Remote Server/Host Access and Root Login Using SSH

Learn about remote server/host access and root login using SSH in this guest post by Tajinder Kalsi, an information security and Linux expert.

Secure Shell (SSH) is a protocol that is used to log onto remote systems securely and is the most commonly used method for accessing remote Linux systems.

Getting ready

To see how to use SSH, you need two Ubuntu systems. One will be used as the server and the other as the client.

How to do it…

To use SSH, you can use the freely available OpenSSH software. Once it is installed, you access it through the ssh command. Take a look at how to use this tool in detail:

  1. If OpenSSH server is not already installed, it can be installed using the following command:

sudo apt-get install openssh-server

  1. Next, you need to install the client version of the software:

sudo apt-get install openssh-client

  1. For the latest versions, the SSH service starts running as soon as the software is installed. If it is not running by default, you can start the service by using the command:

sudo service ssh start

  1. Now, to log in to the server from any other system using SSH, you can use the following command:

ssh remote_ip_address

Here, remote_ip_address refers to the IP address of the server system. This command assumes that the username on the client machine is the same as on the server machine.

If we want to log in for a different user, the command will be as follows:

ssh username@remote_ip_address

  1. Next, you need to configure SSH to use it as per your requirements. The main configuration file for sshd in Ubuntu is located at /etc/ssh/sshd_config. Before making any changes to the original version of this file, create a backup using the following command:

sudo cp /etc/ssh/sshd_config{,.bak}

The configuration file defines the default settings for SSH on the server system.

  1. Opening the file in a text editor, you can see that the default port on which the sshd server listens for incoming connections is 22. You can change this to any non-standard port to protect the server from random port scans, thus making it more secure. Suppose you change the port to 888. The next time the client wants to connect to the SSH server, the command will be as follows:

ssh -p port_number remote_ip_address

When you run the command without specifying the port number, the connection is refused. When you specify the correct port number, the connection is established.

How it works…

SSH is used to connect a client program to an SSH server. On one system, you install the openssh-server package to make it the SSH server, and on the other system, you install the openssh-client package to use it as the client.

Now, keeping the SSH service running on the server system, you try to connect to it through the client.

You can use the configuration file of SSH to change the settings such as the default port for connecting.

Enabling and disabling root login over SSH

Linux systems have a root account that is enabled by default. Unauthorized users gaining root access to the system can be really dangerous.

You can disable or enable root login over SSH as per your requirements to reduce the chances of an attacker getting access to the system.

Getting ready

You need two Linux systems to be used as server and client. On the server system, install the openssh-server package, as shown in the previous recipe.

How to do it…

First, take a look at how to disable SSH root login and then you’ll also see how to enable it again:

  1. First, open the main configuration file of SSH, /etc/ssh/sshd_config, in any editor:

sudo nano /etc/ssh/sshd_config

  1. Now look for the line that reads as follows:

PermitRootLogin yes

  1. Change the value yes to no. Then save and close the file:

PermitRootLogin no

  1. Once done, restart the SSH daemon service using the following command:

sudo service ssh restart

  1. Now try to log in as root. You should get an error:

Permission Denied

This is because the root login has been disabled.

  1. Now, whenever you want to log in as root, you’ll first have to log in as a normal user. After this, you can use the su command to switch to the root user. As a result, user accounts that are not listed in the /etc/sudoers file will not be able to switch to the root user, and the system will be more secure.

  1. Now, if you want to enable SSH root login again, you just need to edit the /etc/ssh/sshd_config file again and change the no option to yes:

PermitRootLogin yes

  1. Then restart the service again by using the following command:

sudo service ssh restart

  1. Now if you try to log in as root again, it will work.

How it works…

When you try to connect to a remote system using SSH, the remote system checks its configuration file at /etc/ssh/sshd_config. According to the details mentioned in this file, it decides whether the connection should be allowed or refused.

There’s more…

Suppose you have many user accounts on the system. You can edit the /etc/ssh/sshd_config file so that remote access is allowed only for a few specified users:

sudo nano /etc/ssh/sshd_config

Add the following line:

AllowUsers tajinder user1

Now restart the SSH service:

sudo service ssh restart

Now, when you try to log in as user1, the login is successful. However, when you try to log in as user2, which has not been added to the /etc/ssh/sshd_config file, the login fails and you get a Permission denied error.
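The Port, PermitRootLogin and AllowUsers edits from both recipes only help if sshd reads them the way you intended, so the following added example (not part of the original article) reads those three settings back from the global section of a config file and flags the case where root login is still enabled. The function names and the sample file are constructed for illustration, and the Match block in the sample is an assumption beyond what the article covers.

```sh
#!/bin/sh
# Added example, not from the article: read back the settings the recipes edit.

# Print every value of keyword $2 in file $1, in file order. Keywords are
# case-insensitive; parsing stops at the first Match (conditional) block.
sshd_values() {
    awk -v want="$2" '
        { sub(/^[ \t]+/, "") }              # drop indentation
        /^#/ || NF == 0 { next }            # comment or blank line
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# sshd keeps the FIRST PermitRootLogin it reads, so a "no" appended below an
# existing "yes" changes nothing. Port and AllowUsers lines accumulate.
audit_sshd_config() {
    a_root=$(sshd_values "$1" PermitRootLogin | head -n 1)
    a_ports=$(sshd_values "$1" Port | tr '\n' ' ')
    a_users=$(sshd_values "$1" AllowUsers | tr '\n' ' ')
    a_rc=0
    echo "PermitRootLogin: ${a_root:-(not set, built-in default applies)}"
    echo "Port:            ${a_ports:-(not set, default 22)}"
    echo "AllowUsers:      ${a_users:-(not set, no allow-list)}"
    case $(echo "$a_root" | tr 'A-Z' 'a-z') in
        yes) echo "FAIL: root can log in over SSH"; a_rc=1 ;;
    esac
    [ -n "$a_users" ] || echo "WARN: no AllowUsers line restricts logins"
    return "$a_rc"
}

# Constructed sample: "no" was appended, but the earlier "yes" still wins.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real server's file
Port 888
permitrootlogin yes
AllowUsers tajinder user1
PermitRootLogin no
Match User backup
    PermitRootLogin yes
EOF
}

# Audit the file given as $1, or the constructed sample when run without one.
f=${1:-$(mktemp)}
[ "$#" -gt 0 ] || sample_config > "$f"
audit_sshd_config "$f" || echo "audit failed for $f"
[ "$#" -gt 0 ] || rm -f "$f"
```

On a live server, sudo sshd -t checks the edited file for syntax errors before you restart the service, and sudo sshd -T prints the effective settings, including any files pulled in by an Include line, which this sketch does not follow.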

That’s it! If this article piqued your interest in learning more about security with Linux, you can explore Practical Linux Security Cookbook – Second Edition. Packed with numerous hands-on recipes to secure a Linux environment from modern-day attacks, Practical Linux Security Cookbook – Second Edition is a must-read for all Linux users.
