100.
#ListenAddress ::
: Similar to the previous option, but for listening on IPv6 addresses. The address :: represents all available IPv6 addresses on the machine. Just as with IPv4, if you want to restrict the SSH service to a specific IPv6 address, change :: to the desired IPv6 address.
#LoginGraceTime 2m
: This option configures the login grace time. Once a client has connected, the server waits this long for the login to complete successfully; if it has not, the server closes the connection. In this case the value is "2m", which stands for 2 minutes. During this time the client may retry logging in without being disconnected immediately.
PermitRootLogin yes
: This option determines whether direct login by the "root" user is allowed via SSH. "Root" is the administrative user with all privileges on a Unix/Linux system. Setting this option to "yes" allows the "root" user to log in via SSH, while setting it to "no" would disable this feature. It's essential to note that allowing direct "root" access via SSH is considered a security risk since "root" is a prime target for attackers. The recommended practice is to set "PermitRootLogin no" and use a regular user to log in, then obtain "root" privileges using the "sudo" command when needed.
StrictModes no
: This option determines whether the SSH server strictly checks the ownership and permissions of users' files and home directories before accepting a login. If set to "no," strict checking is disabled and SSH is more permissive about file and folder permissions. While this may be useful in certain cases, it is generally better to keep this option set to "yes" for higher security.
#MaxAuthTries 6
: This option sets the maximum number of authentication attempts allowed per connection before the SSH server terminates it. The value "6" means the server allows up to 6 attempts before disconnecting the client. Limiting the number of attempts helps slow down brute-force attacks in which attackers repeatedly try to guess passwords or SSH keys.
#MaxSessions 10
: This option sets the maximum number of sessions a user can have open simultaneously via SSH. If the value is set to "10," it means a user can have up to 10 SSH sessions open at the same time. Limiting the number of sessions can help control and manage server resource usage.
#PasswordAuthentication yes
: This option determines whether users can authenticate using password-based authentication when connecting to the SSH server. If set to "yes," users are allowed to log in by providing their passwords. However, if set to "no," password-based authentication is disabled, and users will have to use other authentication methods, such as public key authentication.
PermitEmptyPasswords
: Set this option to "no" so that no account can log in with an empty password; together with strong passwords for all users, this closes an easy way in.
It's essential to note that the options shown above preceded by the # character are commented out: the line itself has no effect, and the SSH service applies its built-in default for that option (which is the value shown on the commented line). To change one of these options, remove the # symbol, set the desired value, and restart the SSH service for the change to take effect. Before editing the SSH configuration, make sure you know what you are doing, as an incorrect configuration could leave the system inaccessible remotely.
To apply the changes to the file, enter the following command:
sudo systemctl restart ssh
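As an added example (not part of the original page), the following POSIX shell script audits an sshd_config for the options discussed above, resolving each one the way sshd does: the first uncommented occurrence before any Match block wins, and an option that is only commented out keeps its built-in default. It assumes only sh, awk and mktemp are available; the sample configuration it writes is constructed for the demonstration.

```shell
# Added example (not the page's own code): audit the sshd_config directives
# discussed above. sshd applies the FIRST uncommented occurrence of a keyword
# before any Match block; a commented-out keyword keeps its built-in default.

# effective_value FILE KEYWORD DEFAULT: value sshd would apply globally
effective_value() {
    val=$(awk -v k="$2" '
        tolower($1) == "match"    { exit }            # per-user overrides start here
        tolower($1) == tolower(k) { print $2; exit }  # first occurrence wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE: one OK/WEAK line per directive; always returns 0
audit_sshd_config() {
    # keyword|OpenSSH built-in default|hardened value recommended in the text
    for spec in "PermitRootLogin|prohibit-password|no" \
                "PasswordAuthentication|yes|no" \
                "PermitEmptyPasswords|no|no" \
                "StrictModes|yes|yes"; do
        key=${spec%%|*}; rest=${spec#*|}; default=${rest%%|*}; want=${rest#*|}
        have=$(effective_value "$1" "$key" "$default")
        if [ "$have" = "$want" ]; then
            printf 'OK   %s %s\n' "$key" "$have"
        else
            printf 'WEAK %s %s (recommended: %s)\n' "$key" "$have" "$want"
        fi
    done
}

# weak_count FILE: number of WEAK findings (grep -c exits 1 on zero, hence || true)
weak_count() {
    audit_sshd_config "$1" | grep -c '^WEAK' || true
}

# write_sample_config: constructed sshd_config fragment for the demo; the Match
# block at the end must NOT be read as the global PasswordAuthentication value
write_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
PermitRootLogin yes
StrictModes no
#PasswordAuthentication yes
#PermitEmptyPasswords no
Match User backup
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; on a live host, `sudo sshd -T` prints the fully resolved configuration and is the authoritative check.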