
When setting up a Linux system, security should be an important part of every stage. A good knowledge of Linux fundamentals is essential for implementing a sound security policy on the machine.

In this article by Tajinder Pal Singh Kalsi, author of the book Practical Linux Security Cookbook, we will discuss the following topics:

  • Remote server / Host access using SSH
  • SSH root login disable or enable
  • Key based Login into SSH for restricting remote access


Remote server / host access using SSH

SSH (Secure Shell) is a protocol for logging in to remote systems securely and is the most widely used method of accessing remote Linux systems.

Getting ready

To see how to use SSH, we need two Ubuntu systems. One will be used as the server and the other as the client.

How to do it…

To use SSH we can use the freely available OpenSSH software. Once it is installed, it is invoked with the ssh command on the Linux system. We will see how to use this tool in detail.

  1. If the software to use SSH is not already installed, we have to install it on both the server and the client system.
  2. The command to install the tool on the server system is:
    sudo apt-get install openssh-server
    • The output obtained will be as follows:

     [Screenshot of the command output]

  3. Next we need to install the client version of the software:
    sudo apt-get install openssh-client
    • The output obtained will be as follows:

     [Screenshot of the command output]

  4. On recent versions the ssh service starts running as soon as the package is installed. If it is not running by default, we can start the service with the command:
    sudo service ssh start
    • The output obtained will be as follows:

     [Screenshot of the command output]

  5. Now if we want to log in from the client system to the server system, the command is as follows:
    ssh remote_ip_address

    Here remote_ip_address refers to the IP address of the server system. This command also assumes that the username on the client machine is the same as that on the server machine:

     [Screenshot of the command output]

    If we want to log in as a different user, the command is as follows:

    ssh username@remote_ip_address
    • The output obtained will be as follows:

     [Screenshot of the command output]

  6. Next we need to configure SSH to use it as per our requirements. The main configuration file for sshd in Ubuntu is located at /etc/ssh/sshd_config. Before making any changes to the original version of this file, create a backup using the command:
    sudo cp /etc/ssh/sshd_config{,.bak}
    • The configuration file defines the default settings for SSH on the server system.
  7. When we open the file in any editor, we can see that the default port on which the sshd server listens for incoming connections is 22. We can change this to a non-standard port to reduce the server's exposure to automated scans of the default port. Suppose we change the port to 888; the next time the client wants to connect to the SSH server, the command is as follows:
    ssh -p port_number remote_ip_address
    • Here port_number is the new port, 888 in our example. The output obtained will be as follows:

     [Screenshot of the command output]

As we can see, when we run the command without specifying the port number the connection is refused; when we specify the correct port number, the connection is established.

How it works…

SSH is used to connect a client program to an SSH server. On one system we install the openssh-server package to make it the SSH server, and on the other system we install the openssh-client package to use it as the client.

With the SSH service running on the server system, we connect to it from the client.

We use the sshd configuration file to change settings such as the port on which the server listens for connections.

SSH root login disable or enable

Linux systems have a root account, which is enabled by default. Letting unauthorized users obtain ssh root access is a bad idea, because it gives an attacker access to the complete system.

We can disable or enable root login over ssh as required, to reduce the chances of an attacker gaining access to the system.

Getting Ready

We need two Linux systems to be used as the server and the client. On the server system, install the openssh-server package as shown in the preceding recipe.

How to do it…

First we will see how to disable SSH root login, and then we will see how to enable it again.

  1. First, open the main configuration file of ssh, /etc/ssh/sshd_config, in any editor:
    sudo nano /etc/ssh/sshd_config
  2. Now look for the line that reads as follows:
    PermitRootLogin yes
  3. Change the value yes to no. Then save and close the file:
    PermitRootLogin no
    • The output obtained will be as follows:

     [Screenshot of the command output]

  4. Once done, restart the SSH daemon using the command shown here:
    sudo service ssh restart

     [Screenshot of the command output]

  5. Now let's try to log in as root. We should get the error Permission denied, as root login has been disabled:

     [Screenshot of the command output]

  6. Now whenever we want to log in as root, we first have to log in as a normal user and then use the su command to switch to the root user. So user accounts that are not listed in the /etc/sudoers file will not be able to switch to the root user, and the system will be more secure:

     [Screenshot of the command output]

  7. If we want to enable SSH root login again, we just need to edit the /etc/ssh/sshd_config file again and change the option back from no to yes:
    PermitRootLogin yes
    • The output obtained will be as follows:

     [Screenshot of the command output]

  8. Then restart the service again using the command:
    sudo service ssh restart

     [Screenshot of the command output]

  9. Now if we try to log in as root again, it works:

     [Screenshot of the command output]

How it works…

When we try to connect to a remote system using SSH, the remote system checks its configuration file at /etc/ssh/sshd_config and, according to the settings in this file, decides whether the connection should be allowed or refused.

When we change the value of PermitRootLogin, the behaviour of sshd changes accordingly.

There’s more…

Suppose we have many user accounts on the system; then we can edit the /etc/ssh/sshd_config file so that remote access is allowed only for a few named users.

sudo nano /etc/ssh/sshd_config

Add the line:

AllowUsers tajinder user1

Now restart the ssh service:

sudo service ssh restart

Now when we try to log in as user1, the login is successful. However, when we try to log in as user2, who is not listed in the /etc/ssh/sshd_config file, the login fails with the error Permission denied, as shown here:

 [Screenshot of the command output]
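The three edits made to sshd_config in these recipes (a non-default Port, PermitRootLogin no and an AllowUsers list) can be applied from a script instead of by hand in an editor. The POSIX shell functions below are an added example, not code from the book; they assume the "Keyword value" layout of Ubuntu's sshd_config and that sshd uses the first uncommented occurrence of a keyword, so they rewrite every existing copy of a directive (commented or live) rather than appending a second one.

```shell
#!/bin/sh
# Added example (not from the book): apply the recipes' sshd_config edits
# from a script. Assumes the "Keyword value" layout of Ubuntu's sshd_config;
# sshd keywords are case-insensitive and the FIRST live occurrence wins, so
# every commented or live copy of a directive is rewritten, never duplicated.

# set_sshd_option FILE KEYWORD VALUE
set_sshd_option() {
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$2([[:space:]]|$)" "$1"; then
        awk -v k="$2" -v v="$3" '
            tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" { print k " " v; next }
            { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# get_sshd_option KEYWORD FILE: print the value sshd would use (first live match).
get_sshd_option() {
    awk -v k="$1" 'tolower($1) == tolower(k) {
        v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; exit }' "$2"
}

# harden_sshd FILE: back up once (like the recipe's cp sshd_config{,.bak}),
# then apply the three changes: non-default port, no root login, user allow-list.
harden_sshd() {
    [ -f "$1.bak" ] || cp "$1" "$1.bak"
    set_sshd_option "$1" Port 888
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers "tajinder user1"
}

# On a real server: harden_sshd /etc/ssh/sshd_config && sshd -t && sudo service ssh restart
```

Running sshd -t after the edit validates the file before the restart, so a typo in the config cannot leave you locked out of the server.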

Key based login into SSH for restricting remote access

Even though SSH login is protected by the user account's password, we can make it more secure by using key-based authentication.

Getting ready

To see how key-based authentication works, we need two Linux systems (in our example, both Ubuntu systems). One should have the OpenSSH server package installed on it.

How to do it…

To use key-based authentication, we need to create a pair of keys—a private key and a public key.

  1. On the client or local system, execute the following command to generate the SSH key pair:
    ssh-keygen -t rsa
    • The output obtained will be as follows:

     [Screenshot of the command output]

  2. While creating the key, we can accept the default values or change them as we wish. It also asks for a passphrase, which can be anything we choose, or left blank.
  3. The key pair is created in the ~/.ssh/ directory. Change to this directory and use the command ls -l to see the details of the key files:

     [Screenshot of the command output]

    • We can see that the id_rsa file (the private key) can be read and written only by its owner. This permission ensures that the file is kept secure.
  4. Now we need to copy the public key file to the remote SSH server. To do so, we run the command:
    ssh-copy-id 192.168.1.101
    • The output obtained will be as follows:

     [Screenshot of the command output]

  5. An SSH session is started and prompts for the password of the user account. Once the correct password has been entered, the key is copied to the remote server.
  6. Once the public key has been copied to the remote server, try to log in to the server again using the ssh 192.168.1.101 command:

     [Screenshot of the command output]

    We can see that we are no longer prompted for the user account's password. Because we set a passphrase on the SSH key, we are asked for that passphrase instead; otherwise we would have been logged in without being asked for anything.

How it works…

When we create the SSH key pair and copy the public key to the remote system, it serves as an authentication method for connecting to that system. If the public key present on the remote system matches the public key generated by the local system, and the local system holds the private key that completes the key pair, the login succeeds. If any key file is missing, login is not allowed.
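To make the ssh-copy-id step and the permission check concrete, the shell functions below are an added example (not code from the book) that does the server-side part by hand: they append a public key to ~/.ssh/authorized_keys without ever duplicating it, and they check the modes that the recipe's ls -l output illustrates (~/.ssh 700, authorized_keys and id_rsa 600), which sshd's StrictModes check (on by default) rejects when the files are writable by others. The key line in the comments is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the book): the server-side work of ssh-copy-id done
# by hand, plus a check of the file modes sshd expects for key-based login.
# Key material used with these functions in this article is a constructed
# placeholder, e.g. "ssh-rsa AAAA...PLACEHOLDER tajinder@client".

# install_pubkey HOME_DIR PUBKEY_LINE: create ~/.ssh with safe modes and append
# the key once. Keys are compared on the base64 blob (field 2), so re-running
# with a different trailing comment does not add a duplicate entry.
install_pubkey() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys" && chmod 600 "$1/.ssh/authorized_keys"
    blob=$(printf '%s\n' "$2" | awk '{ print $2 }')
    if ! awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' \
            "$1/.ssh/authorized_keys"; then
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
    fi
}

# perm PATH: the nine rwx characters of ls -l, portable across GNU and BSD ls.
perm() {
    ls -ld "$1" | cut -c2-10
}

# check_ssh_perms HOME_DIR: print "ok" when ~/.ssh is 700 and the key files
# present are 600 (owner read/write only), otherwise "bad:" and the offenders.
check_ssh_perms() {
    bad=""
    [ "$(perm "$1/.ssh")" = "rwx------" ] || bad="$bad .ssh"
    for f in authorized_keys id_rsa; do
        [ -e "$1/.ssh/$f" ] || continue
        [ "$(perm "$1/.ssh/$f")" = "rw-------" ] || bad="$bad $f"
    done
    if [ -z "$bad" ]; then echo ok; else echo "bad:$bad"; fi
}
```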

Summary

Linux security is a massive subject and everything cannot be covered in just one article. Still, Practical Linux Security Cookbook will give you a lot of recipes for securing your machine. It can be referred to as a practical guide for the administrators and help them configure a more secure machine.
