How to Install and Secure OpenSSH on Ubuntu 24.04: Complete Step-by-Step Guide

OpenSSH is a free and open-source implementation of the Secure Shell (SSH) protocol. It provides a suite of tools for secure remote access and file transfer between computers over a network.

Unlike older tools like telnet or rcp, which transmit data in plain text, OpenSSH encrypts all traffic, protecting against eavesdropping, connection hijacking, and other attacks. This makes it ideal for secure remote administration of servers, secure file transfers using SFTP (SSH File Transfer Protocol), and other secure network operations.

This guide provides a step-by-step walkthrough on how to install OpenSSH on Ubuntu and similar Linux distributions (like Debian, Linux Mint, etc.).

Read: How to Install Plex on Ubuntu 22.04

OpenSSH Installation Steps on Ubuntu

Installing OpenSSH on Ubuntu is a straightforward process, requiring only a few simple commands.

1. Update Your Package List: Before installing any new software, it’s crucial to update your system’s package list. This ensures you’re getting the latest available version of OpenSSH. Execute the following command in your terminal:

   sudo apt update

2. Install the OpenSSH Server Package: Now, you can install the openssh-server package. This package contains the necessary files and configurations for running an SSH server on your Ubuntu machine. Use the following command:

   sudo apt-get install openssh-server

Read: How to set up a UFW on Ubuntu 22.04

After the installation completes, the SSH service should start automatically. To verify the installed OpenSSH version, run:

ssh -V

To confirm that the SSH service is running correctly, use the systemctl command:

sudo systemctl status ssh

If the service is not running, you can enable and start it with the following commands:

systemctl enable ssh

systemctl start ssh

With the SSH service running, you can now connect to your Ubuntu machine from any other computer with an SSH client. Most Linux and macOS systems have built-in SSH clients.

Enabling Network Connection to SSH (Local Network Access)

To connect to your Ubuntu system over your local area network (LAN), use the following command from a remote machine:

ssh username@ip_address

Replace username with your actual username on the Ubuntu machine and ip_address with the Ubuntu machine’s IP address. To find your Ubuntu machine’s IP address, use the ip command:

ip a

Once you have the IP address, go back to the remote machine and execute:

ssh your_username@your_ip

The first time you connect to a new SSH server, you’ll receive a message asking if you want to continue connecting. This is a security measure to ensure you’re connecting to the correct machine.

Type yes and press Enter. You’ll then see a message similar to:

Enter your password for the user account on the Ubuntu machine. After successful authentication, you’ll be logged in and see a welcome message

ssh net2@10.0.2.15

You are now successfully logged in to your Ubuntu machine via SSH.

Read: Network configuration in Ubuntu

Connecting to SSH Over the Internet (Remote Access)

To connect to your Ubuntu machine from outside your local network (i.e., over the Internet), you’ll need to configure port forwarding on your router and know your public IP address.

To find your public IP address, you can use a service like https://whatismyipaddress.com.

Next, you need to configure port forwarding on your router. This process varies depending on your router model. Generally, you’ll need to:

1. Log in to your router’s administration interface (usually by entering its IP address in a web browser).
2. Find the “Port Forwarding” or “Virtual Server” section.
3. Create a new rule that forwards external port 22 (or a custom port if you choose to change the default SSH port) to the internal IP address of your Ubuntu machine (the one you found using ip a) and port 22.

Refer to your router’s documentation for specific instructions. Once port forwarding is set up, you can connect using:

ssh your_username@your_public_ip_address

Using VNC over SSH (Secure VNC Tunneling)

If you use Virtual Network Computing (VNC) for graphical remote desktop access, you can enhance security by tunneling the VNC connection through SSH. This encrypts the VNC traffic, protecting it from interception. To create an SSH tunnel for VNC, use the following command:

ssh -L 5901:localhost:5901 -N -f -l username hostname_or_IP

Here’s a breakdown of the command options:

• ssh: Starts the SSH client.
• -L 5901:localhost:5901: Specifies local port forwarding. This forwards connections to port 5901 on your local machine (localhost) to port 5901 on the remote machine (also referred to as localhost in this context, meaning the remote machine itself). VNC typically uses port 5900 + display number (e.g., 5901 for display :1).
• -N: Instructs SSH not to execute a remote command. We only want to forward ports.
• -f: Sends SSH to the background after authentication, allowing you to continue using your terminal.
• -l username: Specifies the username to use for logging in to the remote SSH server.
• hostname_or_IP: The hostname or IP address of the remote machine running the VNC server.

Security Best Practices for OpenSSH

To enhance the security of your OpenSSH server and protect it from unauthorized access, consider the following best practices:

• Change the Default SSH Port: The default SSH port (22) is a common target for automated attacks. Changing it to a non-standard port (e.g., 2222, 21396) can significantly reduce the number of automated attacks. Edit the /etc/ssh/sshd_config file and change the Port directive. Remember to update your firewall and port forwarding rules accordingly.
• Use SSH Key Pairs for Authentication: Password-based authentication is vulnerable to brute-force attacks. SSH key pairs provide a much more secure authentication method. Generate a key pair (using ssh-keygen), copy the public key to the ~/.ssh/authorized_keys file on the server, and disable password authentication (see below).
• Disable Password Authentication: Once you have key-based authentication working reliably, disable password authentication in /etc/ssh/sshd_config by setting PasswordAuthentication no. This prevents attackers from trying to guess passwords.
• Disable Root Login: Allowing direct root login via SSH is generally a bad practice. Disable root login in /etc/ssh/sshd_config by setting PermitRootLogin no. Instead, log in as a regular user and use sudo or su to gain root privileges when needed.
• Use TCP Wrappers (Optional): TCP wrappers provide an additional access control layer. You can use the /etc/hosts.allow and /etc/hosts.deny files to specify which hosts or IP addresses are allowed or denied access to your SSH server. For example, to allow access only from a specific IP address (192.168.1.100), you would add the following to /etc/hosts.allow:

  sshd: 192.168.1.100

  And to /etc/hosts.deny:

  sshd : ALL
  ALL : ALL

• Use a Firewall: A firewall (like UFW on Ubuntu) is essential for controlling network traffic. Configure your firewall to allow only necessary traffic, including SSH traffic on your chosen port.
• Keep OpenSSH Updated: Regularly update your system (including OpenSSH) to patch any security vulnerabilities. Use sudo apt update && sudo apt upgrade to keep your system up-to-date.
• Consider Fail2ban: Fail2ban is a service that monitors log files for failed login attempts and automatically blocks IP addresses that exhibit malicious behavior, such as repeated failed SSH login attempts. This can help mitigate brute-force attacks.

By implementing these security measures, you can significantly reduce the risk of unauthorized access to your Ubuntu system via SSH. Always prioritize security when setting up remote access.

 

The post How to Install and Secure OpenSSH on Ubuntu 24.04: Complete Step-by-Step Guide appeared first on net2.