DEV Community: Hadi Samadzad

6 Tips to Use SSH Client Effectively For Connecting To Linux Servers

Hadi Samadzad — Fri, 03 Feb 2023 17:11:47 +0000

SSH is the most common tool to connect to a VPS. If you are someone who connects to servers as a part of their role, I have listed 6 easy-to-use and practical tips to make your experience more secure and productive.

Tip 1- Create SSH Profiles

SSH profiles are an interesting way to make it easy to connect to a server using SSH. Let's say you are using a custom username and port number to connect to your server, so each time you would like to connect to the VPS, you need to use ssh command like this:

ssh [USERNAME]@[IP_ADRESS] -p [PORT_NUMBER]

Finding and entering these ssh parameters each time can be frustrating. Instead, you can simply create a profile using the SSH config file, so the next time, you can connect using the profile name rather than connection info. Profiles are stored in the ~/.ssh/config file. The below code snippet shows the corresponding configuration for the above-mentioned connection info.

Host [PROFILE_NAME]
    HostName [IP_ADDRESS]
    User [USERNAME]
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa
    Port [PORT_NUMBER]

Now, you can access the VPS only with the profile name benefiting auto-completion. Enjoyed it? jump to the next one to get more fun.

ssh [PROFILE_NAME]

Tip 2- Connect without a Password

Although having a strong password can effectively increase the security level of your VPS, recalling it each time you want to log in can be frustrating. The good news is that if you are using specific machines to log in to your servers, you can set a public/private key pair so that you don't need to provide a password each time.
First, you should generate an ssh key pair on your local machine; then, press enter button a couple of times until they are generated (These steps are to set a location, a filename and a passphrase but they can remain default).

# Create a key pair
ssh-keygen -t rsa

Now, you need to copy the generated key to the remote server using ssh-copy-id command.

ssh-copy-id [USERNAME]@[IP_ADDRESS] -p [PORT_NUMBER]

# or if you have already set a profile configuration
ssh-copy-id [PROFILE_NAME]

Try to connect to the remote server and you should be logged in without being prompted for a password. Just keep in mind, you should not use key pairs on shared machines as can be a security vulnerability.

Tip 3- Block root Access

Although some VPS hosting services provide connection configuration using an out-of-the-box admin user rather than root, generally, you will connect to the VPS using root access. Removing root access from SSH guarantees that the username must be provided at login time as root is the default username.
Be careful that before blocking the root access you need to create an admin user you are going to use instead of root. Otherwise, you may lose access to the VPS.
Another plus for blocking root access is avoiding unintentional changes on the server as new admin user access can be limited. To create a new so-called admin user on Ubuntu uses the below code snippet. As well, to prepare the created user for SSH login, you need to set a password as soon as you create that.

# Add a new user (e.g. admin)
sudo useradd -m admin

# Set a password for new user
sudo passwd admin

# Add user to sudoers' list
sudo usermod -aG sudo admin

Now, to remove the root access you need to set PermitRootLogin entry to no in the SSH config file located in /etc/ssh/sshd_config and restart the sshd service.

# Restart sshd service
systemctl restart sshd

EDITED-After implementing the previous tip, you might find it difficult to switch from admin to root by providing a password. You can do this much more simpler by removing the password prompt. To this end, you can add a new line of config to /etc/sudoers file after root ALL=(ALL:ALL) ALL.

admin    ALL=NOPASSWD:ALL

As well, you need to comment %sudo ALL=(ALL:ALL) ALL line to be like this:

#%sudo  ALL=(ALL:ALL) ALL

Now, you should be able to switch to root using su command. As a result, just after logging in with admin user, you can simply switch to root without getting any password prompt.

# Swith to root user without providing password
sudo su root

Tip 4- Changing SSH Port

Changing the port number is a simple way to hide a VPS from crawlers. SSH uses port 22 by default, however, you can simply modify it to any port number from 1024 to 65,535 (ports 0 to 1023 are reserved). Nevertheless, using a 5-digit and uncommon port number is recommended. To do this, you can modify the port number in /etc/ssh/sshd_config by setting Port entry and reset sshd service.

NOTE - Before updating the SSH port number, be sure that you have opened the new port number through ufw if the firewall is already active. I you don't know what this means, please don't touch the port number until you have read ufw tip in the below sections.

# Restart sshd service
sudo systemctl restart sshd

Tip 5- Block Unused Ports

Although firewall configuration is not an SSH-related tip, it is worth mentioning as it is a crucial step when you are trying to connect to a VPS. Using a firewall in Ubuntu is not that much complex as you might expect. In Ubuntu, there is an out-of-the-box firewall named Uncomplicated Firewall and as can be inferred from its name it's easy to use. ufw is the command-line tool for working with that. By activating ufw you can control the network stream using different filters like ports and IPs. To this end, you can use allow and deny commands to manage a port.
NOTE - Before activating the firewall, make sure the SSH port is allowed (default port 22 unless you have changed it before), otherwise, you will lose your access to the VPS.

# Open SSH port
sudo ufw allow ssh
# - OR -
sudo ufw allow [SSH_PORT]

# Block a port
sudo ufw deny [UNUSED_PORT]

# Activate firewall
sudo ufw enable

# Check firewall status
sudo ufw enable

Tip 6- Block ping Requests

Similar to Tip 5, this topic is not related to SSH, but it's a simple yet effective action to elevate the server's security. Ping service responds to icmp packets requested from a client and it is widely used to test whether a server is reachable over a specific IP address or not. However, it can be used by crawlers to find your server's IP address as you are responding to their ping requests.

