Ubuntu Linux install and configure OpenSSH (SSHD) server

by Vivek Gite · 21 comments

I am totally impressed with the new Ubuntu Linux server. The default installation did not install a single service :)

This gives pretty good control over the box. The following command returned nothing:
$ sudo netstat -tulpn

However, sshd is the bare minimum these days and it should be installed by default.

To install the openssh server, type the following command:
$ sudo apt-get install openssh-server

Make sure openssh is running:
$ netstat -tulpn
Output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::22                   :::*                    LISTEN     3458/sshd

Now we will tighten openssh security. First, change the default port 22 to something else, like 512. This keeps automated tools that only try the default port from attempting logins on your box:
$ sudo su -
# vi /etc/ssh/sshd_config

Find the line that reads as follows:
Port 22
Replace port 22 with 512:
Port 512
Save and close the file. Restart sshd:
# /etc/init.d/ssh restart
Output:

 * Restarting OpenBSD Secure Shell server... 

Finally make sure you open port 512 using iptables. Type the following command to list current firewall rules:
$ sudo iptables -L -n
Output:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6881:6882
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:514
ACCEPT     all  --  192.168.1.100        0.0.0.0/0
ACCEPT     all  --  192.168.1.101        0.0.0.0/0
ACCEPT     all  --  192.168.1.102        0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Use a GUI program such as firestarter to manage the firewall and open port 22 (ssh port).
$ sudo firestarter &
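
The port change and the firewall check above, as an added example that is not code from the original post: `set_sshd_port` and `tcp_port_open` are hypothetical helper names, and the sample rules are part of the INPUT chain from the listing above. On a real host, run `sshd -t` against the edited file before restarting the service.

```shell
# Added example, not from the original post; function names are hypothetical.

# set_sshd_port FILE PORT: make PORT the only active Port line in FILE.
set_sshd_port() {
    local file=$1 port=$2 tmp
    case $port in ''|*[!0-9]*) return 2 ;; esac        # digits only
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    [ -f "$file" ] && tmp=$(mktemp) || return 1
    # The new line goes first so it cannot land inside a Match block; existing
    # active Port lines (keyword is case-insensitive, "Port=22" is legal) go.
    { echo "Port $port"
      awk '{ k = tolower($1); sub(/=.*/, "", k) } k != "port"' "$file"
    } > "$tmp"
    cat "$tmp" > "$file"                                # keeps owner and mode
    rm -f "$tmp"
}

# tcp_port_open PORT: read "iptables -L -n" output on stdin; succeed if the INPUT
# chain has a tcp ACCEPT rule from any source whose dpt/dpts covers PORT.
tcp_port_open() {
    awk -v p="$1" '
        /^Chain / { in_input = ($2 == "INPUT"); next }
        in_input && $1 == "ACCEPT" && $2 == "tcp" && $4 == "0.0.0.0/0" {
            for (i = 6; i <= NF; i++) {
                if ($i == "dpt:" p) ok = 1
                if ($i ~ /^dpts:[0-9]+:[0-9]+$/) {
                    split($i, r, ":")
                    if (p + 0 >= r[2] + 0 && p + 0 <= r[3] + 0) ok = 1
                }
            }
        }
        END { exit !ok }'
}

# Sample input: part of the INPUT chain from the listing in the article.
sample_rules() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6881:6882
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     all  --  192.168.1.100        0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

for port in 443 512 6882; do
    sample_rules | tcp_port_open "$port" && echo "tcp/$port open" || echo "tcp/$port closed"
done
```

The check reports 512 as closed for this listing because no rule names that port. `iptables -L -n` without `-v` does not show interface matches, so the helper only evaluates explicit tcp rules and ignores the protocol-wide ACCEPT lines.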

Updated for accuracy.


{ 20 comments… read them below or add one }

1 alex 11.09.06 at 2:19 pm

short but to the point and of use!

2 rich 11.12.06 at 11:30 am

shouldn’t package name be openssh-server, hyphen is in wrong place?

3 nixcraft 11.12.06 at 12:29 pm

Rich,

Thanks for the heads up! The article is updated!!!

4 Gabe 11.30.06 at 9:01 pm

Hey! This is exactly what I was looking for. Thanks so much!

5 neon 01.31.07 at 7:49 am

Well it seems to match. However SSH still isn’t working.

6 nixcraft 02.01.07 at 10:01 pm

neon.

What error are you getting?

7 Cappy 02.15.07 at 12:56 am

Hm … I can SSH into my server when the port is set to 22 but as soon as I set it up to a high number (30,000) and restart the ssh server all I get are server rejections. ssh -p 30000 cappy@127.0.0.1 just won’t work =(

8 nixcraft 02.15.07 at 4:17 am

Make sure the firewall is not blocking your port 30000. Run the following command to see the current iptables rules.
sudo iptables -L -n
OR
iptables -L -n

Also /etc/hosts.allow and /etc/hosts.deny can block access.

9 Fulano 02.27.07 at 7:38 am

I followed the instructions and I seem to be going alright, I can ssh locally as another user but I cannot seem to log in from remote locations, just seems to time out. Any ideas?

10 Cappy 02.27.07 at 9:12 am

The problem was that I ran “/etc/init.d/ssh restart” as a user and not as an admin. It ended up giving a bunch of RSA errors and somehow prevented the system from switching ports when I then ran it from root. A simple reboot fixed it. Thanks for the guide!

11 xain 03.29.07 at 2:05 pm

what is the point that after changing port from 22 to 512, but still to make sure iptables open port 22?

12 nixcraft 03.30.07 at 3:20 am

xain,

It was a typo and the post has been updated. Thanks for the heads up.

13 Markku 04.01.07 at 8:42 pm

I can't get it to work. When I try to run openssh-server it just says fail.

14 sungmin 06.17.07 at 8:09 pm

what is difference with login in with login and password and with PUB key ? also what if I have 10 users who needs to login to my Linux box, what is best way for them to login ? with login and password or with PUB KEYS ?

15 brandon 10.29.07 at 3:40 am

I can ssh from ubuntu to osX, but not from osX to ubuntu. I had the same situation where I could go from winXP to osX, but not the other way. Since it works ubuntu to osX does that mean I need to switch the dsa keys around, or do they work both ways? So, it seems like the problem must be in ubuntu’s firewall or the router’s portforwarding. When I set up portforwarding I feel like I should open port 22 for the mac’s ip if I want to get into the mac. Strangely that doesn’t work, but when I open port 22 for 192.168.0.1 (the router’s ip) then I can ssh into the mac. I want to have SAMBA and VNC forwarded over ssh. I want the ubuntu to be headless but then I want to open VLC on the mac and watch a movie from the ubuntu. Once long ago I was able to get VNC to work both ways with a mac and a win2k machine. I don’t know what I’m doing wrong.

16 loh 03.22.08 at 3:05 pm

First time installing ubuntu 7.10. This was very helpful.

17 El Perro Loco 01.02.09 at 2:44 pm

Good article. Short, complete and to the point.
Thanks.

18 ssh_user 04.07.09 at 8:51 pm

Ubuntu 8.10 64 bits, no firewall active.
After changing the ssh listening port from 22 to 2223, connecting fails, see dump below.
Can somebody explain what can cause a ‘Read from socket failed: Connection reset by peer’. The question is in several forums, couldn’t find answers yet.

dump:

jaap@jaap-laptop:~$ ssh -p 2223 jaap@localhost -vvv
OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 2223.
debug1: Connection established.
debug1: identity file /home/jaap/.ssh/identity type -1
debug1: identity file /home/jaap/.ssh/id_rsa type -1
debug1: identity file /home/jaap/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-3ubuntu1
debug1: match: OpenSSH_5.1p1 Debian-3ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer

19 Japan Shah 07.06.09 at 5:15 am

Thanks it works !!!

20 I can't see to get this working 01.28.10 at 10:28 am

Hi,
I tried installing Ubuntu Server 8.10, and I tell you, installation went just fine. I get stuck on the part where you need to configure /etc/network/interfaces, because I need the server to have a static IP. I have an ADSL connection, and IPs are assigned by the modem/router (Thompson SpeedTouch). IPs are configured as “start 10.0.0.34 – end 10.0.0.134” “sbnetmask 255.255.255.0”, that’s in the modem/router, and obviously it gives me the router IP number. Now, if I want to assign a static IP to the server it should be something like “10.0.0.3” SM “255.255.255.0”, and what are Broadcast, Network and the others that have to be edited with “VIM”? I mean, I’m from windows xp, and I want to host my own web page and mail server, plus some file sharing locally, maybe log on remotely… that’s all I want; but this part is killing me. Anyone willing to help please? Thanks in advance.
