Linux SSH server

How to remotely manage a Linux server with SSH

by

SSH stands for Secure Shell and it is a protocol that is used to securely access a remote server on a local network or internet for configuration, management, monitoring, and troubleshooting, etc.

In this article, I am going to discuss how you can manage a remote Linux server with the help of SSH.

I have executed all the commands on my Debian 10 machines.

Prerequisites

You need to have the following.

  1. Two Debian 10 machines with root privileges.
  2. An IP address, user name, and password of the remote machine.
  3. Internet connection on both machines.

How to install an open SSH server?

Once you have set up a new Linux machine in your infrastructure, it is important to make it ready for remote access. Therefore, it is mandatory to install open ssh on a remote server or machine you are trying to access.

Before you install an open SSH server, run the following command to update the repository.

apt-get update

Wait for the operation to complete.

After updating the repository, execute the following command with root privileges to install an open SSH server.

apt-get install openssh-server

When you are asked for confirmation, press ‘y’ from the keyboard and wait for the installation to finish. This may take several minutes to complete.

Configuring SSH-Server settings

Once the Open SSh has been installed on the server-side, we can edit it’s basic configuration settings. Open up the terminal and execute the following command with root privileges.

nano /etc/ssh/sshd_config

The following is the sample output.

Edit the sshd_config file

You can change the various parameters in the above file.

By default, SSH listens on port 22. You can change to your desired port. You can also change the maximum sessions (MaxSessions) that can be established with the server simultaneously, 10 is the default value.

Changing SSH port of the server

As we have discussed, the server listens on port 22 by default. If you want to configure your server to listen to a specific port, here is the procedure.

Open up the terminal and execute the following command with root privileges.

nano /etc/ssh/sshd_config

A file should be opened up as shown in the above screenshot.

Locate Port 22 or #Port 22 and type your desired port number without the # sign.

It is recommended to use the port number between 1024 – 65535 because 0-1023 ports are reserved for specific services.

Suppose to assign 2222, write the following in the SSH configuration file.

Port 2222

Below is the sample output after changing the port number.

Change SSH port

Restart the SSH service by executing the following command on the terminal.

service ssh restart

Enabling root login on the SSH server

By default, you cannot directly login to the SSH server with root privileges due to security reasons. If you want to enable this login, you need to make changes to the SSH server configuration file.

Open the terminal and run the following command with root privileges to open the configuration file.

nano /etc/ssh/sshd_config

Add the following line in the authentication block,

PermitRootLogin yes

Below is the sample output after making changes in the configuration file.

Permit SSH root login

Restart the SSH service by running the following command on the terminal with root privileges.

service ssh restart

Reducing the failed login attempts to the SSH server

By default, you can make 6 attempts to log in to the SSH server. Once the value reaches half of 6, additional login failures are logged. If you want to change this value, you have to adjust the MaxAuthTries parameter in the SSH server configuration file.

Open up the terminal and execute the following command with root privileges.

Add the following line (suppose you want to set this value to 1) in the Authentication block.

MaxAuthTries 1

Below is the sample output after making changes in the file.

Configure max auth retries

Restart the SSH service by running the following command on the terminal with root privileges.

service ssh restart

Below is the sample output.

After a single login failure, you will get too many authentication failures message as shown in the following screenshot.

Forcing the SSH server to listen to Specific IPs

By default SSH server listen to all IPs assigned to your SSH server. However, by making changes in the configuration file, you can force your SSH server to listen to specific IPs. Here is how.

Suppose I have two IP addresses (10.1.1.2 and 10.1.1.3) assigned to my interface as shown in the following screenshot. I want to force my server to listen to IP address 10.1.1.2.

Configure listen IP of SSH server

Open up the terminal and run the following command with root privileges to open the SSH configuration file.

nano /etc/ssh/sshd_config

Add the following line in the top of the file,

ListenAddress 10.1.1.2

Below is the sample output after making changes in the configuration file.

Configure Listen IP address

Restart the SSH service by executing the following command on the terminal.

service ssh restart

Allowing or denying specific users or groups to log in to SSH server

By default, every user can remotely log in to the SSH server. However, you can allow or deny specific users or groups to log in to the SSH server.

Open up the terminal and run the following command with root privileges to open the SSH server configuration file.

nano /etc/ssh/sshd_config

Below is the sample output.

Edit SSHD Config file

Suppose you want to allow only user ‘tony’ to remotely log in to the SSH server. No other user will be able to log in to the SSH server. If you have multiple users, they should be separated by a space.

Add the following line in the SSH server configuration file.

AllowUsers tony

Below is the sample configuration file after adding the line,

Allow only specific users to connect to SSH

Restart the SSH service by running the following command with root privileges on the terminal,

service ssh restart

Similarly, if you want to allow all users to remotely connect to the SSH server but want to deny one or more, add the following lines in the server configuration file. The users should be separated by command. Suppose I want to deny only user ‘tony’, add the following line in the server configuration file.

DenyUsers tony

Below is the sample configuration file after adding the above line.

Deny users

Restart the SSH service by running the following command with root privileges on the terminal.

service ssh restart

Similarly, you can allow and deny groups of users to log in to the SSH server by adding the following lines in the configuration file.

AllowGroups <groupname>

or

DenyGroups <groupname>

If you have multiple groups to allow or deny you can separate them with space.

The combination of allow and deny processed in the following order.

DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups

Changing login grace time

By default, you have 2 minutes to log in to a remote server after SSH. If you cannot log in to a remote server within 2 minutes, the SSH will disconnect. Here is how you can change the login grace time.

Open up the terminal and run the following command with root privileges to open the server configuration file.

nano /etc/ssh/sshd_config

Below is the sample output.

Change SSH login grace time

Locate the following line,

#LoginGraceTime 2m

Replace this line with your desired grace time, say 1 minute. The complete line should be,

LoginGraceTime 1m

Below is the sample configuration file after making changes.

Configure Login grace time

Close the file and restart the SSH service by issuing the file command.

service ssh restart

How to install OpenSSH client

The Debian 10 machine which is going to access a remote machine or server is called a client and we need to install ‘open SSH client’ on it.

Open up the terminal and run the following command to update the repository.

apt-get update

Wait for the operation to complete.

As soon as the repository is updated, execute the following command to install an open SSH client.

apt-get install openssh-client

When you are asked for the confirmation, press Y from the keyboard. Installation may take several minutes, therefore, please be patient.

Execute the following command on both client and server to confirm that SSH service is running.

Install OpenSSH Client

Once we have SSH running on both client and server on a remote machine, we can go head with remote management.

Connecting to remote Debian 10 server with SSH

In order to connect to the remote Debian 10 machine, you need to have its IP address, username, and password.

Following is the complete syntax of the command if your SSH server is listening on default port 22.

ssh <user@IPaddress>

You will be prompted for a user password, provide with the help of keyboard and hit Enter.

Suppose, the user is tony and the remote machine IP address is 10.1.1.2. Run the following command on the terminal.

ssh [email protected]

Below is the sample output.

Connecting remotely by ssh

You should now be safely connected as shown in the above screenshot.

However, if your SSH server is listening on some other port (suppose 2222). The complete syntax of the command should be as follows.

ssh -p <port number> user@IP address

Suppose, the user is tony and the remote machine IP address is 10.1.1.2. Run the following command on the terminal.

ssh -p 2222 [email protected]

SSH Connection

Conclusion

So that was the tutorial on remotely managing a Linux Server with SSH. I hope you have enjoyed it.