SSH

From Bibliotheca Anonoma
Revision as of 14:46, 30 January 2018 by Antonizoon (talk | contribs) (Created page with "'''OpenSSH''' is a suite of programs that make remote access to servers secure, encrypted, and simple. An SSH server runs on the remote machine, and an SSH client runs on the...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

OpenSSH is a suite of programs that make remote access to servers secure, encrypted, and simple. An SSH server runs on the remote machine, and an SSH client runs on the accessor.

  • Secure Shell ssh - Client for Shell access to a remote machine.
  • Secure Shell Server sshd - Server for remote Shell access to the current machine.
  • sftp - An FTP-style server to copy files between computers.

Installation

If you're using Raspbian on the RPi, the SSH server is automatically set up. Otherwise, you must install it.

Make sure to install ufw as the primary firewall and allow it with this command:

sudo ufw allow ssh

Next, install openssh:

sudo apt-get install openssh-server 

Configure SSH by editing the SSH config file:

sudo nano /etc/ssh/sshd_config (use CTRL + x to save and exit)

SFTP

The SSH server provides a secure, easy-to-use alternative to FTP transfer. Just install SSH, and the server works out of the box, through the SSH port.

Then, on a FTP Client such as Filezilla, just set SFTP and connect, and you're done.

Of course, since encrypted data is sent a bit slower, good ol' FTP connection might be worth the trouble for unclassified files. Or you can try Barracuda Drive WebDAV.

SSH Tunneling

SSH Tunneling makes it possible to use your home network as a secure proxy server.

This way, you can use it to bypass network restrictions (such as anti-torrent policies), or access the internet in a safe, encrypted manner (to keep your browsing packets secret at Starbucks unsecured WiFi).

On the SSH Server, edit the /etc/ssh/sshd_config and add this line at the end to enable SSH Tunneling:

AllowTcpForwarding  yes

Run this command in a Linux terminal to start SSH Tunneling (add your own username and server address):

ssh -D 9999 [email protected] 

Login to the SSH session, and a terminal session will begin. SSH Tunneling has also been enabled.

To use SSH Tunneling, point your browser's SOCKS proxy settings at 127.0.0.1:9999. On Firefox, for example:

To tunnel other programs (torrent clients, Skype, etc.) you can also set their SOCKS proxy settings to 127.0.0.1:9999.

X11 Forwarding

SSH has a little known feature that allows it to transmit a graphical X11 session over SSH as well, so you can run graphical applications (only if you're using Linux or Mac).

First, on your SSH server, edit the /etc/ssh/sshd_config file, and uncomment the following line:

   X11Forwarding Yes

Now, as a client session, add the -X argument to the SSH command to access the server with X11 privileges.

   ssh -X [email protected]

Check that the X11 transmission is actually working by looking at the $DISPLAY variable

   echo $DISPLAY

You should receive output stating something like localhost:10.0. If not, check your server's configuration.

You can now send a command to run any X11 application and it will appear on your computer. Such as xclock. Though it might not be feasible to transmit gigantic applications, such as Firefox, so try lighter browsers such as Midori.

I usually do SSH X11 Forwarding to access the local network's router administration console, which is not accessible to the public internet. However, this can be horrifically slow if you are far away from the router, so SSH Tunneling is strongly recommended instead.

Reverse SSH Tunneling

If your server is behind a NAT or firewall and you are unable to port forward it (such as in college, or anywhere where there is no administrative access to the router), you can build a reverse SSH tunnel to administer the server instead. (Of course, make sure that your admin is alright with it...)

To keep the reverse SSH tunnel alive on the go, you can use Autossh, steps here.

Port Knocking

Leaving an SSH server out in the open can be problematic, One method sysadmins use to obscure the SSH port is to change it to something that isn't 22. But security through obscurity is no security at all.

A better solution is to require the user to provide a secret "knock": meaning, a procedure, such as sending packets to certain ports within 4 seconds. This way, an ordinary SSH client trying to ping port 22 would not even know that the service existed there.

The major downside is that SSH clients that do not support this procedure, such as mobile clients and PuTTY, will not work anymore.

https://www.marksanborn.net/linux/add-port-knocking-to-ssh-for-extra-security/