Connecting to the server with SSH keys

Secure access to a server's command line is obtained via SSH (Secure Shell). The SSH protocol and tool replaced older predecessors such as telnet, rlogin and rsh, supplying the missing layer of fully encrypted communication between non-authenticated devices on an insecure network.

Thanks to SSH we can get encrypted access to any remote server and work in the server's command line as if we were sitting at that computer. Simply enter your login credentials (username and password) for the IP address of the server. The server runs the server part of SSH (the daemon sshd), to which you connect from a remote computer with the client part of SSH (the ssh tool).

A popular implementation of SSH is released as OpenSSH, and we find it preinstalled on many operating systems such as Windows, macOS, Linux and *BSD. It is a free, open-source tool developed by the programmers of the OpenBSD Project.

Active24 offers Shell via SSH on all our webhosting solutions. For a virtual server (VPS) from Active24, the login credentials are sent in the e-mail you receive after the server is created. Active24 also provides the Linux command line for your hosting as a console that can be accessed from a browser such as Google Chrome, so you can reach the Linux command line regardless of your operating system.

Preparation of server environment

If you use a VPS, the first step is to make sure all installed packages are up to date. Install all software updates with two commands in one go:

sudo apt update && sudo apt upgrade

If the system locates any new updated packages, it will ask whether you want to install them:

Do you want to continue? [Y/n]

Press the y key to start the update, or the n key if you do not want to update the packages. Then press Enter.

If you use webhosting, simply activate Shell and log in; the address is generated automatically, including the exact command for connecting.

Creating private and public SSH keys

First, log in over SSH with your login credentials (username and password) for the server (IP address):

ssh name@server

A more secure form of authentication than login credentials is the use of SSH keys. We create the private and public SSH key with:

ssh-keygen

Since the most widely used operating systems (Windows, macOS and Linux) have OpenSSH preinstalled, the procedure for creating the keys is the same in each command line. First, a message is displayed saying that a pair of keys is about to be created: one key is private, the other is public. When asked for the file name and password, you can simply press Enter to keep the default file name and a key without a password.

Do not publish or share your private key, i.e. the file id_rsa.

The private key is stored in the plain-text file id_rsa; the path to this file was displayed in brackets. In the same directory we find the plain-text file id_rsa.pub, which contains the public key. The file with the private key should never be shared. Send the file with the public key to the server so that the next time you log in the server recognises you by the key rather than by the password.

Adding public SSH key on the server

Linux and macOS include the tool ssh-copy-id, which makes it very easy to write the public key from the file id_rsa.pub into the file of authorised keys on the server (~/.ssh/authorized_keys) with the command:

ssh-copy-id name@server

At the time this guide was written, Windows did not include the ssh-copy-id tool, so there we do it differently:

type %USERPROFILE%\.ssh\id_rsa.pub | ssh name@server "cat >> ~/.ssh/authorized_keys"

Replace name with the username and server with the IP address of the server, then enter the password. At the next login the server will require neither password nor username; you simply enter the IP address (in place of server):

ssh server

If the username we are logged in with locally does not match the username on the server, we need to give the username (name) as well:

ssh name@server
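
The piped command shown for Windows appends whatever it is given: it fails if ~/.ssh does not yet exist, leaves file modes to the umask, and adds a duplicate line on every run. The following added example (not part of the original article) shows what the server-side step has to take care of; the helper name install_pubkey and the sample key are hypothetical. sshd's StrictModes setting, on by default, refuses keys when ~/.ssh or authorized_keys is writable by other users.

```sh
#!/bin/sh
# Added example; install_pubkey is a hypothetical helper, run on the server.
# usage: install_pubkey PUBKEY_FILE [HOME_DIR]   (HOME_DIR defaults to $HOME)
install_pubkey() (
    keyfile=$1
    sshdir=${2:-$HOME}/.ssh
    auth=$sshdir/authorized_keys

    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; exit 2; }
    key=$(grep -v '^[[:space:]]*$' "$keyfile") || key=

    case $key in
        *-----BEGIN*) echo "refusing: looks like a private key" >&2; exit 3 ;;
        ssh-*\ *|ecdsa-*\ *|sk-*\ *) ;;                 # OpenSSH public key types
        *) echo "refusing: not an OpenSSH public key line" >&2; exit 3 ;;
    esac
    [ "$(printf '%s\n' "$key" | grep -c '')" = 1 ] ||
        { echo "refusing: expected exactly one key line" >&2; exit 3; }

    umask 077                                           # new files are owner-only
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Already authorised? -x matches the whole line, -F treats it as a literal.
    grep -qxF -- "$key" "$auth" && { echo "key already present"; exit 0; }

    # If the last line has no newline, add one so two keys are not fused.
    [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ] && echo >> "$auth"
    printf '%s\n' "$key" >> "$auth"
    echo "key added to $auth"
)

# Demonstration with a constructed key in a scratch directory.
demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EXAMPLE name@laptop' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/home"
install_pubkey "$demo/id_rsa.pub" "$demo/home"          # second run adds nothing
rm -rf "$demo"
```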

SSH server protection

For a VPS we recommend configuring the SSH server correctly, which lets you connect via SSH more securely and improves the overall security of your VPS.

Port change

By default the SSH server (daemon) listens on port 22. It is commonly known that this port is used by the SSH service, so it is often targeted by automated attacks. If we change the port to a different number, let's say 4444, the attacker will have a much harder time and the server is better protected against automated attacks.

For safer access to the server via SSH we recommend using the firewall to allow only a specific static IP address to connect. Alternatively, you can block login attempts with tools like fail2ban.

Let's open the configuration file of the SSH server and change port 22 to port 4444:

sudo nano /etc/ssh/sshd_config

In the opened configuration file, locate the line #Port 22 and change it to Port 4444. Save the file by pressing Ctrl + X, then y, and confirm with Enter. Finally, restart the SSH server so the changes take effect.

sudo systemctl restart ssh.service

From now on, a connection to the SSH server has to specify the port (-p 4444) in addition to the name and server:

ssh name@server -p 4444

User restrictions

Another step to secure the SSH server further is to choose the specific users that are allowed to access SSH. You can do that directly by listing users (AllowUsers) or groups of users (AllowGroups).

More about users and groups can be learned in the separate guide File and user management in Linux command line.

Open the configuration file of the SSH server (first line) and locate the directive AllowUsers and/or AllowGroups. If the directives do not exist, add them at the end of the configuration file (second and third lines). Save the file with Ctrl + X, then press y and confirm with Enter. Finally, restart the SSH server (fourth line) so the changes take effect.

sudo nano /etc/ssh/sshd_config
AllowUsers name1 name2 name3
AllowGroups group1 group2 group3
sudo systemctl restart ssh.service

Replace the usernames (name1 name2 name3) and group names (group1 group2 group3) as necessary. Multiple names are separated with a space.

Only users entered in the configuration file on the SSH server in the directive AllowUsers and/or AllowGroups can access SSH. Other login attempts will be denied.

Forbid the use of root user

It is good practice to forbid the user with the highest rights (root) from logging in via SSH, right after you create a new user who is allowed to use the sudo tool.

Forbid the use of the root user only if you have set up another user with the highest possible rights.

Open the configuration file of the SSH server (first line), look for the directive PermitRootLogin and change it as shown on the second line. Save the file with the shortcut Ctrl + X, then press y and confirm with Enter. Finally, restart the SSH server (third line) so the changes take effect.

sudo nano /etc/ssh/sshd_config
PermitRootLogin no
sudo systemctl restart ssh.service

From now on the user root will not be able to log in via SSH.
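
A check of the settings changed in the sections above, as an added example that is not part of the original article: audit_sshd_config (a hypothetical name) reads sshd_config text and reports on Port, PermitRootLogin and AllowUsers/AllowGroups. It relies on two sshd rules: every Port line adds a listener, and for PermitRootLogin the first value found wins. It does not follow Include files or evaluate Match blocks; sudo sshd -T prints the authoritative effective configuration, and sudo sshd -t checks the syntax before a restart.

```sh
#!/bin/sh
# Added example (hypothetical helper): audit sshd_config text read from stdin
# against the settings recommended in this article.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { key = tolower($1) }                    # keywords are case-insensitive
        key == "match" { exit }                  # global section ends at first Match
        key == "port"  { ports = ports " " $2 }  # every Port line adds a listener
        key == "permitrootlogin" && root == "" { root = tolower($2) }  # first wins
        key == "allowusers" || key == "allowgroups" { restricted = 1 }
        END {
            if (ports == "") ports = " 22"       # sshd default when no Port is set
            if (ports ~ / 22( |$)/) print "WARN port 22 is still open; ports:" ports
            else                    print "OK   ports:" ports
            if (root == "") root = "prohibit-password"   # OpenSSH default
            if (root == "no" || root == "forced-commands-only")
                print "OK   PermitRootLogin " root
            else
                print "WARN PermitRootLogin " root
            if (restricted) print "OK   AllowUsers/AllowGroups present"
            else            print "WARN no AllowUsers/AllowGroups restriction"
        }'
}

# Constructed sample: the commented default was edited, but a second, lower-case
# Port line and an earlier PermitRootLogin line defeat the intended settings,
# and AllowUsers sits inside a Match block, so it is not a global restriction.
SAMPLE_CONFIG='#Port 22
Port 4444
port 22
PermitRootLogin prohibit-password
PermitRootLogin no
Match User backup
    AllowUsers backup'

printf '%s\n' "$SAMPLE_CONFIG" | audit_sshd_config
```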

Allow root access only for specific commands

Sometimes it is useful to forbid the root user from logging in to the SSH server while still allowing it to run some commands. This access comes in handy when setting up backups (e.g. with the rsync tool).

First we have to add the public SSH key to the file of allowed keys for the root user (/root/.ssh/authorized_keys). The first line is for Linux and macOS, the second line for Windows. Replace server with the IP address of the server and enter the password for root during login.

ssh-copy-id root@server
type %USERPROFILE%\.ssh\id_rsa.pub | ssh root@server "cat >> /root/.ssh/authorized_keys"

Log in to the server via SSH (first line) and open the file with the allowed keys for the root user (second line), where our public key is written. At the beginning of the line we add the content below (third line), naming the command that root will be allowed to run over SSH. Save the file with the shortcut Ctrl + X, then press y and confirm with Enter. Finally, restart the SSH server so the changes take effect.

ssh server
sudo nano /root/.ssh/authorized_keys
command="/path/to/command argument1 argument2" ssh-rsa ...

Open the configuration file of the SSH server (first line), look for the directive PermitRootLogin and change it as below (second line). Save the file with the shortcut Ctrl + X, then press y and confirm with Enter. Finally, restart the SSH server (third line) so the changes take effect.

sudo nano /etc/ssh/sshd_config
PermitRootLogin forced-commands-only
sudo systemctl restart ssh.service

From now on the root user will have SSH access to the server only if one of the allowed commands is executed right after login.
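
With a forced command, sshd runs the command= program no matter what the client asks for and passes the client's request in the environment variable SSH_ORIGINAL_COMMAND. An added example (not from the original article) of a gate script that uses this to offer root a short, fixed list of actions; the script path, the action names backup-etc and disk-usage, and the commands behind them are assumptions.

```sh
#!/bin/sh
# Hypothetical gate script for root's forced command. The matching line in
# /root/.ssh/authorized_keys would read (path and key comment are assumptions):
#   command="/usr/local/sbin/ssh-root-gate",restrict ssh-rsa AAAA... backup@client
# "restrict" additionally disables forwarding and PTY allocation for this key.
# The gate never evals the client's string: it is compared, whole, against
# fixed request names, and the argv that runs is chosen on the server.

# gate_decide REQUEST -> prints the action name, or returns 1 (deny)
gate_decide() {
    case $1 in
        backup-etc|disk-usage) printf '%s\n' "$1" ;;
        *) return 1 ;;      # empty (interactive login), unknown, or extra text
    esac
}

# gate_run: entry point when installed as the forced command
gate_run() {
    if ! action=$(gate_decide "${SSH_ORIGINAL_COMMAND-}"); then
        logger -t ssh-root-gate "denied: ${SSH_ORIGINAL_COMMAND-<interactive>}" 2>/dev/null
        echo "ssh-root-gate: request not allowed" >&2
        return 1
    fi
    case $action in
        backup-etc) exec tar -czf - -C / etc ;;   # archive of /etc on stdout
        disk-usage) exec df -h / ;;
    esac
}

# Stand-alone demonstration on constructed requests (the installed script
# would end with a call to gate_run instead of this loop).
for req in "disk-usage" "disk-usage; id" ""; do
    if gate_decide "$req" >/dev/null; then
        echo "allow: [$req]"
    else
        echo "deny:  [$req]"
    fi
done
```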

Summary

We have created SSH keys (private and public) and copied the public part to the server so that we can access the server with a safer method (rather than with username and password). We have also learned how to efficiently secure the SSH server against automated attacks.

Updated on September 5, 2024
