How to install SSH ( How to access your Linux system over Internet )
.sudo apt-get install openssh-server
To check if OpenSSH is running type this:
This command will list all running processes and then filter the list
to only display processes that include “ssh”. You should see a line
like this:
This means that OpenSSH is running. If you don’t see a line like that, try running this command:
(If two sshd instances are running, it may cause problems. You can usually fix this problem by issuing the command sudo killall sshd followed by sudo /etc/init.d/ssh start.)
Part 2 of this series will discus more configuration options. For
now, most of the default configuration should be fine. The one part that
you should change now is the port. Your computer has a bunch of
different ports (specifically 65535 of them). Each port is like a door
that other computers can knock on. For example, when you visit a
website, the request goes out through port 80 and the website comes back
in through port 80. The first 1024 ports are reserved for specific
protocols. Port 22 happens to be reserved for SSH. It is not advisable,
however, to let your SSH server listen on that port, though, because an
attacker would most likely be scanning for open port 22′s. It is best to
change the port option in your OpenSSH configuration to a port number
greater than 1024 (and less than 65535). This makes it harder for an
attacker to guess which door to knock on. If none of that makes sense,
that’s OK. Just change the number after “Port” to a number between 1500
and 5000. While you might be able to use higher numbers, really high
port numbers will get you in trouble.
Open Firestarter and follow the setup wizard. Then click on the Policy tab. Select “Inbound Traffic Policy” and click in the box that has “Allow Service | Port | For” at the top. Then click on the Add Rule button. Enter the port you choose and SSH as the name. Then select “Everyone” and click Add.
You will need to dig through the output to find your IP address. Here is the relevant piece of the output I see:
Now go to another Linux or Mac OS X computer on the same network.
Technically you can use the same computer, but it’s not as good of a
demo. Type this:
For example, I would type:
You may get a message about the server’s RSA key. This is normal and typing yes will bypass the message. Then you should get a prompt for your password. Enter your password and you will be inside your other machine.
This was discussed in part 1, so I suggest you read that. The basic lesson is that you probably shouldn’t use port 22 (the default).
What this line says is to only listen on network connections where
your computer’s IP is, in this case, 192.168.1.175. This is useful for a
number of reasons. For example, if you have multiple network
connections (such as an ethernet connection and a WiFi connection), you
could tell SSH to only work on one of those connections. Also, if you
were at a coffee shop or some other public WiFi, you would probably not
have the same IP address that you do on your own network (depending on
your network’s configuration). Basically, it’s just a generally good
idea to specify what IP address SSH should listen on. Getting your IP
address was also covered in part 1. The quick version is that executing ifconfig should tell you.
There are two versions of the SSH protocol. SSH 1 is old and potentially insecure. Make sure you are only allowing protocol 2 with the line above. This should really already be in your default configuration, but if it isn’t, add it.
Once again, this is pretty straight-forward and is probably already in your configuration. You shouldn’t usually login to root locally, so why would you let remote users login to root? You can still sudo or whatever.
This option allows you to specify which user(s) should be allowed to login via SSH. You may or may not want to add this, but if your only going to login with one account, it adds a small extra layer of security.
It is worth noting that a lot of these configurations are purely security through obscurity. Contrary to what some people say, I don’t believe there is anything wrong with that, as long as it’s not your only defense.
A properly configured home router should usually pretend not to exist by giving no reply to unsolicited communications from the outside. In other words, if I try to talk to your router without your router talking to my server, you router should ignore me as if no one was there. This gives you great security, since if no one knows you are there, it’s hard to attack you. (This does not, of course, have any effect on malware spread by email, the web, chat programs, etc.) Allowing your computer to be remotely accessed over the internet cuts a hole in that anonymity. Your router will have to start replying to requests on a particular port. This is dangerous, but not too dangerous as long as your securing everything correctly. (You can test how your router is configured with GRC’s SheildsUP! tool.)
From your router to your computer
Next, we need to redirect traffic from your router, which is the only place an external computer can connect to, to your computer. This feature is support by almost ever router, so don’t work. It’s fairly simple, too.
To your router Don’t worry, your almost there! The final step is to find a way to track your router’s changing IP address. (Yes, that changes too.)
Without paying your ISP extra, you can’t usually get a static IP for your router. Luckily, services like DynDNS.com (a free account is plenty) will give you a free subdomain that points to your router. For example:
username.dyndns.com would point to your routers IP
In order to get the IP to update, you need to enter your DynDNS account into your router settings. Once again, this is router specific, but look for a DDNS section in your router configuration.
ssh -p <em>port number</em> <em>username</em>@<em>dyndns username</em>.dyndns.com
A Note About Security
Allowing outside machines to access your computer is inherently risky. Assuming your router and/or firewall is properly configured, you will need to poke some holes in it. This potentially leaves you vulnerable to attack. Proceed at your own risk. Because security is a constantly changing issue, you are responsible for securing your own computer and network. You have been warned. If you are not behind a router or other physical firewall and you can’t explain why this is the case, do not proceed. I would also advise you to only try this on your home network, because your employer will probably dislike you messing with SSH, unless, of course, that’s your job.About SSH
SSH stands for secure shell. It is a protocol that allows you to access a computer across a network. We will use OpenSSH, an implementation of SSH, since it is the default on most Linux systems.Installing SSH
SSH is installed by default on almost every Linux distribution, however there is usually no SSH server, which is required to actually share your machine with SSH. Use your preferred package manager to install openssh-server.sudo apt-get install openssh-server
To check if OpenSSH is running type this:
ps -e | grep ssh
|
11032 ? 00:00:00 sshd
|
sudo /etc/init.d/ssh start
|
Basic Configuration
There are two steps to configuring your SSH sever. First you must edit the OpenSSH configuration file, then you have to open a hole in your firewall. To start, open the OpenSSH configuration file, which is usually located in /etc/ssh/sshd_config, with your favorite text editor.gksudo gedit /etc/ssh/sshd_config
|
# What ports, IPs and protocols we listen for
Port 4005
|
Opening ports in your software firewall
Next you need to open whatever port you choose in your software firewall, if you are using one. Most Linux distributions have one installed by default, so if you don’t know, you probably are using one. Most people should probably install Firestarter, which is a GUI front end to managing IPTables.
