SSH
OpenSSH is a suite of programs that make remote access to servers secure, encrypted, and simple. An SSH server runs on the remote machine, and an SSH client runs on the accessor.
- Secure Shell (ssh) - Client for shell access to a remote machine.
- Secure Shell Server (sshd) - Server for remote shell access to the current machine.
- sftp - An FTP-style server to copy files between computers.
Installation
If you're using Raspbian on the RPi, the SSH server is automatically set up. Otherwise, you must install it.
Make sure to install ufw as the primary firewall and allow SSH through it with this command:
sudo ufw allow ssh
Next, install openssh:
sudo apt-get install openssh-server
Configure SSH by editing the SSH config file:
sudo nano /etc/ssh/sshd_config
(use CTRL + x to save and exit). sshd only reads this file when it starts, so restart it afterwards with sudo service ssh restart for any change to take effect.
SFTP
The SSH server provides a secure, easy-to-use alternative to FTP transfer. Just install SSH, and the server works out of the box, through the SSH port.
Then, on an FTP client such as FileZilla, just select SFTP and connect, and you're done.
Of course, since encrypted data is sent a bit slower, a good ol' FTP connection might be worth the trouble for unclassified files. Or you can try Barracuda Drive WebDAV.
SSH Tunneling
SSH Tunneling makes it possible to use your home network as a secure proxy server.
This way, you can use it to bypass network restrictions (such as anti-torrent policies), or access the internet in a safe, encrypted manner (to keep your browsing packets secret on Starbucks' unsecured WiFi).
On the SSH server, edit /etc/ssh/sshd_config and add this line at the end to enable SSH tunneling (yes is already the OpenSSH default, and sshd uses the first value it finds for a keyword, so check that no earlier line in the file sets it to no; restart sshd after editing):
AllowTcpForwarding yes
Run this command in a Linux terminal to start SSH tunneling (substitute your own username and server address):
ssh -D 9999 username@server-address
Log in to the SSH session and a terminal session will begin. The tunnel is now up as well, listening as a SOCKS proxy on local port 9999.
To use SSH tunneling, point your browser's SOCKS proxy settings at 127.0.0.1:9999. Choose SOCKS v5 and also send DNS lookups through the proxy (in Firefox the option is "Proxy DNS when using SOCKS v5"), otherwise hostnames are still resolved over the local network in the clear. On Firefox, for example:
To tunnel other programs (torrent clients, Skype, etc.) you can also set their SOCKS proxy settings to 127.0.0.1:9999.
X11 Forwarding
SSH has a little-known feature that lets it carry a graphical X11 session over the SSH connection as well, so you can run graphical applications remotely (only if you're using Linux or Mac).
First, on your SSH server, edit the /etc/ssh/sshd_config file, find the X11Forwarding line (commented out and set to no by default), uncomment it and set it to:
X11Forwarding yes
Now, on the client side, add the -X argument to the SSH command to open the session with X11 forwarding enabled:
ssh -X username@server-address
Check that X11 forwarding is actually working by looking at the $DISPLAY variable:
echo $DISPLAY
You should see output like localhost:10.0. If not, check your server's configuration.
You can now run any X11 application, such as xclock, and it will appear on your computer. Transmitting heavy applications such as Firefox may not be feasible, so try lighter browsers such as Midori.
I usually do SSH X11 Forwarding to access the local network's router administration console, which is not accessible to the public internet. However, this can be horrifically slow if you are far away from the router, so SSH Tunneling is strongly recommended instead.
Reverse SSH Tunneling
If your server is behind a NAT or firewall and you are unable to port forward it (such as in college, or anywhere where there is no administrative access to the router), you can build a reverse SSH tunnel to administer the server instead. (Of course, make sure that your admin is alright with it...)
To keep the reverse SSH tunnel alive on the go, you can use Autossh, steps here.
- Mark Sanborn - Bypass Firewall and NAT with Reverse SSH Tunnel
- AskUbuntu - SSH without opening the ports
Port Knocking
Leaving an SSH server out in the open can be problematic. One method sysadmins use to obscure the SSH port is to change it to something that isn't 22, but security through obscurity is no security at all.
A better solution is to require the user to provide a secret "knock": a procedure such as sending packets to certain ports within 4 seconds. This way, an ordinary SSH client trying to connect to port 22 would not even know that the service existed there.
The major downside is that SSH clients that do not support this procedure, such as mobile clients and PuTTY, will not work anymore.
https://www.marksanborn.net/linux/add-port-knocking-to-ssh-for-extra-security/
Monitor Failed SSH Attempts
http://www.reddit.com/r/linux/comments/42v79z/i_redirected_a_hackers_ssh/czdrcnj
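A small parser for the failed-attempt monitoring this section points at, added here as an example (it is not code from the linked thread). It runs over constructed auth.log lines in the format OpenSSH writes; the flagging threshold of 3 failures is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines (not captured traffic);
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:07 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Jan 10 03:14:09 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Jan 10 03:14:12 raspberrypi sshd[1203]: Failed password for root from 203.0.113.5 port 51430 ssh2
Jan 10 03:14:15 raspberrypi sshd[1205]: Failed password for pi from 203.0.113.5 port 51433 ssh2
Jan 10 03:20:41 raspberrypi sshd[1250]: Failed password for pi from 192.0.2.10 port 40210 ssh2
Jan 10 03:20:50 raspberrypi sshd[1252]: Accepted publickey for pi from 192.0.2.10 port 40212 ssh2
Jan 10 03:22:03 raspberrypi sshd[1260]: Invalid user test from 198.51.100.7 port 33001
"""

# sshd logs "Failed password for [invalid user] <user> from <ip> port <port> ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
# and "Invalid user <user> from <ip> port <port>" before any password is tried
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_failures(log_text):
    """One (ip, user, invalid_user) tuple per failed or invalid-user attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line) or INVALID_RE.search(line)
        if m:
            # INVALID_RE has no "invalid" group: such a line is always an unknown user
            invalid = "invalid" not in m.groupdict() or m["invalid"] is not None
            events.append((m["ip"], m["user"], invalid))
    return events

def failures_by_ip(log_text):
    """Failed attempts per source address."""
    return Counter(ip for ip, _, _ in parse_failures(log_text))

def users_by_ip(log_text):
    """Account names each source tried; many names from one source means guessing."""
    seen = defaultdict(set)
    for ip, user, _ in parse_failures(log_text):
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()}

def flag_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures, most failures first."""
    return [ip for ip, n in failures_by_ip(log_text).most_common() if n >= threshold]
```

Point it at the real file with flag_sources(open("/var/log/auth.log").read()) to see which sources are hammering the server; successful logins (the Accepted line) are deliberately not counted.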