Debian SSH Configuration
Introduction
Secure Shell (SSH) is a cryptographic network protocol that enables secure communication over an unsecured network. On Debian systems, SSH provides a secure way to access remote servers, execute commands, manage files, and tunnel network connections. This guide will walk you through the complete process of configuring SSH on Debian systems, from installation to advanced security hardening techniques.
SSH operates on a client-server model, allowing you to connect from your local machine (client) to remote servers. All data transmitted between the client and server is encrypted, protecting your information from eavesdropping and man-in-the-middle attacks.
Installing SSH on Debian
The SSH server component is called OpenSSH Server (package name: openssh-server
), while the client component is OpenSSH Client (package name: openssh-client
). On most Debian installations, the client is pre-installed, but you'll need to install the server to accept incoming connections.
Installing the SSH Server
sudo apt update
sudo apt install openssh-server
After installation, the SSH service should start automatically. You can verify its status with:
sudo systemctl status ssh
Output:
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-10-09 14:30:45 UTC; 5s ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 1234 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 1235 (sshd)
Tasks: 1 (limit: 4915)
Memory: 1.1M
CPU: 25ms
CGroup: /system.slice/ssh.service
└─1235 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
If you need to manually start, stop, or restart the SSH service:
sudo systemctl start ssh # Start the service
sudo systemctl stop ssh # Stop the service
sudo systemctl restart ssh # Restart the service
To enable SSH to start at boot:
sudo systemctl enable ssh
SSH Configuration Files
The main SSH configuration files on Debian are:
- Server configuration:
/etc/ssh/sshd_config
- Client configuration:
/etc/ssh/ssh_config
- User-specific client configuration:
~/.ssh/config
SSH Server Configuration
The /etc/ssh/sshd_config
file controls the behavior of the SSH server. Let's explore some important settings:
sudo nano /etc/ssh/sshd_config
Here are key directives you might want to modify:
Port Setting
# Change the default SSH port (default is 22)
Port 22
Changing the default port can reduce automated attacks, but remember that you'll need to specify this port when connecting.
Protocol Version
Modern SSH servers use Protocol 2 exclusively, which is more secure than Protocol 1:
# Only use SSH protocol version 2
Protocol 2
Connection Settings
# Number of authentication attempts permitted
MaxAuthTries 6
# Maximum number of concurrent unauthenticated connections
MaxStartups 10:30:100
# Client alive interval in seconds (server checks if client is alive)
ClientAliveInterval 300
# Maximum client alive count (number of checks before disconnecting)
ClientAliveCountMax 3
# Timeout in seconds for login
LoginGraceTime 120
Authentication Settings
# Disable root login
PermitRootLogin no
# Disable password authentication (require key-based authentication)
PasswordAuthentication no
# Disable empty passwords
PermitEmptyPasswords no
# Enable public key authentication
PubkeyAuthentication yes
# Configure authorized keys file location
AuthorizedKeysFile .ssh/authorized_keys
After making changes to the configuration file, you need to restart the SSH service:
sudo systemctl restart ssh
Setting Up Key-Based Authentication
Key-based authentication is more secure than passwords. It uses a pair of cryptographic keys: a private key on your client and a public key on the server.
Step 1: Generate SSH Key Pair on Your Client
On your local machine (not the server), generate an SSH key pair:
ssh-keygen -t ed25519 -C "[email protected]"
Ed25519 is a modern, secure and efficient algorithm. If you need compatibility with older systems, you can use:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
You'll be prompted to provide a file path and passphrase:
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/username/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
This creates:
- Private key:
~/.ssh/id_ed25519
- Public key:
~/.ssh/id_ed25519.pub
Step 2: Copy the Public Key to Your Server
There are two ways to do this:
Option 1: Using ssh-copy-id (Easiest)
ssh-copy-id username@server_ip
If you're using a non-standard port:
ssh-copy-id -p port_number username@server_ip
Option 2: Manual Copy
First, display your public key:
cat ~/.ssh/id_ed25519.pub
Then, on your server, create the .ssh
directory and the authorized_keys
file if they don't exist:
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Add your public key to the authorized_keys
file:
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8dkVOJ0ij1etgar9RgQ1xEwooF3SJYYKfS3U1CxvCn [email protected]" >> ~/.ssh/authorized_keys
Step 3: Test the Connection
Try connecting to your server:
ssh username@server_ip
If you're using a custom port:
ssh -p port_number username@server_ip
Configuring SSH Client
The system-wide client configuration is in /etc/ssh/ssh_config
, but you can also create a user-specific configuration in ~/.ssh/config
.
Creating a User Configuration File
touch ~/.ssh/config
chmod 600 ~/.ssh/config
nano ~/.ssh/config
Example Configuration
Here's an example configuration with various options:
# Default for all hosts
Host *
ForwardAgent no
ForwardX11 no
PasswordAuthentication no
IdentityFile ~/.ssh/id_ed25519
ServerAliveInterval 60
ServerAliveCountMax 30
# Specific server configuration
Host myserver
HostName 192.168.1.100
Port 2222
User myusername
IdentityFile ~/.ssh/specific_key
# GitHub configuration
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/github_key
With this configuration, you can simply use ssh myserver
instead of ssh -p 2222 [email protected]
.
