Ask the Expert

Setting up SSH for remote, secure server access

Can you offer some tips for setting up an SSH service so I can get secure, remote access to my server?

    Requires Free Membership to View

It would help to know on what platform you'd like to set up SSH on, but I can provide some general tips.

  • Use only SSH V2 -- V1 is vulnerable to compromise. On Linux, this is usually done by default and managed in your /etc/ssh/sshd_config file by the Protocols option.
  • Don't allow root or Administrators to log in directly. Only normal users should be allowed to log in and then if required they can escalate their privileges by using su or sudo. On Linux this is controlled, again in the sshd_config file, by the PermitRootLogin option.
  • Ensure you use suitable authentication, for example passwords or keys.
  • Try to avoid using port 22 for your SSH connections. Automated brute force attack tools are commonly used by attackers to scan port 22 and try to brute usernames and passwords. Changing the port to something else, for example 2222, is a quick and simple way of reducing this risk. Alternatively, if you must use port 22, you can use tools like BlockSSHD (Note: I am the author of this tool) or Fail2Ban to block excessive or inappropriate login attempts.
  • Ensure you have configured suitable logging of your SSH daemon and that you review your logs for illicit login attempts. Ttools like Swatch and SEC can assist with this.
  • Only bind SSH to the addresses required. If you have multiple interfaces in your host, for example an interface on your internal network and another on an external network such as the Internet, then only bind the daemon to the interface through which you need to connect. This is controlled on Linux using the ListenAddress option.
I hope that helps.

This was first published in July 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: