Ubuntu Linux install and configure OpenSSH (SSHD) server

November 9, 2006 · 25 comments · LAST UPDATED March 30, 2007


I am totally impressed with the new Ubuntu Linux server. The default installation did not install a single service :)

This gives pretty good control over the box. The following command returned nothing:
$ sudo netstat -tulpn

However, sshd is the bare minimum these days and it should be installed by default.

To install the OpenSSH server, type the following command:
$ sudo apt-get install openssh-server

Make sure openssh is running (root is needed to see the PID/Program name column):
$ sudo netstat -tulpn
Output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::22                   :::*                    LISTEN     3458/sshd

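Now we will tighten openssh security. First, change the default port 22 to something else, such as 512. This keeps automated tools that only try the default port from attempting logins on your box; it cuts down on noise but is not a replacement for strong authentication. Open the configuration file as root: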
$ sudo su -
# vi /etc/ssh/sshd_config

Find the line that reads as follows:
Port 22
Replace port 22 with 512:
Port 512
Save and close the file. Restart sshd:
# /etc/init.d/ssh restart
Output:

 * Restarting OpenBSD Secure Shell server... 

Finally, make sure you open port 512 using iptables. Type the following command to list the current firewall rules:
$ sudo iptables -L -n
Output:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6881:6882
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:514
ACCEPT     all  --  192.168.1.100        0.0.0.0/0
ACCEPT     all  --  192.168.1.101        0.0.0.0/0
ACCEPT     all  --  192.168.1.102        0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Use a GUI program such as firestarter to manage the firewall and open port 22 (ssh port).
$ sudo firestarter &
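
The port set in sshd_config can be checked against the firewall listing before sshd is restarted. The script below is an added example, not part of the original article: the function names are hypothetical, and the sample listing is constructed (a trimmed copy of the INPUT chain above plus a made-up OUTPUT rule to show that only INPUT is considered).

```sh
# Added example, not from the original article; function names are hypothetical.

# Print every Port directive in an sshd_config (sshd defaults to 22 if none is set).
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Read `iptables -L -n` output on stdin; succeed if the INPUT chain has an
# explicit tcp ACCEPT rule whose dpt:/dpts: match covers port $1.
# "ACCEPT all" lines are ignored on purpose: without -v the listing hides the
# interface, so such a line may be a loopback-only rule.
port_allowed() {
    awk -v port="$1" '
        $1 == "Chain" { in_input = ($2 == "INPUT"); next }
        in_input && $1 == "ACCEPT" && $2 == "tcp" {
            for (i = 6; i <= NF; i++) {
                n = split($i, p, ":")
                if (p[1] == "dpt"  && n == 2 && p[2] + 0 == port + 0) ok = 1
                if (p[1] == "dpts" && n == 3 && port + 0 >= p[2] + 0 && port + 0 <= p[3] + 0) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample: trimmed INPUT chain from the article, plus a made-up OUTPUT rule.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6881:6882
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:514
DROP       all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:512
EOF
}

# Constructed sshd_config fragment using the article's new port.
cfg=$(mktemp)
printf '#Port 22\nPort 512\n' > "$cfg"
for p in $(sshd_ports "$cfg"); do
    sample_listing | port_allowed "$p" && echo "tcp/$p: ACCEPT rule present" \
        || echo "tcp/$p: no ACCEPT rule in INPUT"
done
rm -f "$cfg"
```

On a live host, pipe `sudo iptables -L -n` into `port_allowed` instead of the sample. A missing rule can be added with `sudo iptables -I INPUT -p tcp --dport 512 -j ACCEPT`; insert rather than append, because the chain ends in a catch-all DROP.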

Updated for accuracy.


{ 25 comments… read them below or add one }

1 alex November 9, 2006 at 2:19 pm

short but to the point and of use!


2 rich November 12, 2006 at 11:30 am

shouldn’t package name be openssh-server, hyphen is in wrong place?


3 nixCraft November 12, 2006 at 12:29 pm

Rich,

Thanks for heads up! Article is updated!!!


4 Gabe November 30, 2006 at 9:01 pm

Hey! This is exactly what I was looking for. Thanks so much!


5 neon January 31, 2007 at 7:49 am

Well it seems to match. However SSH still isn’t working.


6 nixCraft February 1, 2007 at 10:01 pm

neon.

What error are you getting?


7 Cappy February 15, 2007 at 12:56 am

Hm … I can SSH into my server when the port is set to 22 but as soon as I set it up to a high number (30,000) and restart the ssh server all I get are server rejections. ssh -p 30000 cappy@127.0.0.1 just won’t work =(


8 nixCraft February 15, 2007 at 4:17 am

Make sure the firewall is not blocking your port 30000. Run the following command to see the current iptables rules.
sudo iptables -L -n
OR
iptables -L -n

Also /etc/hosts.allow and /etc/hosts.deny can block access.


9 Fulano February 27, 2007 at 7:38 am

I followed the instructions and I seem to be going alright, I can ssh locally as another user but I cannot seem to log in from remote locations, just seems to time out. Any ideas?


10 Cappy February 27, 2007 at 9:12 am

The problem was that I ran “/etc/init.d/ssh restart” as a user and not as an admin. It ended up giving a bunch of RSA errors and somehow prevented the system from switching ports when I then ran it from root. A simple reboot fixed it. Thanks for the guide!


11 xain March 29, 2007 at 2:05 pm

what is the point that after changing port from 22 to 512, but still to make sure iptables open port 22?


12 nixCraft March 30, 2007 at 3:20 am

xain,

It was typo and post has been updated. Thanks for heads up.


13 Markku April 1, 2007 at 8:42 pm

I can’t get it to work. When I try to run openssh-server it just says fail.


14 sungmin June 17, 2007 at 8:09 pm

What is the difference between logging in with login and password and with PUB key? Also, what if I have 10 users who need to login to my Linux box, what is the best way for them to login? With login and password or with PUB KEYS?


15 brandon October 29, 2007 at 3:40 am

I can ssh from ubuntu to osX, but not from osX to ubuntu. I had the same situation where I could go from winXP to osX, but not the other way. Since it works ubuntu to osX does that mean I need to switch the dsa keys around, or do they work both ways? So, it seems like the problem must be in ubuntu’s firewall or the router’s portforwarding. When I setup portforwarding I feel like I should open port 22 for the mac’s ip if I want to get into the mac. Strangely that doesn’t work, but when I open port 22 for 192.168.0.1 (the router’s ip) then I can ssh into the mac. I want to have SAMBA and VNC forwarded over ssh. I want the ubuntu to be headless but then I want to open VLC on the mac and watch a movie from the ubuntu. Once long ago I was able to get VNC to work both ways with a mac and a win2k machine. I don’t know what I’m doing wrong.


16 loh March 22, 2008 at 3:05 pm

First time installing ubuntu 7.10. This was very helpful.


17 El Perro Loco January 2, 2009 at 2:44 pm

Good article. Short, complete and to the point.
Thanks.


18 ssh_user April 7, 2009 at 8:51 pm

Ubuntu 8.10 64 bits, no firewall active.
After changing ssh listening port from 22 to 2223, connecting fails, see dump below.
Can somebody explain what can cause a ‘Read from socket failed: Connection reset by peer’. The question is in several forums, couldn’t find answers yet.

dump:

jaap@jaap-laptop:~$ ssh -p 2223 jaap@localhost -vvv
OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 2223.
debug1: Connection established.
debug1: identity file /home/jaap/.ssh/identity type -1
debug1: identity file /home/jaap/.ssh/id_rsa type -1
debug1: identity file /home/jaap/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-3ubuntu1
debug1: match: OpenSSH_5.1p1 Debian-3ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer


19 Japan Shah July 6, 2009 at 5:15 am

Thanks it works !!!


20 I can't see to get this working January 28, 2010 at 10:28 am

Hi,
I try installing Ubuntu Server 8.10, and I tell u, installation went just fine. I get stuck on the part where u need to configure /etc/network/interfaces, that, because I need the server to have a static IP. I have ADSL connection, and IP’s r assigned by the modem/router (Thompson SpeedTouch). IP’s r configured as “start 10.0.0.34 – end 10.0.0.134” “sbnetmask 255.255.255.0” that’s in the modem/router, and obvious it gives me the router IP number. Now, if I want to assign a static IP to the server it should be something like “10.0.0.3” SM “255.255.255.0” and what is Broadcast, Network and some other’s that has to be edited with “VIM”. I mean, I’m from windows xp, and I want to host my own web page, and mail server, plus some sharing files locally, maybe log-on remotely… that’s all I want; but this part is killing me. Anyone willing to help please? Thanks in advance.


21 Samuel Berryman February 27, 2010 at 12:46 pm

I have just installed Ubuntu 9.10 and it is all working fine! However when I try to install openssh like it tells me to above I get the following error:

Reading Package Lists… Done
Building dependency tree
Reading state information… Done
package openssh-server is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package openssh-server has no installation candidate

I don’t know why it is doing this and really could do with some help please!


22 Dmitry April 12, 2010 at 8:16 am

I had the same problem.
All you need to do is to update your system:
>sudo aptitude update


23 Melroy van den Berg May 21, 2010 at 9:33 pm

You can also try putty, I prefer that more than firestarter.


24 trioggle June 2, 2010 at 2:05 am

Firestarter is a firewall gui, putty is a shell client.


25 hejmiki September 10, 2010 at 3:06 pm

I think there is another TYPO

Correct me if I’m wrong
You set up Port 22 –> Port 512

and then in your output of sudo iptables -L -n
there is no rule for accepting tcp on Port 512 but there is Port 514 (udp)
