How to install SSH (How to access your Linux system over the Internet)
A Note About Security
Allowing outside machines to access your computer is inherently
risky. Assuming your router and/or firewall is properly configured, you
will need to poke some holes in it. This potentially leaves you
vulnerable to attack. Proceed at your own risk. Because security
is a constantly changing issue, you are responsible for securing your
own computer and network. You have been warned. If you are not
behind a router or other physical firewall and you can’t explain why
this is the case, do not proceed. I would also advise you to only try
this on your home network, because your employer will probably dislike
you messing with SSH, unless, of course, that’s your job.
About SSH
SSH stands for secure shell. It is a protocol that allows you to
access a computer across a network. We will use OpenSSH, an
implementation of SSH, since it is the default on most Linux systems.
Installing SSH
SSH is installed by default on almost every Linux distribution;
however, there is usually no SSH server, which is required to actually
share your machine over SSH. Use your preferred package manager to
install openssh-server:
sudo apt-get install openssh-server
To check if OpenSSH is running type this:
This command will list all running processes and then filter the list
to only display processes that include “ssh”. You should see a line
like this:
This means that OpenSSH is running. If you don’t see a line like that, try running this command:
sudo /etc/init.d/ssh start
(If two sshd instances are running, it may cause problems. You can usually fix this problem by issuing the command sudo killall sshd followed by sudo /etc/init.d/ssh start.)
Basic Configuration
There are two steps to configuring your SSH server. First you must
edit the OpenSSH configuration file, then you have to open a hole in
your firewall. To start, open the OpenSSH configuration file, which is
usually located at /etc/ssh/sshd_config, with your favorite text editor:
gksudo gedit /etc/ssh/sshd_config
Part 2 of this series will discuss more configuration options. For
now, most of the default configuration should be fine. The one part that
you should change now is the port. Your computer has a bunch of
different ports (specifically 65535 of them). Each port is like a door
that other computers can knock on. For example, when you visit a
website, the request goes out through port 80 and the website comes back
in through port 80. The first 1024 ports are reserved for specific
protocols, and port 22 happens to be reserved for SSH. It is not advisable,
however, to let your SSH server listen on that port, because an
attacker would most likely be scanning for open port 22s. It is best to
change the Port option in your OpenSSH configuration to a port number
greater than 1024 (and less than 65535). This makes it harder for an
attacker to guess which door to knock on. If none of that makes sense,
that’s OK. Just change the number after “Port” to a number between 1500
and 5000. While you might be able to use higher numbers, really high
port numbers will get you in trouble.
# What ports, IPs and protocols we listen for
Port 4005
Opening ports in your software firewall
Next you need to open whichever port you chose in your software
firewall, if you are using one. Most Linux distributions have one
installed by default, so if you don’t know, you probably are using one.
Most people should probably install Firestarter, which is a GUI front
end for managing iptables:
sudo apt-get install firestarter
Open Firestarter and follow the setup wizard. Then click on the
Policy tab. Select “Inbound Traffic Policy” and click in the box that
has “Allow Service | Port | For” at the top. Then click on the Add Rule
button. Enter the port you chose and SSH as the name. Then select
“Everyone” and click Add.
Testing it out
You are now ready to test it out. Get your IP address on your local network with ifconfig:
You will need to dig through the output to find your IP address. Here is the relevant piece of the output I see:
wlan0     Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.1.175  Bcast:192.168.1.255  Mask:255.255.255.0
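To save digging through the output by eye, here is a small added helper (example code, not part of the original guide) that pulls one interface's IPv4 address out of ifconfig output. The sample text it parses is constructed to match the line quoted above; it also handles the newer ifconfig layout ("inet 10.0.0.7  netmask ...") that current net-tools releases print. The interface names, the 10.0.0.7 address and the function names iface_ipv4 and ipv4_from_text are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: extract one interface's IPv4
# address from ifconfig output.  Usage: ifconfig | iface_ipv4 wlan0

# Print the IPv4 address of interface $1 read from stdin, or nothing if the
# interface has none.  Handles both ifconfig layouts:
#   older:  "inet addr:192.168.1.175  Bcast:..."
#   newer:  "inet 192.168.1.175  netmask ..."
iface_ipv4() {
    awk -v want="$1" '
        # A line that starts in column 1 names a new interface ("wlan0" or "wlan0:").
        NF > 0 && index(" \t", substr($0, 1, 1)) == 0 {
            cur = $1; sub(/:$/, "", cur); next
        }
        # Inside the wanted interface, the first "inet" line carries the IPv4 address
        # ("inet6" lines do not match because $1 is compared whole).
        cur == want && $1 == "inet" {
            addr = $2
            sub(/^addr:/, "", addr)
            print addr
            exit
        }
    '
}

# Run the parser over a string instead of a live ifconfig (used for the samples).
ipv4_from_text() {
    printf '%s\n' "$2" | iface_ipv4 "$1"
}

# Constructed sample in the older layout (matches the output quoted above).
SAMPLE_IFCONFIG_OLD='lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

wlan0     Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.1.175  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed sample in the newer layout (assumed address 10.0.0.7).
SAMPLE_IFCONFIG_NEW='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
        ether 00:00:00:00:00:00  txqueuelen 1000  (Ethernet)'

ipv4_from_text wlan0 "$SAMPLE_IFCONFIG_OLD"   # 192.168.1.175
ipv4_from_text eth0 "$SAMPLE_IFCONFIG_NEW"    # 10.0.0.7
```

On a live machine, run `ifconfig | iface_ipv4 wlan0` (substitute your interface name). Note that ifconfig comes from the net-tools package, which newer distributions no longer install by default; there, `ip -4 addr show` gives the same information in yet another layout.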
Now go to another Linux or Mac OS X computer on the same network.
Technically you can use the same computer, but it’s not as good a
demo. Type this:
ssh -p PORT USERNAME@IP_ADDRESS
For example, I would type:
ssh -p 4005 thomas@192.168.1.175
You may get a message about the server’s RSA key. This is normal, and
typing yes will bypass the message. Then you should get a prompt for
your password. Enter your password and you will be inside your other
machine.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.175' (RSA) to the list of known hosts.
thomas@192.168.1.175's password:
Congratulations! SSH is up and running.
Now I will teach you how to access your computer from another computer across the Internet.
Security First
There are some security tweaks you can make to your /etc/ssh/sshd_config
file. There are, of course, tons and tons of tweaks you can make. A
complete guide to the OpenSSH configuration file is way, way beyond this
guide, but I’ll cover a few things you can do:
# Only listen on port 4005
# 4005 is just an example; this can be anything roughly between 1500 and 5000
Port 4005
This was discussed in part 1, so I suggest you read that. The basic
lesson is that you probably shouldn’t use port 22 (the default).
ListenAddress 192.168.1.175
# Only listen on network interfaces with the IP 192.168.1.175
What this line says is to only listen on network connections where
your computer’s IP is, in this case, 192.168.1.175. This is useful for a
number of reasons. For example, if you have multiple network
connections (such as an ethernet connection and a WiFi connection), you
could tell SSH to only work on one of those connections. Also, if you
were at a coffee shop or some other public WiFi, you would probably not
have the same IP address that you do on your own network (depending on
your network’s configuration). Basically, it’s just a generally good
idea to specify what IP address SSH should listen on. Getting your IP
address was also covered in part 1. The quick version is that executing ifconfig should tell you.
# Only allow logins using SSH 2
Protocol 2
There are two versions of the SSH protocol. SSH 1 is old and
potentially insecure. Make sure you are only allowing protocol 2 with
the line above. This should really already be in your default
configuration, but if it isn’t, add it.
Once again, this is pretty straightforward and is probably already
in your configuration. You shouldn’t usually log in as root locally, so
why would you let remote users log in as root? You can still sudo or
whatever.
# Only allow thomas to log in
AllowUsers thomas
This option allows you to specify which user(s) should be allowed to
log in via SSH. You may or may not want to add this, but if you’re only
going to log in with one account, it adds a small extra layer of
security.
It is worth noting that a lot of these configurations are purely
security through obscurity. Contrary to what some people say, I don’t
believe there is anything wrong with that, as long as it’s not your only
defense.
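As an added example (not the original guide's code), here is a small POSIX sh audit script that reads an sshd_config file the way sshd does and reports which of the settings covered in this section, and in the port discussion of part 1, are still at their weak value. It checks Port, ListenAddress, Protocol and AllowUsers, plus PermitRootLogin, which is the keyword that controls the root-login setting discussed above. The two config files it audits are constructed samples written to temporary files, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an sshd_config file for
# the weak settings this guide tells you to change.  Assumes POSIX sh + awk.

# Effective value of keyword $2 in file $1, following sshd's own rules:
#  - keywords are case-insensitive,
#  - lines whose first token starts with '#' are comments,
#  - for single-valued keywords sshd keeps the FIRST value it reads, so a
#    line appended at the end of the file may silently do nothing,
#  - settings after a "Match" line are conditional, so stop there.
sshd_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Port (unlike most keywords) may appear several times and sshd listens on
# all of them, so list every value rather than only the first.
sshd_ports() {
    awk '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port"  { print $2 }
    ' "$1"
}

# Print one finding per line; prints nothing when the file passes.
audit_sshd_config() {
    f=$1
    ports=$(sshd_ports "$f")
    if [ -z "$ports" ]; then
        echo "Port: not set, so sshd listens on the default port 22"
    elif printf '%s\n' "$ports" | grep -qx 22; then
        echo "Port: 22 is among the listening ports"
    fi
    [ -n "$(sshd_opt "$f" ListenAddress)" ] ||
        echo "ListenAddress: not set, so sshd listens on every interface"
    case "$(sshd_opt "$f" Protocol)" in
        2)  ;;  # fine (recent OpenSSH removed SSH 1 entirely and ignores this keyword)
        "") echo "Protocol: not set; add 'Protocol 2' on versions that still support SSH 1" ;;
        *)  echo "Protocol: value allows the old SSH 1 protocol" ;;
    esac
    v=$(sshd_opt "$f" PermitRootLogin)
    [ "$v" = "no" ] ||
        echo "PermitRootLogin: is '${v:-unset}', not 'no'; root may be able to log in over SSH"
    [ -n "$(sshd_opt "$f" AllowUsers)" ] ||
        echo "AllowUsers: not set, so every local account may log in over SSH"
    return 0
}

# Number of findings for file $1 (handy for scripting).
audit_count() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Constructed sample 1: a near-default config like the one the package ships.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: default-looking sshd_config
Port 22
Protocol 2,1
PermitRootLogin yes
EOF

# Constructed sample 2: the settings recommended in this guide.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed: sshd_config after following this guide
#Port 22
Port 4005
ListenAddress 192.168.1.175
Protocol 2
PermitRootLogin no
AllowUsers thomas
EOF

# Constructed sample 3: the first-value-wins rule; the later "yes" is ignored.
DUP_CFG=$(mktemp)
cat > "$DUP_CFG" <<'EOF'
PermitRootLogin no
PermitRootLogin yes
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG" "$DUP_CFG"' EXIT

echo "findings in weak config: $(audit_count "$WEAK_CFG")"        # 5
audit_sshd_config "$WEAK_CFG"
echo "findings in hardened config: $(audit_count "$HARD_CFG")"    # 0
```

Against a real system, run `audit_sshd_config /etc/ssh/sshd_config`. Two caveats: on recent OpenSSH releases the Protocol keyword is obsolete because SSH 1 support was removed, so that finding can be ignored there; and because sshd keeps the first value of a keyword, change the existing line rather than appending a new one, then restart sshd and confirm the effective settings with `sshd -T`.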
Getting out of your local network
Time to access your computer across the Internet. I’ll warn you about the risks again:
A properly configured home router should usually pretend not to exist
by giving no reply to unsolicited communications from the outside. In
other words, if I try to talk to your router without your router talking
to my server, your router should ignore me as if no one was there. This
gives you great security, since if no one knows you are there, it’s hard
to attack you. (This does not, of course, have any effect on malware
spread by email, the web, chat programs, etc.) Allowing your computer to
be remotely accessed over the Internet cuts a hole in that anonymity.
Your router will have to start replying to requests on a particular
port. This is dangerous, but not too dangerous as long as you’re securing
everything correctly. (You can test how your router is configured with GRC’s ShieldsUP! tool.)
Getting a consistent IP address
The first step is to make sure that your computer always gets the
same IP address. If you are using DHCP, and you probably are, then your
computer will get a different IP address every time you get on your
network, usually in the range of 192.168.1.100 to 192.168.1.150 or so.
You need to set up something called a static lease, in which one computer,
identified by its MAC address and hostname, always gets the same IP
address.
From your router to your computer
Next, we need to redirect traffic from your router, which is the only
place an external computer can connect to, to your computer. This
feature is supported by almost every router, so don’t worry. It’s fairly
simple, too.
To your router
Don’t worry, you’re almost there! The final step is to find a way to
track your router’s changing IP address. (Yes, that changes too.)
Without paying your ISP extra, you can’t usually get a static IP for your router. Luckily, services like DynDNS.com (a free account is plenty) will give you a free subdomain that points to your router. For example:
username.dyndns.com would point to your router’s IP
In order to get the IP to update, you need to enter your DynDNS
account into your router settings. Once again, this is router specific,
but look for a DDNS section in your router configuration.
All done
Ok. If you’ve made it this far, congratulations! You should now be
able to access your computer from any other computer on the internet
(with an SSH client, of course), using this command:
ssh -p PORT USERNAME@DYNDNS_USERNAME.dyndns.com