sudo apt-get install firestarter
|
Open Firestarter and follow the setup wizard. Then click on the Policy tab. Select “Inbound Traffic Policy” and click in the box that has “Allow Service | Port | For” at the top. Then click on the Add Rule button. Enter the port you choose and SSH as the name. Then select “Everyone” and click Add.
Testing it out
You are now ready to test it out. Get your IP address on your local network with this command: ifconfig
|
wlan0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 inet addr:<strong>
192.168.1.175</strong>
Bcast:192.168.1.255 Mask:255.255.255.0
|
ssh -p <em>port number</em> <em>username</em>@<em>ip address</em>
|
ssh -p 4005 thomas@192.168.1.175
|
You may get a message about the server’s RSA key. This is normal and typing yes will bypass the message. Then you should get a prompt for your password. Enter your password and you will be inside your other machine.
Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently
added '192.168.1.175'
(RSA) to the list of known hosts. thomas@192.168.1.175's password:
Congratulations! SSH is up and running.
Now i will teach you how to
access your computer from another computer across the internet.
A Note About Security
Allowing outside machines to access your computer is inherently risky. Assuming your router and/or firewall is properly configured, you will need to poke some holes in it. This potentially leaves you vulnerable to attack. Proceed at your own risk. Because security is a constantly changing issue, you are responsible for securing your own computer and network. You have been warned. If you are not behind a router or other physical firewall and you can’t explain why this is the case, do not proceed. I would also advise you to only try this on your home network, because your employer will probably dislike you messing with SSH, unless, of course, that’s your job.Security First
There are some security tweaks you can make to your /etc/ssh/sshd_config file. There are, of course, tons and tons of tweaks you can make. A complete guide to the OpenSSH configuration file is way, way beyond this guide, but I’ll cover a few things you can do:Port 4005 # Only listen on port 4005
# 4005 is just an example, this can be anything roughly between 1500 and 5000
|
This was discussed in part 1, so I suggest you read that. The basic lesson is that you probably shouldn’t use port 22 (the default).
ListenAddress 192.168.1.175
# Only listen on network interfaces with the IP 192.168.1.175
|
Protocol 2 # Only allow logins using SSH 2
|
There are two versions of the SSH protocol. SSH 1 is old and potentially insecure. Make sure you are only allowing protocol 2 with the line above. This should really already be in your default configuration, but if it isn’t, add it.
PermitRootLogin no
|
Once again, this is pretty straight-forward and is probably already in your configuration. You shouldn’t usually login to root locally, so why would you let remote users login to root? You can still sudo or whatever.
AllowUsers thomas # Only allow thomas to login
|
This option allows you to specify which user(s) should be allowed to login via SSH. You may or may not want to add this, but if your only going to login with one account, it adds a small extra layer of security.
It is worth noting that a lot of these configurations are purely security through obscurity. Contrary to what some people say, I don’t believe there is anything wrong with that, as long as it’s not your only defense.
Getting our of your local network
Time to access your computer across the internet. I’ll warn you about the risks again:A properly configured home router should usually pretend not to exist by giving no reply to unsolicited communications from the outside. In other words, if I try to talk to your router without your router talking to my server, you router should ignore me as if no one was there. This gives you great security, since if no one knows you are there, it’s hard to attack you. (This does not, of course, have any effect on malware spread by email, the web, chat programs, etc.) Allowing your computer to be remotely accessed over the internet cuts a hole in that anonymity. Your router will have to start replying to requests on a particular port. This is dangerous, but not too dangerous as long as your securing everything correctly. (You can test how your router is configured with GRC’s SheildsUP! tool.)
Getting a consistent IP address
The first step is to make sure that your computer always gets the same IP address. If you are using DHCP, and you probably are, then your computer will get a different IP address ever time you get on your network, usually in the range of 192.168.1.100 to 192.168.1.150 or so. You need to setup something called a static lease in which one computer, identified by a MAC address and a hostname, always gets the same IP address.From your router to your computer
Next, we need to redirect traffic from your router, which is the only place an external computer can connect to, to your computer. This feature is support by almost ever router, so don’t work. It’s fairly simple, too.
To your router Don’t worry, your almost there! The final step is to find a way to track your router’s changing IP address. (Yes, that changes too.)
Without paying your ISP extra, you can’t usually get a static IP for your router. Luckily, services like DynDNS.com (a free account is plenty) will give you a free subdomain that points to your router. For example:
username.dyndns.com would point to your routers IP
In order to get the IP to update, you need to enter your DynDNS account into your router settings. Once again, this is router specific, but look for a DDNS section in your router configuration.
All done
Ok. If you’ve made it this far, congratulations! You should now be able to access your computer from any other computer on the internet (with an SSH client, of course), using this command:ssh -p <em>port number</em> <em>username</em>@<em>dyndns username</em>.dyndns.com
