SSH

OpenSSH is a suite of programs that make remote access to servers secure, encrypted, and simple. An SSH server runs on the remote machine, and an SSH client runs on the machine you connect from.


 * Secure Shell - Client for shell access to a remote machine.
 * Secure Shell Server - Server for remote shell access to the current machine.
 * sftp - An FTP-style server to copy files between computers.

Installation
If you're using Raspbian on the RPi, the SSH server is automatically set up. Otherwise, you must install it.

Make sure to install ufw as the primary firewall and allow SSH through it with this command:

sudo ufw allow ssh

Next, install openssh:

sudo apt-get install openssh-server

Configure SSH by editing the SSH config file:

sudo nano /etc/ssh/sshd_config (use CTRL + x to save and exit)
 * Ubuntu - SSH/OpenSSH/Configuring

SFTP
The SSH server provides a secure, easy-to-use alternative to FTP transfer. Just install SSH, and the server works out of the box, through the SSH port.

Then, in an FTP client such as FileZilla, just set the protocol to SFTP and connect, and you're done.

Of course, since encrypted data is sent a bit slower, a good ol' FTP connection might be worth the trouble for unclassified files. Or you can try Barracuda Drive WebDAV.


 * Raspberry Pi Documentation - SFTP

SSH Tunneling
SSH Tunneling makes it possible to use your home network as a secure proxy server.

This way, you can use it to bypass network restrictions (such as anti-torrent policies), or access the internet in a safe, encrypted manner (to keep your browsing packets secret on Starbucks' unsecured WiFi).

On the SSH server, edit /etc/ssh/sshd_config and add this line at the end to enable SSH Tunneling:

AllowTcpForwarding yes

Run this command in a Linux terminal to start SSH Tunneling (add your own username and server address):

ssh -D 9999 YourUsername@YourServerOrIP.domain

Log in to the SSH session, and a terminal session will begin. SSH Tunneling is now enabled as well, for as long as that session stays open.

To use SSH Tunneling, point your browser's SOCKS proxy settings at localhost, port 9999 (the port given to -D in the command above). On Firefox, for example:



To tunnel other programs (torrent clients, Skype, etc.) you can also set their SOCKS proxy settings to the same address and port.

X11 Forwarding
SSH has a little-known feature that allows it to transmit a graphical X11 session over SSH as well, so you can run graphical applications (only if you're using Linux or Mac).

First, on your SSH server, edit the /etc/ssh/sshd_config file, and uncomment the following line:

X11Forwarding yes

Now, on the client, add the -X argument to the SSH command to access the server with X11 privileges.

ssh -X user@example.org

Check that the X11 transmission is actually working by looking at the DISPLAY variable:

echo $DISPLAY

The output should be non-empty and name an X display. If not, check your server's configuration.

You can now send a command to run any X11 application and it will appear on your computer. It might not be feasible to transmit gigantic applications such as Firefox, though, so try lighter browsers such as Midori.

I usually do SSH X11 Forwarding to access the local network's router administration console, which is not accessible to the public internet. However, this can be horrifically slow if you are far away from the router, so SSH Tunneling is strongly recommended instead.
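If AllowTcpForwarding or X11Forwarding still has no effect after the edits above, check where the line landed: sshd uses the first value it reads for a keyword, and lines after a Match line apply only to connections meeting that match. The following is an added example, not part of the original page; the sample config and function names are constructed, and Include files are not followed.

```python
import re

# Constructed sample, not a real server's file: the two forwarding lines were
# appended at the end, after an earlier setting and after a Match block.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
AllowTcpForwarding no
#X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server

Match User backup
    ForceCommand internal-sftp
AllowTcpForwarding yes
X11Forwarding yes
"""


def global_setting(config_text, keyword):
    """Return (value, line_number) of the line that sets `keyword` for all
    connections, or (None, None) when sshd falls back to its built-in default."""
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        # Keyword and argument are separated by whitespace, optionally with "=".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # lines below apply only to connections matching the criteria
        if key == keyword.lower():
            return (parts[1] if len(parts) > 1 else ""), number  # first value wins
    return None, None


def audit(config_text, keywords=("AllowTcpForwarding", "X11Forwarding")):
    """Map each forwarding keyword to the (value, line) that decides it."""
    return {k: global_setting(config_text, k) for k in keywords}


if __name__ == "__main__":
    for keyword, (value, line) in audit(SAMPLE_SSHD_CONFIG).items():
        if line is None:
            print(f"{keyword}: not set globally, built-in default applies")
        else:
            print(f"{keyword}: '{value}' from line {line}")
```

On a live server, `sudo sshd -T` prints the settings sshd ends up with after parsing its configuration, and restarting the SSH service is what makes an edit take effect.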


 * ITG Indiana - Configuring OpenSSH with X11 Support

Reverse SSH Tunneling
If your server is behind a NAT or firewall and you are unable to port forward it (such as in college, or anywhere where there is no administrative access to the router), you can build a reverse SSH tunnel to administer the server instead. (Of course, make sure that your admin is alright with it...)

To keep the reverse SSH tunnel alive on the go, you can use Autossh, steps here.


 * Mark Sanborn - Bypass Firewall and NAT with Reverse SSH Tunnel
 * AskUbuntu - SSH without opening the ports

Port Knocking
Leaving an SSH server out in the open can be problematic. One method sysadmins use to obscure the SSH port is to change it to something that isn't 22. But security through obscurity is no security at all.

A better solution is to require the user to provide a secret "knock": meaning, a procedure, such as sending packets to certain ports within 4 seconds. This way, an ordinary SSH client trying to probe port 22 would not even know that the service existed there.

The major downside is that SSH clients that do not support this procedure, such as mobile clients and PuTTY, will not work anymore.

https://www.marksanborn.net/linux/add-port-knocking-to-ssh-for-extra-security/