Tag: ssh

  • How to change the SSH Port in Linux

    How to change the SSH Port in Linux

    By default SSH service runs on port 22. Running SSH service on port 22 is not secure as it can become an easy target for attackers who are scanning the network for open ports. By changing the default port, you can make it more difficult for attackers to find and exploit the SSH service.

    To change SSH port, edit file

    vi /etc/ssh/sshd_config

    In the file, find the line

    Port 22

    Change 22 to whatever port number you want. It is better to use a higher port number so it will be difficult for hackers to find.

    Restart SSH service

    On Debian/Ubuntu

    systemctl restart ssh

    On RHEL-based Linux (AlmaLinux, RockeyLinux, Oracle Linux, CentOS)

    systemctl restart sshd

    If you have a firewall, make sure you open the new port in the firewall.

    See ssh

  • SSH Server refused our key

    SSH Server refused our key

    I got the following error when logging in to a server using SSH key authentication.

    Server refused our key

    I checked the log file

    tail /var/log/secure

    found following error

    May 11 17:45:31 server58 sshd[18483]: Authentication refused: bad ownership or modes for file /home/video/.ssh/authorized_keys

    The problem is fixed by setting proper permission for the .ssh folder and key file.

    chmod 600 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

    See SSH

  • Force all SSH connection through Jump Host

    I want all my SSH connection go through a VPS so my IP address stay same even if my ISP changes IP. This help me to only access SSH access from my VPS IP address, this increase security as no one else able to SSH to the server.

    To force all my SSH connection to use ProxyJump, i edit file

    vi ~/.ssh/config

    Added

    Host * !ok.serverok.in !51.38.246.115 !192.168.1.?
    ProxyJump [email protected]:3333

    In above Host * will match all hosts, so whenever you try to SSH to a server, it will use ProxyJump. I specified some host with !, this will exclude those host from using ProxyJump. One of which is the Jump Host itself, it is important you exclude Jump Host or it will cause a loop and won’t work. You may also need to add your Local IP address.

    See SSH

  • Stop SSH bruteforce with endlessh

    Endlessh is an open source SSH trapit. It send slow random banner string to attacker, wasting their time.

    Before you install endlessh, you need to change your SSH port to a higher non default port. To do this edit 

    vi /etc/ssh/sshd_config

    Find 

    Port 22

    Replace with

    Port YOUR_NEW_PORT_HERE

    If the line is commented with #, uncomment it.

    Now you can install endlessh with

    cd /usr/local/src
git clone https://github.com/skeeto/endlessh
cd /usr/local/src/endlessh
make
cp endlessh /usr/local/bin
cp /usr/local/src/endlessh/util/endlessh.service /etc/systemd/system/

    By default endlessh run on port 2222. To change it to port 22, edit file

    vi /etc/systemd/system/endlessh.service

    Find

    #AmbientCapabilities=CAP_NET_BIND_SERVICE

    Replace with

    AmbientCapabilities=CAP_NET_BIND_SERVICE

    Find

    PrivateUsers=true

    Replace with

    #PrivateUsers=true

    Run

    setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh

    Create endlessh configuration file

    vi /etc/endlessh/config

    Add following content

    Port 22
Delay 10000
MaxLineLength 32
MaxClients 4096
LogLevel 0
BindFamily 0

    If you need to enable log, set LogLevel to 1.

    Enable and restart endlessh

    systemctl enable endlessh
systemctl start endlessh

  • SSH Too many authentication failures

    When i ssh into a server, i get following error

    root@lab:~# ssh [email protected] -p 3333
Received disconnect from 14.18.58.78: 2: Too many authentication failures
root@lab:~#

    I checked server log (/var/log/auth.log) and found following

    Nov 13 19:06:42 lab sshd[32030]: error: maximum authentication attempts exceeded for root from 188.40.131.92 port 52956 ssh2 [preauth]
Nov 13 19:06:42 lab sshd[32030]: Disconnecting: Too many authentication failures [preauth]

    This error happens when you have several SSH keys. When you try to connect to remote server, ssh client try to autenticate to remote server using SSH keys present on your computer. If you have several keys, ssh client make that much login attempts if the keys are valid for remote server you are trying to login.

    ssh server deamon have a settings MaxAuthTries. Default value for this settings is 6. If number of invalid login attempt exceeds the value of MaxAuthTries, you will get above error.

    You can see all SSH keys on your computer with

    ssh-add -l

    If you have many keys, consider removing some of the keys from agent using ssh-add command.

    To fix this error edit file

    vi /etc/ssh/sshd_config

    Check if the file have entry for MaxAuthTries, if yes, increase its value. If no entry present in the server add it.

