SSH (Secure Shell) is a protocol used to securely access a remote server over a local network or the internet for configuration, management, monitoring, troubleshooting, and similar tasks.
In this article, I am going to discuss how you can manage a remote Linux server with the help of SSH.
I have executed all the commands on my Debian 10 machines.
Prerequisites
You need to have the following.
- Two Debian 10 machines with root privileges.
- An IP address, user name, and password of the remote machine.
- Internet connection on both machines.
How to install the OpenSSH server
Once you have set up a new Linux machine in your infrastructure, it is important to make it ready for remote access. To do that, you must install the OpenSSH server on the remote server or machine you are trying to access.
Before you install the OpenSSH server, run the following command to update the repository.
apt-get update
Wait for the operation to complete.
After updating the repository, execute the following command with root privileges to install the OpenSSH server.
apt-get install openssh-server
When you are asked for confirmation, press ‘y’ on the keyboard and wait for the installation to finish. This may take several minutes to complete.
Configuring SSH server settings
Once OpenSSH has been installed on the server side, we can edit its basic configuration settings. Open up the terminal and execute the following command with root privileges.
nano /etc/ssh/sshd_config
The following is the sample output.
You can change the various parameters in the above file.
By default, SSH listens on port 22. You can change this to your desired port. You can also change the maximum number of sessions (MaxSessions) that can be established with the server simultaneously; the default value is 10.
Changing SSH port of the server
As we have discussed, the server listens on port 22 by default. If you want to configure your server to listen on a specific port, here is the procedure.
Open up the terminal and execute the following command with root privileges.
nano /etc/ssh/sshd_config
A file should be opened up as shown in the above screenshot.
Locate Port 22 or #Port 22 and type your desired port number without the # sign.
It is recommended to use a port number between 1024 and 65535, because ports 0-1023 are reserved for specific services.
To assign port 2222, for example, write the following line in the SSH configuration file.
Port 2222
Below is the sample output after changing the port number.
Restart the SSH service by executing the following command on the terminal.
service ssh restart
Enabling root login on the SSH server
By default, you cannot directly log in to the SSH server with root privileges, for security reasons. If you want to enable this login, you need to make changes to the SSH server configuration file.
Open the terminal and run the following command with root privileges to open the configuration file.
nano /etc/ssh/sshd_config
Add the following line in the authentication block:
PermitRootLogin yes
Below is the sample output after making changes in the configuration file.
Restart the SSH service by running the following command on the terminal with root privileges.
service ssh restart
Reducing the failed login attempts to the SSH server
By default, you can make 6 attempts to log in to the SSH server. Once the value reaches half of 6, additional login failures are logged. If you want to change this value, you have to adjust the MaxAuthTries parameter in the SSH server configuration file.
Open the SSH server configuration file, /etc/ssh/sshd_config, in an editor with root privileges, as in the previous sections.
Add the following line (suppose you want to set this value to 1) in the Authentication block.
MaxAuthTries 1
Below is the sample output after making changes in the file.
Restart the SSH service by running the following command on the terminal with root privileges.
service ssh restart
Below is the sample output.
After a single login failure, you will get a "too many authentication failures" message as shown in the following screenshot.
Forcing the SSH server to listen on specific IPs
By default, the SSH server listens on all IP addresses assigned to the machine. However, by making changes in the configuration file, you can force your SSH server to listen on specific IPs. Here is how.
Suppose I have two IP addresses (10.1.1.2 and 10.1.1.3) assigned to my interface as shown in the following screenshot. I want to force my server to listen to IP address 10.1.1.2.
Open up the terminal and run the following command with root privileges to open the SSH configuration file.
nano /etc/ssh/sshd_config
Add the following line at the top of the file:
ListenAddress 10.1.1.2
Below is the sample output after making changes in the configuration file.
Restart the SSH service by executing the following command on the terminal.
service ssh restart
Allowing or denying specific users or groups to log in to SSH server
By default, every user can remotely log in to the SSH server. However, you can allow or deny specific users or groups to log in to the SSH server.
Open up the terminal and run the following command with root privileges to open the SSH server configuration file.
nano /etc/ssh/sshd_config
Below is the sample output.
Suppose you want to allow only user ‘tony’ to remotely log in to the SSH server. No other user will be able to log in to the SSH server. If you have multiple users, they should be separated by a space.
Add the following line in the SSH server configuration file.
AllowUsers tony
Below is the sample configuration file after adding the line.
Restart the SSH service by running the following command with root privileges on the terminal.
service ssh restart
Similarly, if you want to allow all users to remotely connect to the SSH server but deny one or more, add the following line to the server configuration file. Multiple users should be separated by a space. Suppose I want to deny only user ‘tony’; add the following line in the server configuration file.
DenyUsers tony
Below is the sample configuration file after adding the above line.
Restart the SSH service by running the following command with root privileges on the terminal.
service ssh restart
Similarly, you can allow and deny groups of users to log in to the SSH server by adding the following lines in the configuration file.
AllowGroups <groupname>
or
DenyGroups <groupname>
If you have multiple groups to allow or deny, you can separate them with a space.
The allow and deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups
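The processing order above, modelled as a small shell function (an added example, not part of the original article). In OpenSSH a login must pass every directive that is set, so a user listed in AllowUsers is still rejected when AllowGroups is set and none of the user's groups is listed. The variable names and the exact-match comparison are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: the four access checks, applied in the order listed above.
# Assumption: names are compared exactly; real sshd also accepts wildcard
# patterns and USER@HOST entries. The *_USERS / *_GROUPS variables are
# hypothetical stand-ins for the sshd_config directives (empty = not set).

# in_list NAME "a b c": succeeds if NAME is one of the space-separated words
in_list() {
    for item in $2; do
        if [ "$item" = "$1" ]; then return 0; fi
    done
    return 1
}

# any_in_list "g1 g2" "a b c": succeeds if any word of the first list is in the second
any_in_list() {
    for g in $1; do
        if in_list "$g" "$2"; then return 0; fi
    done
    return 1
}

# ssh_login_decision USER "USER_GROUPS": prints "allow" or "deny:<directive>"
ssh_login_decision() {
    user=$1; user_groups=$2
    if in_list "$user" "$DENY_USERS"; then
        echo "deny:DenyUsers"
    elif [ -n "$ALLOW_USERS" ] && ! in_list "$user" "$ALLOW_USERS"; then
        echo "deny:AllowUsers"
    elif any_in_list "$user_groups" "$DENY_GROUPS"; then
        echo "deny:DenyGroups"
    elif [ -n "$ALLOW_GROUPS" ] && ! any_in_list "$user_groups" "$ALLOW_GROUPS"; then
        echo "deny:AllowGroups"
    else
        echo "allow"
    fi
}

# Constructed scenario: "AllowUsers tony" combined with "AllowGroups admins".
DENY_USERS=""; ALLOW_USERS="tony"; DENY_GROUPS=""; ALLOW_GROUPS="admins"
ssh_login_decision tony "staff"          # deny:AllowGroups
ssh_login_decision tony "staff admins"   # allow
ssh_login_decision alice "admins"        # deny:AllowUsers
```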
Changing login grace time
By default, you have 2 minutes to log in to a remote server after connecting over SSH. If you do not log in within 2 minutes, the connection is closed. Here is how you can change the login grace time.
Open up the terminal and run the following command with root privileges to open the server configuration file.
nano /etc/ssh/sshd_config
Below is the sample output.
Locate the following line:
#LoginGraceTime 2m
Replace this line with your desired grace time, say 1 minute. The complete line should be:
LoginGraceTime 1m
Below is the sample configuration file after making changes.
Close the file and restart the SSH service by issuing the following command.
service ssh restart
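The script below is an added example, not part of the original article: it reads an sshd_config file, reports the effective values of the directives covered in the sections above, and flags settings worth reviewing. The function names, the WARN/INFO wording and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# sshd_value FILE KEYWORD [DEFAULT] [all]
# Keywords are case-insensitive and "#" starts a comment. Most keywords use
# their first occurrence; Port and ListenAddress may repeat, so pass "all".
# Parsing stops at the first Match block, whose settings are conditional.
# Assumption: plain "Keyword value" lines, no Include files.
sshd_value() {
    awk -v want="$2" -v dflt="$3" -v all="$4" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, "")
            out = (out == "" ? $0 : out " " $0)
            if (!all) exit
        }
        END { print (out != "" ? out : dflt) }' "$1"
}

# review_sshd FILE: prints one "LEVEL Directive: note" line per finding
review_sshd() {
    f=$1
    echo "INFO Port: $(sshd_value "$f" Port 22 all)"
    echo "INFO ListenAddress: $(sshd_value "$f" ListenAddress 'all addresses' all)"
    if [ "$(sshd_value "$f" PermitRootLogin)" = "yes" ]; then
        echo "WARN PermitRootLogin: direct root login is enabled"
    fi
    tries=$(sshd_value "$f" MaxAuthTries 6)
    if [ "$tries" -gt 6 ]; then
        echo "WARN MaxAuthTries: $tries is above the default of 6"
    fi
    if [ "$(sshd_value "$f" LoginGraceTime 2m)" = "0" ]; then
        echo "WARN LoginGraceTime: 0 removes the login time limit"
    fi
    if [ -z "$(sshd_value "$f" AllowUsers)$(sshd_value "$f" AllowGroups)" ]; then
        echo "WARN AllowUsers/AllowGroups: unset, every account may log in"
    fi
    return 0
}

# Constructed sample using the values from the article's examples.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 2222' 'ListenAddress 10.1.1.2' \
    'PermitRootLogin yes' 'maxauthtries 1' 'LoginGraceTime 1m' \
    'Match User tony' '    PermitRootLogin no' > "$sample"
review_sshd "$sample"
rm -f "$sample"
```

On a real host, running sshd -t checks the configuration file's syntax before you restart the service, and sshd -T prints the full effective configuration.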
How to install the OpenSSH client
The Debian 10 machine that is going to access a remote machine or server is called the client, and we need to install the OpenSSH client on it.
Open up the terminal and run the following command to update the repository.
apt-get update
Wait for the operation to complete.
As soon as the repository is updated, execute the following command to install the OpenSSH client.
apt-get install openssh-client
When you are asked for confirmation, press Y on the keyboard. Installation may take several minutes, so please be patient.
Execute the following command on both client and server to confirm that SSH service is running.
Once we have SSH running on both the client and the remote server, we can go ahead with remote management.
Connecting to remote Debian 10 server with SSH
In order to connect to the remote Debian 10 machine, you need to have its IP address, username, and password.
Following is the complete syntax of the command if your SSH server is listening on default port 22.
ssh <user@IPaddress>
You will be prompted for the user's password; type it and press Enter.
Suppose, the user is tony and the remote machine IP address is 10.1.1.2. Run the following command on the terminal.
ssh tony@10.1.1.2
Below is the sample output.
You should now be safely connected as shown in the above screenshot.
However, if your SSH server is listening on some other port (suppose 2222), the complete syntax of the command should be as follows.
ssh -p <port number> user@IP address
Suppose, the user is tony and the remote machine IP address is 10.1.1.2. Run the following command on the terminal.
ssh -p 2222 tony@10.1.1.2
Conclusion
So that was the tutorial on remotely managing a Linux Server with SSH. I hope you have enjoyed it.