Securing SSH Connection
Generating a Key and Connecting
The best way to protect your SSH server is to use encrypted keys. Download PuTTY and PuTTYgen. Run puttygen.exe, press 'Generate' and move your mouse cursor around in the gray area. Enter a passphrase, but don't forget it, as you will need it when connecting to your machine. You can also leave it blank, which makes the connection less secure albeit more convenient. Save the public and private keys and don't close the window yet. Connect to your GNU/Linux machine as the user you wish to secure and create a file:
- cd ~
- mkdir .ssh
- chmod 700 .ssh
- cd .ssh
- nano authorized_keys
Now, in your PuTTYgen window, copy the generated key up to the comment ('=rsa-key-date'), like this. Paste it into the nano window so that the whole key is on one long line; if you're connected via PuTTY, a right click pastes it, and it should come out as one unbroken line:
- ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAkEZzBaZoOHY6GoRkPAd/tjVutuW...
Save, exit and change permissions:
- chmod 600 authorized_keys
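The two things that most often go wrong in the steps above are the permission bits and a key that got wrapped across several lines when pasted. The following check script is an added example, not code from the original tutorial: the function names (perm_of, check_ssh_dir, validate_authorized_keys) are my own, the directory is a parameter so it can be run against any account, and the sample key bodies in the usage comment are constructed.

```sh
#!/bin/sh
# Added example, not from the original tutorial: check that a ~/.ssh directory
# has the modes the steps above set (700 on the directory, 600 on
# authorized_keys, config and private keys) and that every entry in
# authorized_keys is a complete single-line key.

# perm_of FILE: print the octal mode, e.g. 700 (GNU stat, falling back to BSD stat)
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_dir DIR: return 0 when all modes are right, 1 otherwise, naming each offender.
# sshd's StrictModes (on by default) refuses keys from a group- or world-writable
# directory or file, so a wrong mode here shows up as "Server refused our key" in PuTTY.
check_ssh_dir() {
    dir=$1
    rc=0
    if [ "$(perm_of "$dir")" != "700" ]; then
        echo "FAIL: $dir is mode $(perm_of "$dir"), expected 700"
        rc=1
    fi
    for f in "$dir"/authorized_keys "$dir"/config "$dir"/id_rsa "$dir"/id_ed25519; do
        [ -e "$f" ] || continue
        mode=$(perm_of "$f")
        if [ "$mode" != "600" ]; then
            echo "FAIL: $f is mode $mode, expected 600"
            rc=1
        fi
    done
    return $rc
}

# validate_authorized_keys FILE: every non-blank, non-comment line must be
#   [options] keytype base64 [comment]
# on one line. A line that starts with base64 characters instead of a key type
# is the classic symptom of a key pasted across several lines. Quoted options
# that contain spaces (e.g. from="a b") are not handled by this simple check.
validate_authorized_keys() {
    file=$1
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '' | '#'*) continue ;;
        esac
        if printf '%s\n' "$line" | grep -Eq '^([^ ]+ )?(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'; then
            continue
        fi
        echo "FAIL: $file line $n is not a complete single-line key: ${line%% *}..."
        rc=1
    done < "$file"
    return $rc
}

# Usage against the account you just set up:
#   check_ssh_dir ~/.ssh && validate_authorized_keys ~/.ssh/authorized_keys
```

Run it as the user whose key you installed; a non-zero exit with a FAIL line tells you exactly which file or line to fix before you lock password logins out on the server side.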
Now, to connect to your server from a Windows machine, launch PuTTY and enter the remote address and port number. In the left pane navigate to 'Connection/SSH' and in the 'Auth' window browse for the private key you created earlier. You can save your session so it will load the key automatically.
On GNU/Linux it's much simpler. On the client computer generate your keys by running the 'ssh-keygen' command, save the keys to the default '~/.ssh' directory and run the following:
- ssh-keygen
- cd ~/.ssh
- touch config
- chmod 600 *
- ssh-copy-id -i id_rsa.pub <username>@<remote_address>
This will add your public key straight to the remote server's 'authorized_keys' file. If you want to connect, run this:
- ssh -p <remote_port> -i <path_to_key> <username>@<remote_address>
Some of those switches are not required if the usernames match, the key has already been authorized, or the remote port is the default (22). Also, add a few lines to the config file on your client machine to keep the connection alive:
- cd ~/.ssh
- nano config
And add:
- Host *
- ServerAliveInterval 60
Now you only need to change a few settings in the server's SSH daemon configuration file.
SSHd Configuration
Before you start fiddling with 'sshd_config', make an anti-lockout script to run periodically, especially if you're connecting to a server outside your physical reach. Create a file:
- su
- cd
- touch antilockout.sh
- chmod 700 antilockout.sh
- nano antilockout.sh
Paste the script:
- #!/bin/bash
- # keep a timestamped copy of whatever is in sshd_config right now
- cp /etc/ssh/sshd_config "/etc/ssh/sshd_config_$(date "+%Y-%m-%d_%H:%M:%S")"
- # do nothing until the backup from the next section exists, otherwise cp fails and ssh is restarted for no reason
- [ -f /etc/ssh/sshd_config.bak ] || exit 0
- cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
- /etc/init.d/ssh restart
Open up cron:
- crontab -e
And add a rule:
- */10 * * * * /root/antilockout.sh > /dev/null 2>&1
Now every 10 minutes 'sshd_config' will be reset to 'sshd_config.bak', leaving a timestamped copy of your work.
Next, back up the SSHd configuration and open it up. Don't mistake 'sshd_config' for 'ssh_config'.
- su
- cd /etc/ssh
- cp sshd_config sshd_config.bak
- nano sshd_config
Find and change the following lines to:
- AuthorizedKeysFile %h/.ssh/authorized_keys
- RSAAuthentication yes
- PubkeyAuthentication yes
- ChallengeResponseAuthentication no
- PasswordAuthentication no
- UsePAM no
From now on you will be able to connect to the machine only with an RSA key. I would also advise disabling root login over SSH and limiting the maximum number of authentication attempts per session:
- PermitRootLogin no
- MaxAuthTries 6
Save, exit and restart the SSHd service.
- /etc/init.d/ssh restart
If everything works, don't forget to delete or comment out the antilockout script line in 'crontab'.
Using SSH Server As Proxy
If you have a remote shell and you're using Windows, you can set up PuTTY to act as a SOCKS5 proxy in just a few simple steps.
On GNU/Linux it's even less complicated. Just run this:
- ssh -C2qTnN -D 8080 -p <remote_port> <username>@<remote_address>
Again, you might not need to specify the remote port or username, depending on your configuration. Add & at the end of the command to put it in the background. The proxy settings are the same: point your browser to localhost:8080 and set the type to SOCKS5. Don't forget to enable the 'resolve DNS remotely' option. Enjoy browsing the web on unsafe public WiFi!