Tag: ssh

  • SSH no hostkey alg

    SSH no hostkey alg

    When connecting to an Ubuntu 24.04 server from CentOS 6 server, i got error “no hostkey alg”

    root@server12:~# ssh [email protected]
    no hostkey alg
    root@server12:~#

    To fix this error, edit /etc/ssh/sshd_config on Ubuntu server and add followng to end of the file

    HostKeyAlgorithms +ssh-rsa,ssh-dss
    PubkeyAcceptedKeyTypes +ssh-rsa,ssh-dss

    Restart ssh service on Ubuntu

    systemctl restart ssh

    Now you should be able to connect to Ubuntu server from CentOS 6 using SSH. If you are using ssh key auth, use RSA key, newer keys like ed25519 won’t work and result in following error message

    root@server12:~# ssh [email protected]
    key_from_blob: remaining bytes in key blob 36
    key_to_blob: unsupported key type 11
    Permission denied (publickey).
    root@server12:~# 

    Once the ile transfer is done, edit /etc/ssh/sshd_config on ubuntu server and remove the older (less secure) algorithms.

    Back to ssh

  • How to change the SSH Port in Linux

    How to change the SSH Port in Linux

    By default SSH service runs on port 22. Running SSH service on port 22 is not secure as it can become an easy target for attackers who are scanning the network for open ports. By changing the default port, you can make it more difficult for attackers to find and exploit the SSH service.

    To change SSH port, edit file

    vi /etc/ssh/sshd_config
    

    In the file, find the line

    Port 22
    

    Change 22 to whatever port number you want. It is better to use a higher port number so it will be difficult for hackers to find.

    Restart SSH service

    On Debian/Ubuntu

    systemctl restart ssh
    

    On RHEL-based Linux (AlmaLinux, RockeyLinux, Oracle Linux, CentOS)

    systemctl restart sshd
    

    If you have a firewall, make sure you open the new port in the firewall.

    See ssh

  • SSH Server refused our key

    SSH Server refused our key

    I got the following error when logging in to a server using SSH key authentication.

    Server refused our key
    

    I checked the log file

    tail /var/log/secure
    

    found following error

    May 11 17:45:31 server58 sshd[18483]: Authentication refused: bad ownership or modes for file /home/video/.ssh/authorized_keys
    

    The problem is fixed by setting proper permission for the .ssh folder and key file.

    chmod 600 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
    

    See SSH

  • Force all SSH connection through Jump Host

    I want all my SSH connection go through a VPS so my IP address stay same even if my ISP changes IP. This help me to only access SSH access from my VPS IP address, this increase security as no one else able to SSH to the server.

    To force all my SSH connection to use ProxyJump, i edit file

    vi ~/.ssh/config
    

    Added

    Host * !ok.serverok.in !51.38.246.115 !192.168.1.?
        ProxyJump [email protected]:3333
    

    In above Host * will match all hosts, so whenever you try to SSH to a server, it will use ProxyJump. I specified some host with !, this will exclude those host from using ProxyJump. One of which is the Jump Host itself, it is important you exclude Jump Host or it will cause a loop and won’t work. You may also need to add your Local IP address.

    See SSH

  • Stop SSH bruteforce with endlessh

    Endlessh is an open source SSH trapit. It send slow random banner string to attacker, wasting their time.

    Before you install endlessh, you need to change your SSH port to a higher non default port. To do this edit

    vi /etc/ssh/sshd_config
    

    Find

    Port 22
    

    Replace with

    Port YOUR_NEW_PORT_HERE
    

    If the line is commented with #, uncomment it.

    Now you can install endlessh with

    cd /usr/local/src
    git clone https://github.com/skeeto/endlessh
    cd /usr/local/src/endlessh
    make
    cp endlessh /usr/local/bin
    cp /usr/local/src/endlessh/util/endlessh.service /etc/systemd/system/
    

    By default endlessh run on port 2222. To change it to port 22, edit file

    vi /etc/systemd/system/endlessh.service
    

    Find

    #AmbientCapabilities=CAP_NET_BIND_SERVICE
    

    Replace with

    AmbientCapabilities=CAP_NET_BIND_SERVICE
    

    Find

    PrivateUsers=true
    

    Replace with

    #PrivateUsers=true
    

    Run

    setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
    

    Create endlessh configuration file

    vi /etc/endlessh/config
    

    Add following content

    Port 22
    Delay 10000
    MaxLineLength 32
    MaxClients 4096
    LogLevel 0
    BindFamily 0
    

    If you need to enable log, set LogLevel to 1.

    Enable and restart endlessh

    systemctl enable endlessh
    systemctl start endlessh
    
  • SSH Too many authentication failures

    When i ssh into a server, i get following error

    root@lab:~# ssh [email protected] -p 3333
    Received disconnect from 14.18.58.78: 2: Too many authentication failures
    root@lab:~#
    

    I checked server log (/var/log/auth.log) and found following

    Nov 13 19:06:42 lab sshd[32030]: error: maximum authentication attempts exceeded for root from 188.40.131.92 port 52956 ssh2 [preauth]
    Nov 13 19:06:42 lab sshd[32030]: Disconnecting: Too many authentication failures [preauth]
    

    This error happens when you have several SSH keys. When you try to connect to remote server, ssh client try to autenticate to remote server using SSH keys present on your computer. If you have several keys, ssh client make that much login attempts if the keys are valid for remote server you are trying to login.

    ssh server deamon have a settings MaxAuthTries. Default value for this settings is 6. If number of invalid login attempt exceeds the value of MaxAuthTries, you will get above error.

