Ubuntu Linux install and configure OpenSSH (SSHD) server

Posted by Vivek Gite [Last updated: March 30, 2007]

I am totally impressed with new Ubuntu Linux server. Default installation did not install any single service

This gives pretty good control over box. Following command returned nothing:
$ sudo netstat -tulpn

However sshd is bare minimum these days and it should be installed by default.

To install openssh server type following command:
$ sudo apt-get install openssh-server

Make sure openssh is running:
$ netstat -tulpnOutput:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::22                   :::*                    LISTEN     3458/sshd

Now we will tight openssh security. First change default 22 port to something else like 512. This will avoid automated tools login into your box:
$ sudo su - # vi /etc/ssh/sshd_config
Find line that read as follows:
Port 22
Replace port 22 with 512:
Port 512
Save and close the file. Restart sshd:
# /etc/init.d/ssh restartOutput:

 * Restarting OpenBSD Secure Shell server...

Finally make sure you open port 512 using iptables. Type the following command to list current firewall rules:
$ sudo iptables -L -n
Output:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6881:6882
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:514
ACCEPT     all  --  192.168.1.100        0.0.0.0/0
ACCEPT     all  --  192.168.1.101        0.0.0.0/0
ACCEPT     all  --  192.168.1.102        0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Use GUI program such as firestarter to manage and open port 22 (ssh port).
$ sudo firestarter &

Updated for accuracy.

Tell us how we're doing: Please answer a few questions about your experience to help us improve nixCraft.

Discussion on This Article:

alex Says: November 9th, 2006 at 2:19 pm
short but to the point and of use!
rich Says: November 12th, 2006 at 11:30 am
shouldn’t package name be openssh-server, hyphen is in wrong place?
nixcraft Says: November 12th, 2006 at 12:29 pm
Rich,

Thanks for heads up! Article is updated!!!
Gabe Says: November 30th, 2006 at 9:01 pm
Hey! This ie exactly what I was looking for. Thanks so much!
neon Says: January 31st, 2007 at 7:49 am
Well it seems to match. However SSH still isn’t working.
nixcraft Says: February 1st, 2007 at 10:01 pm
neon.

What error you are getting?
Cappy Says: February 15th, 2007 at 12:56 am
Hm … I can SSH into my server when the port is set to 22 but as soon as I set it up to a high number (30,000) and restart the ssh server all I get are server rejections. ssh -p 30000 cappy@127.0.0.1 just won’t work =(
nixcraft Says: February 15th, 2007 at 4:17 am
Make sure firewall is not blocking your port 30000. Run following command to see current iptables.
sudo iptables -L -n
OR
iptables -L -n

Also /etc/hosts.allow and /etc/hosts.deny can block access.
Fulano Says: February 27th, 2007 at 7:38 am
I followed the instructions and I seem to be going alright, I can ssh locally as another user but I cannot seem to log in from remote locations, just seems to time out. Any ideas?
Cappy Says: February 27th, 2007 at 9:12 am
The problem was that I ran “/etc/init.d/ssh restart” as a user and not as an admin. It ended up giving a bunch of RSA errors and somehow prevented the system from switching ports when I then ran it from root. A simple reboot fixed it. Thanks for the guide!
xain Says: March 29th, 2007 at 2:05 pm
what is the point that after changing port from 22 to 512, but still to make sure iptables open port 22?
nixcraft Says: March 30th, 2007 at 3:20 am
xain,

It was typo and post has been updated. Thanks for heads up.
Markku Says: April 1st, 2007 at 8:42 pm
I cant get it to work. When i try to run openssh-server it just says fail.
sungmin Says: June 17th, 2007 at 8:09 pm
what is difference with login in with login and password and with PUB key ? also what if I have 10 users who needs to login to my Linux box, what is best way for them to login ? with login and password or with PUB KEYS ?
brandon Says: October 29th, 2007 at 3:40 am
I can ssh from ubuntu to osX, but not from osX to ubuntu. I had the same situation where I could go from winXP to osX, but not the other way. Since it works ubuntu to osX does that mean I need to switch the dsa keys around, or do they work but ways? So, it seems like the problem must be in ubuntu’s firewall or the router’s portforwarding. When I setup portforwarding I feel like I should open port 22 for the mac’sip if i want to get into the mac. Strangely that doesn’t work, but when I open port 22 for 192.168.0.1 (the router’s ip) then I can ssh into the mac. I want to have SAMBA and VNC forwarded over ssh. I want the ubuntu to be headless but then I want to open VLC on the mac and watch a movie from the ubuntu. Once long ago I was able to get VNC to work both ways with a mac and a win2k machine. I don’t know what I’m doing wrong.
loh Says: March 22nd, 2008 at 3:05 pm
First time installing ubuntu 7.10. This was very helpful.