To deactivate ping permanently (which means it won't be activated again after reboot) you need to switch to root user and set net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf file (append if it's not existing in the file) and run sysctl -p command afterwards. In some Linux distros, you may notice that the setting is gone. In this case, you can try to append the same line of setting to /etc/ufw/sysctl.conf file.

# Switch to root
su root

# Append the config file
nano /etc/sysctl.conf
# OR
nano /etc/ufw/sysctl.conf

ow sysctl -p

Now, you try to ping the server and make sure that it's working.

Final Words!

These tips will help you to have a better experience in working with an SSH client. Keep in mind, if you find something tedious in your everyday work, you may find a better way to do that. Just be careful, in working with a VPS, a simple mistake may result in a major security risk or maybe a loss in your access to your server.

Beginners’ Guide To Run A Linux Server Securely

Hadi Samadzad — Tue, 17 Jan 2023 00:40:52 +0000

Easy steps to Linux Server hardening for Linux newbies

Linux could be a fantastic choice for your next cloud server. Imagine you can benefit from an up-to-date and fully-loaded operating system on a 90s hardware configuration of 512 MB and 1-core CPU. Apart from technical benefits, it is the cheapest option to have; so you may have decided to run your services on it. Although connecting to a server just using a single line command, keeping it secure could be a bit tricky. I will go through what you need to take some essential considerations for tackling common security risks with server hardening.

Choosing a Distro to Start

Unlike Windows and macOS, Linux is a family of open-source operating systems and many different distros are published up to now. Some of the most popular Linux distros are Red Hat, CentOS, Fedora, Debian, Ubuntu, Kali, Mint, etc. However, from a high-level point of view, there are two major family distros: Red Hat-based and Debian-based.

For many Linux beginners, it is a matter of high significance to choose a distro as a starting point. Although you can take your time to thoroughly investigate different options, the best course would be just starting with one of them and be sure you will enjoy the taste of Linux with all of them. By the way, if you have no idea and just want to start, my recommendation is to choose Ubuntu thanks to its community and its myriad of available documents.

Ubuntu is a Debian-based Linux distribution introduced by Canonical in 2004. There are three editions of Ubuntu: Desktop, Server, and Core. The second edition as its name shows is considered to be used for servers. Against the Desktop edition, Ubuntu Server doesn’t comprise any graphical user interface and you may use a command-line tool named bash to manage the server.

Connecting to Server

No matter which provider you choose to buy a server from, after ordering a VPS you need to acquire its connection info. Generally, it should be dropped in your inbox as soon as you check out your order. All you need to connect and set up your machine are two things: the server’s address and its root password.

To connect to the server, you may need an application that supports SSH which is a protocol for communication between two computers. Does not matter if you are using Windows or macOS, you can connect to your server using the ssh command in a command-line tool like this:

ssh [USER]@[SERVER_IP_Address]

Possibly, providers do not mention the username but you should know the username is root*. *By executing the ssh command, you will be prompted to insert the password and by providing that, you will log in to your fantastic server.

Once you logged in, you can see a couple of information about the Ubuntu version and allocated hard disk capacity and can start loading your services, however, you may need to do further steps to secure your server as there are others intended to use your resources illegally without taking its responsibility. Therefore, it is crucial for you to apply at least some essential security measures on your newly bought machine.

Knowing The Threats

Suppose an evil wants to use your machine without your allowance, what do they need? Yeah, the server IP address and the password.

Although finding a combination of an unknown IP address and a random password might seem to be impossible, believe me, it is viable via a brute force tool as I have been a victim a couple of times. Just to have a clue check the server’s IP address using *ping *and you will see how a valid IP can be identified among many other invalid IP addresses.

ping [SERVER_IP_ADDRESS]

As soon as unauthorized access is attained, it is not predictable in which way they will use your resources with your responsibility. Let’s dive into some simple steps you can do to minimize the risks.

Adding some security

**Step 1 — Strong Password: **This is the first way that comes to mind. Based on password strength checker tools like this, if you use a random password it should be at least 10 characters in length so that it takes 1 day to be found by bots. As well, it may be much easier if you use a pattern to create your password, so, go for a longer password in length.

**Step 2 — Remove root access: **You can simply add another complexity to the SSH login by removing root access. This way, plus the IP address and password, the username must be provided to log in, as the default username which is root **is blocked. To this end, before blocking root access, you need to add a new sudoer user to the server.

# Add a user
sudo useradd -m {username}

# Set a password for new user
sudo passwd {username}

# Add the new user to sudoers' list
usermod -aG sudo {username}

Next, you should disable root login from ssh_config (you may need to install nano using apt install nano):

# Open SSH config file
nano /etc/ssh/sshd_config

Find PermitRootLogin, uncomment the line by removing # and set to no. The final state of this parameter should be as shown.

Then, after saving the file you need to restart ssh service.

systemctl restart sshd

Note: For many operations on the server you need an sudo access; so after login using the new user, you can switch back to root using su command.

su root

Step 3 — Change *ssh *port number: SSH uses a default port 22 which can be modified in the sshd_config config file. This change adds another complexity for connecting to the server because the port number has to be provided in the login. To this end, you must open the file again and change the value of Port to another number like 12345. Likewise, you need to restart ssh service again. Not to forget to mention that after changing the default port number you should provide that in the login.

ssh -p [NEW_PORT_NUMBER] [USER]@[SERVER_IP_Address]
# example: ssh -p 12345 admin@8.8.8.8

Conclusion

It is worth understanding how to tackle security risks. I mean, although it is difficult to guarantee that the server will be totally safe, adding complexity is a reasonable and effective approach for server hardening meaning that crawlers and bots must do much more effort to do their evil mean.