Overview
The OpenSSH Server package provides 'sshd' (SSH Daemon), which listens for and processes connection requests from SSH clients. It is a core component for secure remote system access, enhancing security through data encryption and robust authentication mechanisms.
Key Features
- Remote login and shell access (SSH)
- Secure file transfer (SCP, SFTP)
- Port forwarding and tunneling
- Support for various authentication methods (password, public key, GSSAPI, etc.)
Installation
OpenSSH Server is not always installed by default; desktop and minimal installations in particular often omit it. Here's how to install OpenSSH Server on major distributions.
Debian/Ubuntu
sudo apt update
sudo apt install openssh-server
Install using the APT package manager.
CentOS/RHEL/Fedora
sudo yum install openssh-server
# Or using dnf
sudo dnf install openssh-server
Install using the YUM or DNF package manager.
Verify Service After Installation
After installation, check whether the 'sshd' service is running and enable it if necessary. On Debian and Ubuntu the unit is named 'ssh' ('sshd' is an alias that may not resolve until the unit has been enabled), so use 'ssh' in the commands below on those systems.
Check and Enable Service
sudo systemctl status sshd
sudo systemctl enable sshd --now
Key Options
The main configuration for OpenSSH Server is done through the '/etc/ssh/sshd_config' file. Here are some commonly used options in this configuration file.
sshd_config Settings
Usage Examples
Common usage examples related to the configuration and management of OpenSSH Server.
Start/Stop/Restart sshd Service
sudo systemctl start sshd
sudo systemctl stop sshd
sudo systemctl restart sshd
Control the sshd service on systems using systemd.
Check sshd Service Status
sudo systemctl status sshd
Check the current status of the sshd daemon.
Change SSH Port (Modify sshd_config)
sudo sed -i 's/^#Port 22/Port 2222/' /etc/ssh/sshd_config
sudo systemctl restart sshd
Example of changing the default SSH port (22) to 2222. After modifying the file, you must restart the sshd service. Before restarting, make sure the firewall allows the new port; on SELinux systems (CentOS/RHEL/Fedora) the port must also be labelled for sshd, e.g. `sudo semanage port -a -t ssh_port_t -p tcp 2222`, or sshd will fail to bind.
Disable Root Login
# Match the directive whether it is active or commented out ("#PermitRootLogin prohibit-password" is the usual default)
sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo systemctl restart sshd
Enhance security by setting PermitRootLogin to 'no' in sshd_config.
Allow Only Specific Users to Connect
echo 'AllowUsers myuser' | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart sshd
Add the 'AllowUsers' option to sshd_config to permit SSH access only for the 'myuser' user. Note that directives appended after a 'Match' block apply only within that block, so check the end of the file before appending, and confirm 'myuser' can still log in from a second session before closing the current one.
Tips & Precautions
Tips and precautions for operating OpenSSH Server securely and efficiently.
Security Enhancement Tips
- **Change the default port (22)**: This reduces the noise from automated scanners and brute-force attempts, but it is obscurity, not a control; combine it with the measures below.
- **Disable password authentication and use public key authentication**: Set `PasswordAuthentication no` and `PubkeyAuthentication yes`. Keys are far more resistant to guessing and credential leakage than passwords.
- **Disable root login**: Since the root account has all privileges, it is safer to disallow direct login and use `sudo` after logging in with a regular user account.
- **Allow only specific users/groups**: Restrict connectable accounts using the `AllowUsers` or `AllowGroups` options.
- **Configure firewall**: Set up a firewall (ufw, firewalld, etc.) to allow external access only to the SSH port (default 22 or the changed port).
- **Install Fail2ban**: This tool blocks IPs that repeatedly fail login attempts, defending against brute-force attacks.
Precautions When Changing Configuration
After modifying the sshd_config file, always check for syntax errors using `sudo sshd -t` before restarting the service with `sudo systemctl restart sshd`. Restarting the service with an incorrect configuration can make SSH access impossible. Keep your current session open while you restart and verify that a fresh login succeeds (on the new port, as the allowed user) before disconnecting.
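The script below is an added example, not part of OpenSSH or of this page's original content. It combines the hardening settings from the tips above with the `sshd -t` check from this section: each directive is set in place whether it is currently active, commented out, or absent, and sshd is restarted only if the resulting file validates. The helper names, the `--apply` flag and the port/user arguments are this example's own assumptions.

```shell
#!/bin/sh
# Helper names (set_sshd_option, get_sshd_option, harden_sshd_config,
# validate_and_restart) are assumed for this example; they are not OpenSSH's.

# Set one directive: rewrite an active or commented-out ("#Key ...") line in
# place; if the keyword is absent, insert it before the first "Match" block
# (directives after "Match" only apply conditionally), otherwise append.
# A comment line that begins with "# Key" is rewritten too.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"; tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" \
            "$file" > "$tmp"
    else
        awk -v line="$key $value" '
            /^[ \t]*Match([ \t]|$)/ && !done { print line; done = 1 }
            { print }
            END { if (!done) print line }' "$file" > "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"   # keeps the file's mode and owner
}

# Print the effective value of a directive: sshd uses the FIRST active match.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Apply the hardening settings from the tips above to one config file.
harden_sshd_config() {
    file="$1"; port="$2"; admin_user="$3"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" AllowUsers "$admin_user"
}

# Syntax-check first; restart only if sshd accepts the file, so a typo
# cannot lock you out. Keep the current session open until a fresh login
# on the new port succeeds.
validate_and_restart() {
    sshd -t -f "$1" || { echo "sshd_config invalid, not restarting" >&2; return 1; }
    systemctl restart sshd
}

# Usage (as root): sh harden-sshd.sh --apply 2222 alice
if [ "${1:-}" = "--apply" ]; then
    cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
    harden_sshd_config /etc/ssh/sshd_config "$2" "$3"
    validate_and_restart /etc/ssh/sshd_config
fi
```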