Securing Your SSH Server
Here are additional security measures for your SSH server:
1. Use SSH Keys Exclusively
Edit /etc/ssh/sshd_config
:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
2. Implement Fail2Ban
Fail2Ban helps protect against brute force attacks by temporarily banning IP addresses with too many failed login attempts.
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Create a custom jail configuration:
sudo nano /etc/fail2ban/jail.d/ssh.conf
Add the following content:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
Restart Fail2Ban:
sudo systemctl restart fail2ban
3. Restrict SSH Access to Specific Users
In /etc/ssh/sshd_config
:
# Allow only specific users
AllowUsers user1 user2
# Alternatively, allow only specific groups
AllowGroups sshusers admins
4. Configure Firewall Rules
Using UFW (Uncomplicated Firewall):
sudo apt install ufw
sudo ufw allow 22/tcp # Or your custom SSH port
sudo ufw enable
5. Use TCP Wrappers
Edit /etc/hosts.allow
:
sshd: 192.168.1.0/24, 10.0.0.0/8
Edit /etc/hosts.deny
:
sshd: ALL
This allows connections only from specific IP ranges.
SSH Tunneling
SSH tunneling allows you to securely forward traffic through an encrypted SSH connection.
Local Port Forwarding
This forwards a port from your local machine to a remote server.
ssh -L local_port:destination_host:destination_port username@ssh_server
Example: Access a remote web server through SSH tunnel:
ssh -L 8080:internal-web-server:80 username@ssh_server
Now you can access the remote web server by browsing to http://localhost:8080
.
Remote Port Forwarding
This forwards a port from the server to your local machine.
ssh -R remote_port:local_host:local_port username@ssh_server
Example: Make your local web server accessible through a remote server:
ssh -R 8080:localhost:80 username@ssh_server
Dynamic Port Forwarding (SOCKS Proxy)
This creates a SOCKS proxy on your local machine.
ssh -D local_port username@ssh_server
Example:
ssh -D 1080 username@ssh_server
Then configure your browser to use SOCKS proxy at localhost:1080.
SSH Connection Flow
Here's a diagram of how SSH connections work:
SCP and SFTP
SSH also enables secure file transfers using SCP (Secure Copy) and SFTP (SSH File Transfer Protocol).
Using SCP
Copy a local file to a remote server:
scp /path/to/local/file username@server_ip:/path/to/remote/directory
Copy a remote file to your local machine:
scp username@server_ip:/path/to/remote/file /path/to/local/directory
For recursive copying of directories:
scp -r /path/to/local/directory username@server_ip:/path/to/remote/directory
Using SFTP
Start an interactive SFTP session:
sftp username@server_ip
Common SFTP commands:
pwd # Print working directory on remote
lpwd # Print working directory on local
ls # List files on remote
lls # List files on local
cd # Change directory on remote
lcd # Change directory on local
get file # Download file
put file # Upload file
exit # Exit SFTP
Troubleshooting SSH
Here are some common issues and their solutions:
Connection Refused
If you see Connection refused
:
-
Check if the SSH service is running:
bashsudo systemctl status ssh
-
Verify firewall settings:
bashsudo ufw status
-
Check if SSH is listening on the expected port:
bashsudo ss -tuln | grep ssh
Permission Denied
If you see Permission denied
:
-
Verify you're using the correct username and password/key.
-
Check the permissions on your key files:
bashchmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 600 ~/.ssh/config -
Check the server logs:
bashsudo tail -f /var/log/auth.log
Slow SSH Connection
If SSH connections are slow to establish:
-
Add the following to your client's
~/.ssh/config
:Host *
GSSAPIAuthentication no
AddressFamily inet -
Avoid DNS lookups in the server by adding this to
/etc/ssh/sshd_config
:UseDNS no
Debugging Connection Issues
Use verbose mode for troubleshooting:
ssh -vvv username@server_ip
This provides detailed information about the connection process.
Summary
SSH is a powerful tool for secure remote access and management of Debian systems. In this guide, we've covered:
- Installing and configuring the SSH server
- Setting up key-based authentication
- Securing your SSH server with best practices
- Using SSH tunneling for secure network access
- Transferring files with SCP and SFTP
- Troubleshooting common SSH issues
By implementing these practices, you can ensure that your remote connections are secure, efficient, and well-managed.
Additional Resources
Exercises
- Install the SSH server on your Debian system and connect to it from another machine.
- Generate SSH keys and set up key-based authentication.
- Modify the SSH server configuration to use a non-standard port and disable root login.
- Create a custom SSH client configuration for connecting to multiple servers.
- Set up a local port forwarding to access a web server running on a remote machine.
- Configure Fail2Ban to protect your SSH server from brute force attacks.
- Use SFTP to transfer files between your local machine and the server.
- Set up SSH access for a specific group of users only.
If you spot any mistakes on this website, please let me know at [email protected]. I’d greatly appreciate your feedback! :)