SSH (Secure Shell) enables the connection to a remote cloud server using either a command-line or GUI client. It is a network protocol utilized by various applications such as scp and rsync. Scp allows for the copying of files between hosts on a network, while rsync leverages SSH to transfer files and folders between a local and remote host, specifically handling those that have been modified since the last transfer. Rsync proves to be an efficient method for backing up entire projects.
This guide provides instructions on configuring SSH on both a local host and a remote mCloud host. It covers various topics including preventing unintentional login lockouts and addressing the following aspects:
- Setting up key-based authentication for the local host SSH client.
- Restricting root login and disabling password authentication.
- Configuring an alternative port number to minimize unauthorized login attempts.
- Implementing fail2ban to decrease the risk of brute-force attacks.
- Configuring SSH Agent Forwarding for Non-Root Users.
- Understanding and utilizing SSH Tunneling.
- Employing scp to copy files between hosts.
- Utilizing rsync for backing up files and folders.
This guide assumes the usage of the OpenSSH ssh command-line client, which is typically available on Unix-like systems including macOS and Linux. For Windows users, the guide suggests utilizing the Windows Subsystem for Linux on a Windows 10/11 PC to access the OpenSSH ssh client.
Configure the Local Host SSH Client
1. Install SSH keypair
$ ssh-keygen -t ed25519 -C "hostname"Frequently, the -C key comment in SSH is utilized to specify an email address. Nevertheless, it's important to note that the key comment can consist of any text. One useful practice is to set it as your hostname to aid in organizing and identifying the SSH keys associated with each host. When saving the key pair for each host, it is crucial to use distinct filenames to avoid confusion. Additionally, it is recommended to enter a passphrase when prompted for enhanced security.
Please ensure that you securely copy and paste your passphrase when prompted. Remember that the passphrase will not be visible as you enter it for security reasons. It's worth noting that entering a filename is optional, and if omitted, the default filename ~/.ssh/id_ed25519 will be used. However, it is highly recommended to create a unique key pair for each host to maintain better security practices and organization.
To install your SSH key on an existing mCloud server, you can utilize the ssh-copy-id command. This command is used to install the public SSH key in the ~/.ssh/authorized_keys file on your mCloud host. When prompted, please enter your host user password to complete the process.
ssh-copy-id -i ~/.ssh/id_ed25519 username@hostnamePlease note that when connecting to a server for the first time, you may encounter an "The authenticity of host" message. In this case, it is necessary to answer "yes" to continue connecting.
Regarding the example SSH command provided, it is important to mention that it may not work unless you are using the default identity filename, which is ~/.ssh/id_ed25519. If you have customized the filename or are using a different key, please adjust the command accordingly.
If you have previously used SSH to log into your server and have recently reinstalled it, you might encounter an error message indicating that the key has changed. In such cases, it is recommended to delete the previous entry in the ~/.ssh/known_hosts file and then run the SSH command again.
To verify that you can log into your server using your SSH key, please execute the following command:
ssh -i ~/.ssh/id_ed25519 <username>@<hostname>
Replace <username> with your actual username on the server and <hostname> with the hostname or IP address of your server.
This command uses the -i option to specify the identity file, which is set to the default filename~/.ssh/id_ed25519. If you have a different key filename or path, please adjust the command accordingly.
By running this command, you will attempt to establish an SSH connection to the server using your SSH key as the authentication method. If everything is set up correctly, you should be able to log in without being prompted for a password.
2. Create a local SSH Configuration File
You can create an SSH configuration file to store SSH options for hosts and users, making it easier to connect to servers by simplifying the SSH command line. Additionally, you can define host aliases to avoid entering the fully qualified domain name (FQDN) each time. The SSH configuration file can contain both global and per-host options.
Here's an example of a ~/.ssh/config file for the example server:
Host vm-host
Hostname vm-host.example.com
User <username>
IdentityFile ~/.ssh/user123_ed25519In this example, vm-host is the host alias that you can use instead of the fully qualified domain name (vm-host.example.com). <username> should be replaced with your actual username on the server.
The IdentityFile option specifies the path to your private key file for this host.
