Setting up SSH (Secure Socket Shell)
Secure Shell (SSH), also known as Secure Socket Shell, is a UNIX-based command and protocol used to securely access a remote computer. SSH is a popular way to access servers located in data centres (DCs) or, for the project enthusiast, a practical way to connect to the Raspberry Pi in your shed. SSH uses RSA public key cryptography for both the connection and authentication. SSH is an application-layer protocol (layer 7 of the OSI model) and provides a secure channel over an unsecured network in a client-server architecture.
For an organisation setting up SSH, it is probably wise not to run it on port 22. By default the SSH remote login protocol listens on TCP port 22. Leaving the default is fine for a Raspberry Pi, but if you have valuable data to protect, it is recommended to change the port SSH runs on.
Step 1 – Creating an RSA Key Pair
To begin setting up SSH on a UNIX host (i.e. your PC), open up a terminal and run:
ssh-keygen -t rsa
Once you have entered the above ssh-keygen command, you will be asked:
Enter file in which to save the key (/home/BantuTech/.ssh/id_rsa): (BantuTech is my example user, it will say your username)
You can choose to save it here or use your own location.
After selecting where to save, it will now ask you to choose a password (passphrase). I have written a guide on creating a password here.
Enter passphrase (empty for no passphrase):
The option to leave this blank is available, though I fail to see why a user looking to protect their data would pick it. Entering a passphrase means that, should someone attempt to SSH onto your host, they have to take the time to figure out your passphrase; and if you have security features in place, you can easily change the password when notified of a potential breach.
Following the steps listed above, you will now be faced with this output:
To test that it works, use the ssh command with your host name and enter your very secure password.
To enhance your SSH setup and make it more secure, it is recommended that you change the SSH port. In steps 1 and 2 we set up SSH; in step 3 we will look at reconfiguring it.
Step 3 - Changing SSH Port
To change the port, SSH onto your machine as root:
ssh root@hostname (replace hostname with the hostname or IP address of the machine you want to secure)
When successfully logged in as root, you will edit the sshd_config file.
As a safety measure, I recommend you back up the sshd_config file before you work on it.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
Step 3.1 - Changing the port
Open /etc/ssh/sshd_config in a text editor (I use Vim, since it makes sense) and locate the line that specifies the port. If your sshd_config file has not been altered, the Port setting will be commented out with a # symbol.
The # symbol tells the server to ignore anything after it on the same line, so you will need to remove it and then change the number 22. Pick a port such as 8888 or find a port used by Windows Servers (since you are on a UNIX machine).
Remove the # and change the port number. Save and close the sshd_config file.
Step 4 - Updating your firewall
Once you have changed your port, you need to update your firewall, again using Vim (because it makes sense). As always, make a backup before editing system configuration files.
cp /etc/apf/conf.apf /etc/apf/conf.apf.bak
Open /etc/apf/conf.apf in Vim and find the line titled Common Ingress (inbound) TCP ports.
Add your new port here and follow the format already being used. Save your changes and close Vim.
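The sshd_config edit from Steps 3 and 3.1 (backup, uncomment the Port line, set the new number), as an added shell example that is not part of the original post. It works on a constructed sample file rather than the real /etc/ssh/sshd_config, and assumes GNU or BSD sed with -E support.

```sh
#!/bin/sh
# Added example (not from the original post): rewrite the Port directive in an
# sshd_config-style file, keeping a backup first, as described in Steps 3 and 3.1.
# Handles both the default commented-out "#Port 22" and an already-set "Port N".

# set_ssh_port <config file> <new port>
# Prints the resulting Port line; returns non-zero on bad input or if no Port
# line exists (in which case the file is left untouched).
set_ssh_port() {
    cfg="$1"
    port="$2"
    # Only accept a decimal number in the valid TCP port range.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Match "Port 22", "#Port 22" or "# Port 22" at the start of a line.
    if ! grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        echo "no Port directive found in $cfg" >&2; return 1
    fi
    # Backup first, using the same naming as the post (sshd_config_backup).
    cp "$cfg" "${cfg}_backup" || return 1
    # Drop the leading # and replace the number; write via a temp file so the
    # edit is portable across sed implementations.
    sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg" > "${cfg}.tmp" \
        && mv "${cfg}.tmp" "$cfg" || return 1
    grep -E '^Port ' "$cfg"
}

# Constructed sample config (not a real host's file) for a stand-alone run.
demo_cfg="${TMPDIR:-/tmp}/sshd_config.demo.$$"
printf '%s\n' '# Sample sshd_config (constructed)' '#Port 22' 'PermitRootLogin no' > "$demo_cfg"
set_ssh_port "$demo_cfg" 8888
rm -f "$demo_cfg" "${demo_cfg}_backup"
```

After editing the real file, `sshd -t` checks the configuration syntax before you restart the service, and keeping your current session open until the new port is confirmed reachable avoids locking yourself out.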