How to Enable and Secure SSH on Ubuntu? Quick and Easy Steps
Remote login has been one of the easiest ways to manage servers across the Internet. A secure connection is key to this method, making sure that important data stays safe from online threats. SSH is one of the secure remote login methods, popularly used by enterprises and home users, giving you confidence as you work on your Ubuntu server.
#What is SSH
The Secure Shell Protocol (SSH) is a cryptographic network protocol mainly used for remote login. It lets network services run securely over an unsecured network and was designed for Unix-like systems to replace the insecure Telnet service that was used in the early internet era. SSH uses public-key cryptography to authenticate the communicating parties.
OpenSSH is the most popular SSH implementation used on the Internet. It is open-source and comes with a collection of tools for remote login and secure transfer of files.
#Prerequisites
To follow along with this tutorial, you will need the latest Ubuntu installed and a user with sudo privileges.
#How to Enable SSH on Ubuntu
The steps below cover how to install SSH. We will also show you how to configure your SSH keys and secure your SSH server.
#Upgrade Ubuntu packages
We will first update our package list with the following command:
sudo apt-get update
We now upgrade our packages to make sure we have the latest and patched SSH packages for our Ubuntu version.
sudo apt-get upgrade
#Install OpenSSH
#On your server
Now that our packages have been upgraded, we can install the SSH server, OpenSSH, using the following command:
sudo apt install openssh-server
#On your client workstation
You need to install openssh-client on your client workstation to be able to connect to your SSH server.
sudo apt install openssh-client
#Configure SSH server
By default, the configuration file is located at /etc/ssh/sshd_config
TIP
Type man sshd_config in your terminal prompt to access the SSH daemon configuration file manual and get a full list of options to configure your SSH server.
#Check your configuration file
SSH is often the only way to reach a remote server, so a mistake in the configuration file can lock you out once the new settings are loaded.
To help avoid this issue, you can verify your SSH configuration before loading your new settings.
To verify the configuration, use the following command:
sudo sshd -t -f /etc/ssh/sshd_config
In case of errors in the configuration file, the command will output where the error is located, like the example below:
$ sudo sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 1: no argument after keyword "a"
/etc/ssh/sshd_config: terminating, 1 bad configuration options
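If there is no error in the configuration, the command prints nothing and you can proceed to restart the SSH server, which will reload your SSH configuration.
To restart the SSH server, use the following command. On Ubuntu the systemd unit is named ssh.service; sshd.service is only an alias and is not present on every release.
sudo systemctl restart ssh.service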
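The check-before-restart step above can be wrapped so that a candidate file is only installed once it validates. This is an added example, not part of the original tutorial; the function name apply_sshd_config and the SSHD_CHECK override are hypothetical names introduced here.

```shell
#!/usr/bin/env bash
# Added example: install a candidate sshd_config only if it passes validation.
# SSHD_CHECK is a hypothetical override so the logic can be exercised without
# a real sshd; by default it is the tutorial's own check, "sshd -t -f".
SSHD_CHECK=${SSHD_CHECK:-"sshd -t -f"}

# apply_sshd_config CANDIDATE [LIVE]
# Returns 0 if CANDIDATE was installed as LIVE, 1 if it was rejected.
apply_sshd_config() {
    local candidate="$1" live="${2:-/etc/ssh/sshd_config}" backup=""
    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 1; }

    # Validate the candidate file, not the live one, so a typo never lands
    # in the file sshd reads on its next restart.
    if ! $SSHD_CHECK "$candidate"; then
        echo "validation failed; $live left untouched" >&2
        return 1
    fi

    # Keep a timestamped copy of the working configuration for rollback.
    if [ -e "$live" ]; then
        backup="$live.bak.$(date +%Y%m%d%H%M%S)"
        cp -p "$live" "$backup" || return 1
    fi

    # Install the validated candidate over the live configuration.
    install -m 0644 "$candidate" "$live" || return 1
    echo "installed $candidate as $live${backup:+ (backup: $backup)}"
}
```

Run it as root, then restart the service, and keep your current SSH session open until a second login with the new settings succeeds.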
#Add a banner to your server
SSH server allows you to display a pre-login message, or banner, when someone is attempting a connection to your server. This can be a guide, warning or simply giving public information about your server.
To add a banner to your server, add the Banner directive to your /etc/ssh/sshd_config. For example, to use the file /etc/issue.net as a banner, add the following line to your configuration file:
Banner /etc/issue.net
Restart the server to load the new configuration:
sudo systemctl restart ssh.service
#SSH keys
#Generate keys on client
To make passwordless and more secure connections to your SSH server, you need to generate a pair of SSH keys on your client workstation. The public key will then be copied to your SSH server.
From your client workstation, generate the keys using the following command:
ssh-keygen -t rsa
You can either secure your key with a password or hit Enter to generate the key without a password.
This will generate a private and public key using the RSA algorithm. The generated keys are located in the ~/.ssh/ folder. The private key is id_rsa and the public key is id_rsa.pub.
#Copy keys to server
You can now copy the public key to your SSH server:
ssh-copy-id username@remotehost
This will append your public key to the ~/.ssh/authorized_keys file on your server. The file must have permission 600 for the connection to work.
To set the permission, use the following command on the server:
chmod 600 ~/.ssh/authorized_keys
#Secure the SSH server
To secure the server, we will disable password-based connections.
Add the following directives to your /etc/ssh/sshd_config:
KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
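PasswordAuthentication no disables the password method, while KbdInteractiveAuthentication yes keeps keyboard-interactive methods available, which might be useful in a 2FA setup. Because the two methods in AuthenticationMethods are separated by a comma, a login must complete both: your public key first, then the keyboard-interactive step. On a default Ubuntu install that keyboard-interactive step is handled by PAM, which asks for the account password unless PAM is configured for a second factor.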
Restart your SSH server to reload the configuration:
sudo systemctl restart ssh.service
TIP
Consider installing fail2ban to further secure your SSH server and automatically ban potential attackers. You can also change the default sshd port (22) to reduce connection attempts from automated bots.
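To confirm what the directives in this section actually permit, the following added example (not part of the original tutorial) lists every login path sshd would accept and flags any that does not require a public key. The function name audit_ssh_auth and both sample inputs are constructed for illustration; the input format is the lowercase "keyword value" form printed by sshd -T.

```shell
#!/usr/bin/env bash
# Added example. Reads effective settings in the "keyword value" form that
# `sshd -T` prints and lists every login path sshd would accept.
# Exit status 0: all paths need a public key. 1: some path does not.
audit_ssh_auth() {
    awk '
    { key = tolower($1); $1 = ""; sub(/^ +/, ""); cfg[key] = tolower($0) }
    END {
        methods = cfg["authenticationmethods"]
        if (methods == "" || methods == "any") {
            # No explicit policy: each enabled method is enough on its own.
            methods = ""
            if (cfg["pubkeyauthentication"] != "no") methods = "publickey"
            if (cfg["passwordauthentication"] == "yes") methods = methods " password"
            if (cfg["kbdinteractiveauthentication"] == "yes")
                methods = methods " keyboard-interactive"
        }
        weak = 0
        n = split(methods, lists, " ")        # space = alternative paths
        for (i = 1; i <= n; i++) {
            haskey = 0
            m = split(lists[i], parts, ",")   # comma = all required, in order
            for (j = 1; j <= m; j++) {
                sub(/:.*/, "", parts[j])      # drop submethod, e.g. ":pam"
                if (parts[j] == "publickey") haskey = 1
            }
            printf "%-4s  %s\n", (haskey ? "OK" : "WEAK"), lists[i]
            if (!haskey) weak = 1
        }
        exit weak
    }'
}

# Constructed sample: this section's directives as sshd -T would print them.
PAGE_CONFIG='passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive'

# Constructed sample: same switches, but no AuthenticationMethods policy.
NO_POLICY='passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods any'
```

On a server, feed it the live settings with sudo sshd -T | audit_ssh_auth. The second sample shows that turning off PasswordAuthentication alone still leaves a keyboard-interactive path that needs no key.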
#Conclusion
In this tutorial, we have covered what SSH is and how to install an SSH server on Ubuntu. We have also covered the basic configuration needed to run and secure your server, including generating your SSH keys. For more information about SSH configuration on Ubuntu, refer to the official Ubuntu OpenSSH Server configuration.