You can add more configuration options to customize your SSH connection, such as specifying the port, enabling compression, or setting up SSH tunneling. The ~/.ssh/config file allows you to define different configurations for various hosts and easily switch between them.
When connecting to the default user on the server, just do:
ssh user123Restrict the root Login and Disable Password Authentication
It is generally considered a security best practice to disable direct root login via SSH. Allowing the root user to log in directly via SSH poses a higher security risk, as it provides potential attackers with a privileged account to target.
Before restricting root SSH access and disabling password authentication, we need to create a regular user with sudo privileges.
To create a regular user and grant them sudo permissions, follow these steps:
Log into your root account on the server. Then, create a new user using the adduser command. For example:
root@vm-host:~# adduser admin-userYou will be prompted to provide a secure password for the new user and fill in additional information as desired.
Add the user to the sudo group using the usermode command:
root@vm-host:~# usermod -aG sudo admin-userThis command adds the user admin-user to the sudo group, granting them sudo privileges.
Verify that you can log into the new user account. Open a new terminal session and run the following command:
ssh admin-user@vm-host.example.comReplace vm-host.exampl.com with the hostname or IP address of your server. Enter the password for the admin-user user when prompted.
Once logged in, you should see a command prompt indicating that you are logged in as the admin-user user.
Install the SSH public key for the new user. From your local machine, run the ssh-copy-id command:
ssh-copy-id -i ~/.ssh/user123_ed25519 admin-user@user123.example.comReplace vm-host.exampl.com with the hostname or IP address of your server. You will be prompted to enter the password for the admin-user user.
This command copies your SSH public key to the ~/.ssh/authorized_keys file in the home directory of the admin-user user on the server, allowing you to log in without entering a password in the future.
By following these steps, you will create a regular user, grant them sudo permissions, and configure SSH access for that user using SSH key authentication.
To restrict root access and disable password authentication, first log into your server as the root user. Then open the SSH server configuration file (/etc/ssh/sshd_config) in a text editor.
Locate the PermitRootLogin line and change it from:
PermitRootLogin yesto:
PermitRootLogin noThis change will prevent the root user from logging in directly via SSH.
Locate the PasswordAuthentication line and change it from:
#PasswordAuthentication yesto:
PasswordAuthentication noEnsure that you remove the '#' comment at the beginning of the line to enable the change.
Disabling password authentication will require the use of SSH key pairs for authentication.
Save the changes to the sshd_config file.
Restart the SSH daemon to apply the configuration changes. You can use the following command:
sudo systemctl restart sshdThis command will restart the SSH service on your server.
After making these changes, root login via SSH and password authentication will be disabled. You can test the changes by attempting to log in as the root user and the regular user from a host that does not have SSH authentication or has SSH authentication disabled.
The examples you provided show that root authentication fails, but the user account access works, which indicates that the changes have been applied successfully.
Configure an Alternate Port Number
Changing the SSH port number reduces the number of unauthorized login attempts. To configure an alternate port number for SSH, you can follow these steps:
Log into your server as the root user. Open the SSH server configuration file (/etc/ssh/sshd_config) in a text editor.
Locate the Port line, which specifies the default SSH port (usually port 22). If there is a `#` character at the beginning of the line, remove it to uncomment the line.
Change the port number to your desired alternate port. Choose a port number that is not commonly used by other services to reduce the risk of conflicts. For example, you can use port 2222:
Port 2222Save the changes to the sshd_config file.
Restart the SSH daemon to apply the configuration changes. You can use the following command:
user123@vm-host:~$ sudo systemctl restart sshdThis command will restart the SSH service on your server.
After configuring the alternate port number, SSH will listen on the specified port instead of the default port (22). Keep in mind the following considerations:
When connecting to the server via SSH from a client, you will need to specify the alternate port in the SSH command. For example:
ssh -p 2222 user@vm-host.example.comSome firewalls and network configurations might need to be updated to allow incoming connections on the new port. Ensure that the necessary firewall rules are adjusted accordingly.
By using an alternate port number, you can reduce the number of unauthorized login attempts, as most automated bots and attackers typically target the default SSH port (22) for their scanning and brute-force attacks.
