I am totally impressed with new Ubuntu Linux server. Default installation did not install any single service :)
This gives pretty good control over box. Following command returned nothing:
$ sudo netstat -tulpn
However sshd is bare minimum these days and it should be installed by default.
To install openssh server type following command:
$ sudo apt-get install openssh-server
Make sure openssh is running:
$ netstat -tulpnOutput:
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp6 0 0 :::22 :::* LISTEN 3458/sshd
Now we will tight openssh security. First change default 22 port to something else like 512. This will avoid automated tools login into your box:
$ sudo su -
# vi /etc/ssh/sshd_config
Find line that read as follows:
Port 22
Replace port 22 with 512:
Port 512
Save and close the file. Restart sshd:
# /etc/init.d/ssh restartOutput:
* Restarting OpenBSD Secure Shell server...
Finally make sure you open port 512 using iptables. Type the following command to list current firewall rules:
$ sudo iptables -L -n
Output:
Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6882 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:514 ACCEPT all -- 192.168.1.100 0.0.0.0/0 ACCEPT all -- 192.168.1.101 0.0.0.0/0 ACCEPT all -- 192.168.1.102 0.0.0.0/0 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 DROP all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Use GUI program such as firestarter to manage and open port 22 (ssh port).
$ sudo firestarter &
Updated for accuracy.
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- 10 Greatest Open Source Software Of 2009
- My 10 UNIX Command Line Mistakes
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
- Email this to a friend
- Download PDF version
- Printable version
- Comment RSS feed
- Last Updated: Mar/30/2007
{ 1 trackback }
{ 20 comments… read them below or add one }
short but to the point and of use!
shouldn’t package name be openssh-server, hyphen is in wrong place?
Rich,
Thanks for heads up! Article is updated!!!
Hey! This ie exactly what I was looking for. Thanks so much!
Well it seems to match. However SSH still isn’t working.
neon.
What error you are getting?
Hm … I can SSH into my server when the port is set to 22 but as soon as I set it up to a high number (30,000) and restart the ssh server all I get are server rejections. ssh -p 30000 cappy@127.0.0.1 just won’t work =(
Make sure firewall is not blocking your port 30000. Run following command to see current iptables.
sudo iptables -L -nOR
iptables -L -nAlso /etc/hosts.allow and /etc/hosts.deny can block access.
I followed the instructions and I seem to be going alright, I can ssh locally as another user but I cannot seem to log in from remote locations, just seems to time out. Any ideas?
The problem was that I ran “/etc/init.d/ssh restart” as a user and not as an admin. It ended up giving a bunch of RSA errors and somehow prevented the system from switching ports when I then ran it from root. A simple reboot fixed it. Thanks for the guide!
what is the point that after changing port from 22 to 512, but still to make sure iptables open port 22?
xain,
It was typo and post has been updated. Thanks for heads up.
I cant get it to work. When i try to run openssh-server it just says fail.
what is difference with login in with login and password and with PUB key ? also what if I have 10 users who needs to login to my Linux box, what is best way for them to login ? with login and password or with PUB KEYS ?
I can ssh from ubuntu to osX, but not from osX to ubuntu. I had the same situation where I could go from winXP to osX, but not the other way. Since it works ubuntu to osX does that mean I need to switch the dsa keys around, or do they work but ways? So, it seems like the problem must be in ubuntu’s firewall or the router’s portforwarding. When I setup portforwarding I feel like I should open port 22 for the mac’sip if i want to get into the mac. Strangely that doesn’t work, but when I open port 22 for 192.168.0.1 (the router’s ip) then I can ssh into the mac. I want to have SAMBA and VNC forwarded over ssh. I want the ubuntu to be headless but then I want to open VLC on the mac and watch a movie from the ubuntu. Once long ago I was able to get VNC to work both ways with a mac and a win2k machine. I don’t know what I’m doing wrong.
First time installing ubuntu 7.10. This was very helpful.
Good article. Short, complete and to the point.
Thanks.
Ubuntu 8.10 64 bits, no firewall active.
After changing ssh listning port from 22 to 2223, connecting fails, see dump below
Can somebody explain what can cause a ‘Read from socket failed: Connection reset by peer’. The question is in several forums, couldn’t find answers yet.
dump:
Thanks it works !!!
Hi,
I try installing Ubuntu Server 8.10, and i tell u, installation when just fine. I get stuck on the part where u need to configure /etc/network/interfaces, that, because i need the server to have a static IP. I have ADSL connection, and IP’s r assing by the modem/router (Thompson SpeedTouch). IP’s r configure as “start 10.0.0.34 – end 10.0.0.134″ “sbnetmask 255.255.255.0″ that’s in the modem/router, and obvious it gives me the router IP number. Now, if i want to assing a static IP to the server it should be some like “10.0.0.3″ SM “255.255.255.0″ and what is Broadcast, Network and some other’s that has to be edited with “VIM”. I mean, im from windows xp, and i want to host my own web page, and mail server, plus some sharing files locally, maybe log-on remotelly… that’s all i want; but this part is killing me. anyone willing to help please? thanks in advanced.