    MaxAuthTries 8

    Restart sshd service.

    systemctl restart sshd

    You can see how many login attemts you make using ssh -v option (verbose).

    root@server12:~# ssh -v [email protected] -p 3333
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 174.138.58.78 [174.138.58.78] port 3333.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[174.138.58.78]:3333' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:139
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/boby/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: boby@hon-pc-01
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: redbridgefinance-mumbai
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: aws-eb
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: aws-austin-boby
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
Received disconnect from 174.138.58.78: 2: Too many authentication failures
root@server12:~#

    See SSH

  • SSH Tunnel

    If you have a server with SSH access, you can use it as sock 5 proxy or for port forwarding with just ssh access.

    Socks5 Proxy

    SSH tunnel can be used for browsing security. It act like a socks5 proxy.

    ssh root@SERVER_IP -D 7373

    OR

    ssh -f -N root@REMOTE_SERVER_IP -D 7373

    SERVER_IP is IP of the remote server, that you will be using as sock 5 server.

    You can configure your browser to use sock5 proxy with IP address 127.0.0.1 and port 7373. You can change port by changing port in above commands.

    -N = Do not execute a remote command. This is useful for just forwarding ports.
    -f = go into background mode.

    Forwarding Remote Port to local

    You have a remote server that run a service on some port, that is not accessable to public. This is useful for services like MySQL, redis that is bind to 127.0.0.1 by default for security reason.

    ssh -L 9999:127.0.0.1:3306 root@REMOTE_SERVER_IP

    Example

    ssh -L 9999:127.0.0.1:3306 [email protected]

    MYSQL running on remote server will be available on port 9999 on local computer.

    You can add -f -N option in cause you need above ssh command run in background.

    Forwarding local port to remote server

    Lets say you have a local web site running on your computer, you need to show this to your customer. You can’t make the web site from your computer as you are behind NAT network and your router don’t support port forwarding.

    To forward local port to remote server, run

    ssh -R REMOTE_PORT:localhost:LOCAL_PORT root@REMOTE_SERVER_IP

    Example

    ssh -R 8080:localhost:80 [email protected]

    Service running on port 80 on local computer will be available on remote server on port 8080. Your customer can view the web site using url REMOTE_SERVER_IP:8080

    See SSH, SSH Port Forwarding

  • Disable sshd start on boot in ubuntu

    On my local computer, i have installed openssh-server, but i don’t want it always enabled.

    To disable openssh-server from auto start on boot, run

    systemctl disable ssh

    Example

    root@lab:~# systemctl disable ssh
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable ssh
Removed /etc/systemd/system/sshd.service.
Removed /etc/systemd/system/multi-user.target.wants/ssh.service.
root@lab:~#

    If you want to start ssh server on boot, run systelctl enable ssh

    root@lab:~# systemctl enable ssh
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
root@lab:~#

    See Ubuntu

  • Email Alert When User Login Using SSH

    On web servers, you may need to get email alert when someone logs in to your server using SSH. To do this edit file

    vi ~/.bashrc

    Add

    echo "ALERT - Bash shell access by user \"`whoami`\" to server $HOSTNAME  on  `date` "  | mail -s  "Alert:  Shell access detected from user \"`whoami`\" from IP_Address: `who | cut -d"(" -f2 | cut -d")" -f1`" [email protected]

    In above, replace [email protected] with your actual email address. You need a mail server installed on your server for this to work.

    If you want to log to a file, add

    echo 'ALERT - Root Shell Access (' `hostname` ') on:' `date` `who` >> /var/log/user-logins

    See SSH

  • SSH Port Forwarding

    On a remote server, we have an application running on 127.0.0.1:8010. Since the application is listening on internal IP address 127.0.0.1, we can’t access it remotely. To access this application, we can use SSH port forwarding.

    ssh -L 8010:127.0.0.1:8010 [email protected] -p 3333

    In above example, application running on server lab.serverok.in is available on my local computer at

    http://127.0.0.1:8010

  • SSH Remember Passphrase

    When i connect to remote server using SSH using private key, it ask for passphrase every time.

    root@admin:~# ssh [email protected]
Enter passphrase for key '/root/.ssh/id_rsa': 

root@admin:~#

    I want it only ask once, then remember it.

    To do this, you need to run

    eval `ssh-agent -s`
ssh-add

    When you run “ssh-add” command, it ask for your passphrase. Now you will be able to use your SSH Key with out getting promoted for passphrase.

    See ssh

  • SSH

    SSH Connection Errors

    SSH ProxyJump (Jump Host/bastion host)

    SSH Errors

    SSH Protect

    SSH Configuration Options

    AllowUsers admin

    Only allow a specific user to login.

    DenyGroups customers

    Deny SSH access to a Group. You can add multiple groups separated by space.

    ClientAliveInterval 120

    Disconnect if the client is inactive for 120 seconds.

  • Force SSH client to use Password Authentication

    Some times you may need to test if password authentication works for SSH and you have SSH key authentication already set.

    You can comment out your SSH key from ~/.ssh/authorized_keys to do this. Another solution is to use

    ssh -o PreferredAuthentications=password USER@SERVER_IP

    To disable Public key authentication, use

    -o PubkeyAuthentication=no

    ssh