Linux Basics - Getting Started with OpenSSH - Installation and Port Change with Fail2ban

OpenSSH is incredibly useful as it enables secure remote access to servers, facilitates file transfers, and provides various network services such as port forwarding and tunneling.

OpenSSH is a free and open-source suite of secure network utilities that enables secure remote login, remote file transfer, and secure tunneling over the internet. It is the de facto standard for remote access on Unix-like systems and is available on most Unix-like operating systems, including Linux, macOS, and FreeBSD.

OpenSSH provides several tools, including ssh (Secure Shell) for secure remote login, scp (Secure Copy) for secure file transfer, and ssh-keygen for generating and managing public-private key pairs for authentication. OpenSSH uses strong encryption algorithms and supports various authentication methods, including passwords, public keys, and Kerberos tickets. OpenSSH also supports X11 forwarding, TCP forwarding, and dynamic port forwarding, which allows users to securely tunnel TCP/IP traffic over an encrypted SSH connection. OpenSSH is a critical tool for secure remote access and file transfer on Unix-like systems.

Here's how to install OpenSSH on a Debian (or Ubuntu) system:

1. Update the package index: Open a terminal and run the following command:

sudo apt update

2. Install OpenSSH server: Run the following command to install the OpenSSH server:

sudo apt install openssh-server

This will install the OpenSSH server along with any required dependencies.

3. Check the status of the OpenSSH server: After the installation is complete, you can check the status of the OpenSSH server by running the following command:

sudo systemctl status ssh

This will display the current status of the OpenSSH server, including whether it is running or not.

4. Configure the OpenSSH server: By default, the OpenSSH server is already configured to work out-of-the-box. However, you may want to customize the configuration to better suit your needs. To do this, you can edit the /etc/ssh/sshd_config file using a text editor such as nano or vim.

For example, you may want to change the default port number from 22 to something else to improve security. To do this, find the following line in the /etc/ssh/sshd_config file:

#Port 22

Uncomment the line by removing the # character and change the port number to a different number, such as 2222:

Port 2222

Save the changes and exit the text editor.

5. Restart the OpenSSH server: After making changes to the configuration file, you need to restart the OpenSSH server to apply the changes. To do this, run the following command:

sudo systemctl restart ssh

This will restart the OpenSSH server and apply any changes made to the configuration file.

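Changing the default port for OpenSSH from 22 to another port can be a good security practice: it avoids the automated attacks that target the default port. It does not hide the service from anyone who scans for the new port, so treat it as noise reduction on top of your other SSH protections.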

Once you have made these changes, you will need to specify the new port number when connecting to the SSH server. For example, if you changed the port to 2222, you would use the command ssh user@hostname -p 2222 to connect to the server.

Now we will further secure SSH using Fail2ban.

1. Update package lists: Before installing any new package, it is always a good practice to update the package lists on your Debian system. You can do this by running the following command:

sudo apt-get update

2. Install Fail2ban: Once the package lists have been updated, you can proceed with the installation of Fail2ban by running the following command:

sudo apt-get install fail2ban

3. Configure Fail2ban: Once Fail2ban is installed, you need to configure it according to your needs. The main configuration file for Fail2ban is located at /etc/fail2ban/jail.conf. However, it is recommended that you do not modify this file directly, because package updates can overwrite it. Instead, put your settings in a file with a .local extension, which Fail2ban reads after jail.conf: either /etc/fail2ban/jail.local or a file under /etc/fail2ban/jail.d/, such as /etc/fail2ban/jail.d/ssh.local. This guide uses jail.local, created as a copy of jail.conf:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

4. Enable jails: Fail2ban uses jails to group together different services that it is monitoring for suspicious activity. By default, Fail2ban comes with a number of pre-configured jails. You can enable a jail by uncommenting its section in the configuration file.

For example, to enable the SSH jail, open the /etc/fail2ban/jail.local file with a text editor and uncomment the following section:

[sshd]
enabled = true

5. Restart Fail2ban: Once you have made the necessary changes to the configuration file, you need to restart Fail2ban to apply the changes. You can do this by running the following command:

sudo systemctl restart fail2ban

6. Verify Fail2ban: You can verify that Fail2ban is running correctly by checking its status. You can do this by running the following command:

sudo systemctl status fail2ban

This will display the status of the Fail2ban service, including whether it is running or not. If the service is running, it means that Fail2ban is monitoring your system for suspicious activity and blocking IP addresses that exhibit such behavior.
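The port change and the Fail2ban jail described above interact: the stock [sshd] jail uses port = ssh (22), so once sshd listens on 2222 the jail also needs port = 2222 for its bans to cover the port in use. The script below is an added example, not part of the original post; it checks that pairing, and its function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the Fail2ban
# [sshd] jail is enabled and covers the port sshd actually listens on.
# Limitation: Include'd files such as sshd_config.d/*.conf are not followed.

# Print every active (uncommented) Port from an sshd_config; default is 22.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Print the value of key $2 in the [sshd] section of jail file $1.
jail_value() {
    awk -v key="$2" '
        /^[ \t]*\[/               { in_sshd = ($0 ~ /^[ \t]*\[sshd\]/); next }
        !in_sshd || /^[ \t]*[#;]/ { next }
        { split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
          if (kv[1] == key) val = kv[2] }
        END { print val }' "$1"
}

# Return 0 only if the jail is enabled and lists each sshd port.
check_ssh_jail() {   # $1 = sshd_config path, $2 = jail file path
    rc=0
    jports=$(jail_value "$2" port)
    [ -n "$jports" ] || jports=ssh        # stock jail.conf uses "port = ssh"
    if [ "$(jail_value "$2" enabled)" != "true" ]; then
        echo "[sshd] jail is not enabled"; rc=1
    fi
    for p in $(sshd_ports "$1"); do
        name=$p
        if [ "$p" = 22 ]; then name=ssh; fi
        case ",$jports," in
            *",$p,"* | *",$name,"*) ;;
            *) echo "sshd listens on $p, jail covers only: $jports"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files: port moved to 2222, jail left at its default.
demo=$(mktemp -d)
printf 'Port 2222\n' > "$demo/sshd_config"
printf '[sshd]\nenabled = true\n' > "$demo/ssh.local"
check_ssh_jail "$demo/sshd_config" "$demo/ssh.local" ||
    echo "fix: add 'port = 2222' under [sshd]"
rm -rf "$demo"
```

On a live system, pass /etc/ssh/sshd_config and /etc/fail2ban/jail.local as the two arguments. A Port line that is still commented out is reported as port 22, which also catches a forgotten # in sshd_config.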


Final Notes and Thoughts

OpenSSH is an essential tool for anyone who needs to securely access remote systems or manage remote servers, and it provides a wide range of benefits and features that make it a valuable addition to any system administrator's toolbox.