    You can see all SSH keys on your computer with

    ssh-add -l
    

    If you have many keys, consider removing some of the keys from agent using ssh-add command.

    To fix this error edit file

    vi /etc/ssh/sshd_config
    

    Check if the file have entry for MaxAuthTries, if yes, increase its value. If no entry present in the server add it.

    MaxAuthTries 8
    

    Restart sshd service.

    systemctl restart sshd
    

    You can see how many login attemts you make using ssh -v option (verbose).

    root@server12:~# ssh -v [email protected] -p 3333
    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /root/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 174.138.58.78 [174.138.58.78] port 3333.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/identity type -1
    debug1: identity file /root/.ssh/identity-cert type -1
    debug1: identity file /root/.ssh/id_rsa type 1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
    debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-sha1 none
    debug1: kex: client->server aes128-ctr hmac-sha1 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '[174.138.58.78]:3333' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:139
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/boby/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: boby@hon-pc-01
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: redbridgefinance-mumbai
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: aws-eb
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: aws-austin-boby
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /root/.ssh/identity
    debug1: Offering public key: /root/.ssh/id_rsa
    Received disconnect from 174.138.58.78: 2: Too many authentication failures
    root@server12:~# 
    

    See SSH

  • SSH Tunnel

    If you have a server with SSH access, you can use it as sock 5 proxy or for port forwarding with just ssh access.

    Socks5 Proxy

    SSH tunnel can be used for browsing security. It act like a socks5 proxy.

    ssh root@SERVER_IP -D 7373

    OR

    ssh -f -N root@REMOTE_SERVER_IP -D 7373

    SERVER_IP is IP of the remote server, that you will be using as sock 5 server.

    You can configure your browser to use sock5 proxy with IP address 127.0.0.1 and port 7373. You can change port by changing port in above commands.

    -N = Do not execute a remote command. This is useful for just forwarding ports.
    -f = go into background mode.

    Forwarding Remote Port to local

    You have a remote server that run a service on some port, that is not accessable to public. This is useful for services like MySQL, redis that is bind to 127.0.0.1 by default for security reason.

    ssh -L 9999:127.0.0.1:3306 root@REMOTE_SERVER_IP

    Example

    ssh -L 9999:127.0.0.1:3306 [email protected]

    MYSQL running on remote server will be available on port 9999 on local computer.

    You can add -f -N option in cause you need above ssh command run in background.

    Forwarding local port to remote server

    Lets say you have a local web site running on your computer, you need to show this to your customer. You can’t make the web site from your computer as you are behind NAT network and your router don’t support port forwarding.

    To forward local port to remote server, run

    ssh -R REMOTE_PORT:localhost:LOCAL_PORT root@REMOTE_SERVER_IP

    Example

    ssh -R 8080:localhost:80 [email protected]

    Service running on port 80 on local computer will be available on remote server on port 8080. Your customer can view the web site using url REMOTE_SERVER_IP:8080

    See SSH, SSH Port Forwarding

  • Disable sshd start on boot in ubuntu

    On my local computer, i have installed openssh-server, but i don’t want it always enabled.

    To disable openssh-server from auto start on boot, run

    systemctl disable ssh
    

    Example

    root@lab:~# systemctl disable ssh
    Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install disable ssh
    Removed /etc/systemd/system/sshd.service.
    Removed /etc/systemd/system/multi-user.target.wants/ssh.service.
    root@lab:~# 
    

    If you want to start ssh server on boot, run systelctl enable ssh

    root@lab:~# systemctl enable ssh
    Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable ssh
    Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
    Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
    root@lab:~# 
    

    See Ubuntu

  • Email Alert When User Login Using SSH

    On web servers, you may need to get email alert when someone logs in to your server using SSH. To do this edit file

    vi ~/.bashrc

    Add

    echo "ALERT - Bash shell access by user \"`whoami`\" to server $HOSTNAME  on  `date` "  | mail -s  "Alert:  Shell access detected from user \"`whoami`\" from IP_Address: `who | cut -d"(" -f2 | cut -d")" -f1`" [email protected]

    In above, replace [email protected] with your actual email address. You need a mail server installed on your server for this to work.

    If you want to log to a file, add

    echo 'ALERT - Root Shell Access (' `hostname` ') on:' `date` `who` >> /var/log/user-logins

    See SSH

  • SSH Port Forwarding

    On a remote server, we have an application running on 127.0.0.1:8010. Since the application is listening on internal IP address 127.0.0.1, we can’t access it remotely. To access this application, we can use SSH port forwarding.

    ssh -L 8010:127.0.0.1:8010 [email protected] -p 3333
    

    In above example, application running on server lab.serverok.in is available on my local computer at

    http://127.0.0.1:8010
    
  • SSH Remember Passphrase

    When i connect to remote server using SSH using private key, it ask for passphrase every time.

    root@admin:~# ssh [email protected]
    Enter passphrase for key '/root/.ssh/id_rsa': 
    
    root@admin:~# 
    

    I want it only ask once, then remember it.

    To do this, you need to run

    eval `ssh-agent -s`
    ssh-add
    

    When you run “ssh-add” command, it ask for your passphrase. Now you will be able to use your SSH Key with out getting promoted for passphrase.

    See ssh