In this post, we will see how to install an SSH server on an Ubuntu Server so that we can access it remotely, either from the local network or over the internet. We will also see the settings required to make the SSH service safer to expose to the public internet.

The following guide assumes that we have a server running at home, on our local network, but the same applies to a remote server running on a VPS provider (like Digital Ocean, AWS, Linode, …). The only major difference is that with a public server you do not need to set up any port forwarding, as that step applies only to home users.

Install OpenSSH

First we need to install the SSH server (sshd) if it is not already present:

sudo apt install openssh-server

Verify that the service is running:

sudo systemctl status ssh

If not then start it and enable it as follows:

sudo systemctl enable ssh
sudo systemctl start ssh

Configure firewall

If we have a firewall running we must open the SSH port in order to reach the server. The default port for SSH is 22, but we are going to change it later for security reasons. For now we will allow access on port 22.

If we have not installed or configured a firewall like ufw, we can do so as follows:

# Install ufw
sudo apt install ufw
# Set the default policy: deny all incoming connections and allow all outgoing connections
sudo ufw default deny incoming
sudo ufw default allow outgoing

Then we can open only the port needed for SSH by running the following commands:

sudo ufw allow ssh
sudo ufw enable
sudo ufw status verbose

The allow ssh command opens port 22/tcp, the port that /etc/services maps to the ssh service name.

If you already know the port number you are going to use (e.g. port 44444), allow the new port now. Only remove the port 22 rule after you have confirmed, from another machine, that you can log in on the new port; otherwise a typo in the new rule locks you out. Note that ufw evaluates rules in order and stops at the first match, so appending sudo ufw deny ssh after the earlier allow rule does nothing, because the allow rule is matched first. Delete the allow rule instead:

sudo ufw allow 44444/tcp
sudo ufw enable
sudo ufw status verbose
# Only after you have tested a login on the new port:
sudo ufw delete allow ssh

Test SSH connection

From another computer that has an SSH client installed, try connecting to the server with a user account you have access to:

ssh user@server-ip

SSH Config

We will now edit /etc/ssh/sshd_config, which holds all the configuration for the SSH server, in order to make the service more secure. Two things to know before editing: sshd uses the first value it reads for each keyword, not the last, and recent Ubuntu releases start the file with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file in that directory takes precedence over anything set later in the main file and is a clean place to keep your changes:

sudo vim /etc/ssh/sshd_config

Disallow root login

It is best to disable root SSH logins: root is a username every attacker already knows, so allowing it means a brute-force attempt only has to guess the password. If you need root, log in as a normal user and, if you have sudo privileges, run sudo -i (or sudo su) to become root.

Ubuntu locks the root account's password by default, so password logins as root already fail and you can only become root from a sudo user; setting this explicitly changes little, but it is best practice and also blocks key-based root logins should a key ever be added to root's authorized_keys:

PermitRootLogin no

Change port

This is the change that most reduces noise on a publicly reachable SSH service: most automated brute-force scripts and bots hit the default port 22 and nothing else. It is obscurity rather than a security control (a port scan finds the new port in seconds), so treat it as a complement to key-only authentication, not a replacement. Pick a port above 1024 (1024-49151 is the IANA registered range, 49152-65535 the dynamic/private range that is never assigned to a service); the examples below use 44444:

Port 44444

Disallow password authentication

Another setting that stops unwanted login attempts almost entirely is to disable password authentication, so that the only way in is an SSH key. If you are planning to configure SSH keys so that you log in without typing a password, it is best to disable passwords completely. Also make sure KbdInteractiveAuthentication (ChallengeResponseAuthentication on older releases) is set to no, which Ubuntu's default file already does; otherwise PAM can still prompt for a password.

Only change this after you have configured the SSH keys on the server and client and verified that you can log in without a password, otherwise you will not be able to SSH into the server at all. Keep your current session open and test a new login from a second terminal before closing it:

PasswordAuthentication no

Allow specific users and groups

You can also allow only specific users or groups to log in over SSH. sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order and a login must pass all of them, so a user listed in AllowUsers who is not a member of an AllowGroups group is still refused. Entries accept patterns such as USER_NAME@192.168.1.* to restrict a user to a source address:

AllowUsers USER_NAME
AllowGroups GROUP_NAME

Max Tries and Sessions

MaxSessions specifies the maximum number of open sessions (shells, logins or subsystems) multiplexed over a single network connection; unless you use connection sharing (ControlMaster) in your client, keep it low. MaxAuthTries specifies the maximum number of authentication attempts permitted per connection. 6 is the OpenSSH default, so the line below merely pins it; lower it to 3 if you want fewer guesses per connection, but keep it above the number of keys your client offers, since every offered key counts as an attempt:

MaxSessions 3
MaxAuthTries 6

Disable X11 Forwarding and TCP Forwarding

If you do not plan to run graphical applications over SSH, it is best to disable X11 forwarding. Likewise, if you do not plan to forward ports and services from the server to a client machine, disable TCP forwarding, which otherwise lets any logged-in user tunnel traffic through the server:

AllowTcpForwarding no
X11Forwarding no
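
To check the settings above without reading the file by eye, here is an added example, not from the original post, of a small shell audit that reads an sshd_config and reports each hardening directive as OK or WEAK. It applies OpenSSH's rule that the first uncommented occurrence of a keyword wins (the reason a drop-in in /etc/ssh/sshd_config.d/, which Ubuntu includes at the top of the file, overrides a later line in the main file) and flags a missing AllowTcpForwarding line, since sshd's built-in default for it is yes. The sample configuration it runs against is constructed inline; the directive list and port 44444 are taken from this post, while the function names are this example's own. On a real host, run sshd_audit /etc/ssh/sshd_config, but treat sudo sshd -T, which prints the effective configuration after all Include lines, as the authoritative answer, because this script follows no includes.

```shell
# Added example: offline audit of an sshd_config against the hardening
# directives from this post. Not part of the original post. Parses one file
# only (no Include handling); `sudo sshd -T` is authoritative on a live host.

# Print the effective value of directive $2 in config file $1.
# OpenSSH uses the FIRST uncommented occurrence; prints "<unset>" if absent.
sshd_effective() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }          # comment line
    /^[[:space:]]*$/ { next }          # blank line
    tolower($1) == tolower(key) { print $2; found = 1; exit }
    END { if (!found) print "<unset>" }
  ' "$1"
}

# Print one OK/WEAK line per hardening directive, plus a check that Port is
# set and is not the default 22.
sshd_audit() {
  local file="$1" directive want got
  while read -r directive want; do
    got=$(sshd_effective "$file" "$directive")
    if [ "$got" = "$want" ]; then
      printf 'OK    %-28s %s\n' "$directive" "$got"
    else
      printf 'WEAK  %-28s effective=%s expected=%s\n' "$directive" "$got" "$want"
    fi
  done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
X11Forwarding no
AllowTcpForwarding no
EOF
  got=$(sshd_effective "$file" Port)
  if [ "$got" = "<unset>" ] || [ "$got" = 22 ]; then
    printf 'WEAK  %-28s effective=%s (sshd default is 22)\n' Port "$got"
  else
    printf 'OK    %-28s %s\n' Port "$got"
  fi
}

# Number of WEAK findings for config file $1 (0 means every check passed).
sshd_weak_count() {
  sshd_audit "$1" | grep -c '^WEAK' || true
}

# Constructed sample config (not a real host's file). The first two lines
# stand in for a drop-in from /etc/ssh/sshd_config.d/ that Ubuntu includes
# at the top; the later "PasswordAuthentication yes" is therefore ignored.
SAMPLE_SSHD_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD_CONFIG"' EXIT
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
PasswordAuthentication no
Port 44444
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
X11Forwarding yes
EOF

sshd_audit "$SAMPLE_SSHD_CONFIG"
echo "weak findings: $(sshd_weak_count "$SAMPLE_SSHD_CONFIG")"
```

Against the sample file the audit reports PermitRootLogin (the commented prohibit-password line is skipped, so the later yes is the effective value), X11Forwarding and the absent AllowTcpForwarding as WEAK, while PasswordAuthentication passes because its first occurrence is no.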

Restart SSH server

After all the changes in sshd_config, validate the file with sudo sshd -t (it prints nothing when the configuration is valid) and only then restart the service to apply them; a syntax error would stop sshd from starting, and you cannot reconnect to fix it:

sudo systemctl restart ssh

Restarting sshd does not drop sessions that are already open, so keep your current session and test a new connection on the new port from a second terminal. On Ubuntu releases that start sshd through ssh.socket (22.10 and later), the listening port is set by the socket unit rather than by Port in sshd_config: check systemctl cat ssh.socket and, depending on the release, either run sudo systemctl daemon-reload (newer releases regenerate the socket from sshd_config) or add a drop-in with sudo systemctl edit ssh.socket, then sudo systemctl restart ssh.socket. Whatever the release, confirm the port with sudo ss -tlnp | grep sshd.

Port Forwarding

If you are running the server at home or generally on a local network, you will not be able to reach it from outside. You will have to enable port forwarding in your router/modem for the port you chose for SSH, so that the router forwards the SSH traffic to the computer running the SSH server.

Every router vendor has a different panel and settings for port forwarding; portforward.com has extensive guides for almost every router model.

Generally you want to forward the external (WAN) port you chose, 44444, to the server's LAN IP address on the same port 44444. Do not forward WAN port 22 to the server: that exposes the default port again and brings the scanner traffic back. Give the server a fixed LAN address (a DHCP reservation in the router) so the forwarding rule does not break when its address changes.

Configure SSH Keys

Create SSH Key pair

As already mentioned, you can create an SSH key pair on your local computer (the client) and use it with the server to avoid typing a password on every SSH login.

To do that we first create a key pair on the client machine. We will assume it is a Unix-like machine, but the steps are the same on Windows with OpenSSH installed. The command below creates a 4096-bit RSA key; ssh-keygen -t ed25519 is the modern alternative (shorter keys, fast, and supported by every OpenSSH release since 6.5).

If you don't already have an SSH key pair, you can safely generate one with the ssh-keygen command:

ssh-keygen -t rsa -b 4096 -C "your@email.com"

This creates a new key pair, using the provided email as the comment (label) on the public key.

> Generating public/private rsa key pair.

When you’re prompted to “Enter a file in which to save the key,” press Enter to accept the default location. If you already have a key pair you can reuse it, or generate another one under a different file name; otherwise ssh-keygen will overwrite the existing key stored under the default name id_rsa.

> Enter a file in which to save the key (/home/you/.ssh/id_rsa): [Press enter]

At the prompt, type a secure passphrase. A passphrase protects the private key if the client machine or a backup of it is compromised; ssh-agent (ssh-add ~/.ssh/id_rsa) keeps the convenience by asking for it once per session.

Transfer public key to server

Copy the public key to the server with ssh-copy-id, replacing user, server and port with your username, the server address and the SSH port you configured:

ssh-copy-id -i ~/.ssh/id_rsa.pub -p port user@server

This assumes you saved the key pair under the default name and location; if not, replace ~/.ssh/id_rsa.pub with the path to your own public key. Do this while password authentication is still enabled, since ssh-copy-id needs to log in once with the password. Only ever copy the .pub file; the private key never leaves the client.

Or SSH to the server and add it to authorized_keys manually. sshd (with the default StrictModes yes) refuses keys when ~/.ssh or authorized_keys is writable by others, so set the permissions as well:

mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "YOUR_SSH_PUBLIC_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
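
ssh-copy-id does these steps for you; as an added example, not from the original post, the following shell function reproduces the server-side part by hand with the checks that are easy to forget when appending to authorized_keys manually: it refuses anything that is not shaped like an OpenSSH public-key line, creates ~/.ssh with mode 700 and authorized_keys with mode 600 (sshd's default StrictModes yes rejects keys from a directory or file writable by others), and skips a key that is already present even when its comment differs. The key it installs is a constructed placeholder with the right shape, not real key material, and it works in a temporary directory so your real ~/.ssh is untouched; the function names and the sandbox path are assumptions for this example.

```shell
# Added example: manual authorized_keys installation with the checks that
# ssh-copy-id performs. Not part of the original post. The sample key below
# is a constructed placeholder, not real key material.

# Return 0 if $1 looks like an OpenSSH public-key line: "type base64 [comment]".
# The type list is deliberately short; extend it if you use sk-* keys.
is_pubkey_line() {
  case "$1" in
    'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-nistp256 '*|'ecdsa-sha2-nistp384 '*|'ecdsa-sha2-nistp521 '*) ;;
    *) return 1 ;;
  esac
  # The second field must be base64 (key material); an empty field fails.
  printf '%s\n' "$1" | awk '{ exit ($2 ~ "^[A-Za-z0-9+/]+=*$") ? 0 : 1 }'
}

# Append public-key line $1 to $2/.ssh/authorized_keys ($2 defaults to $HOME),
# creating ~/.ssh (0700) and authorized_keys (0600) as StrictModes requires.
# Returns 0 when installed, 2 when the key is already present, 1 if malformed.
install_pubkey() {
  local key="$1" home="${2:-$HOME}" dir keyfile material
  is_pubkey_line "$key" || { echo "refusing: not a public-key line" >&2; return 1; }
  dir="$home/.ssh"
  keyfile="$dir/authorized_keys"
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$keyfile" && chmod 600 "$keyfile"
  # Compare type + key material only, so a different comment is still a duplicate.
  material=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
  if grep -qF -- "$material" "$keyfile"; then
    echo "already present: $material" >&2
    return 2
  fi
  printf '%s\n' "$key" >> "$keyfile"
}

# Number of key lines in $1/.ssh/authorized_keys.
authorized_key_count() {
  grep -Ec '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys" || true
}

# Constructed sandbox HOME so the example never touches a real ~/.ssh.
SANDBOX_HOME=$(mktemp -d)
trap 'rm -rf "$SANDBOX_HOME"' EXIT
# Placeholder key: correct shape, NOT real key material.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey00000 you@laptop'

install_pubkey "$SAMPLE_PUBKEY" "$SANDBOX_HOME" && echo "installed"
# Same key with a different comment: detected as a duplicate, not appended twice.
install_pubkey "$SAMPLE_PUBKEY other-comment" "$SANDBOX_HOME" || echo "duplicate skipped"
install_pubkey 'not a key at all' "$SANDBOX_HOME" || echo "malformed line rejected"
ls -la "$SANDBOX_HOME/.ssh"
```

On a real server call it as install_pubkey "$(cat id_rsa.pub)" with no second argument to target your own home directory; the duplicate check is what lets you rerun it safely after a failed copy.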