Enable and Configure SSH on Ubuntu 22.04 | Easy Steps

By Posted on

Enable and Configure SSH on Ubuntu 22.04 | Easy Steps

Enable and Configure SSH on Ubuntu 22.04 | Easy Steps

In this guide, we aim to provide a comprehensive walkthrough on how to Enable and Configure SSH on Ubuntu 22.04. SSH, or Secure Shell, is a crucial network communication protocol that enables secure data exchange and communication between two computers. Unlike HTTP (Hypertext Transfer Protocol), which is commonly used for transferring web pages, SSH encrypts the communication, making it suitable for use on insecure networks.

SSH is frequently utilized for remote login and execution of operations on remote computers. It can also be used to securely transfer data. Follow the steps detailed below to complete your SSH setup on Ubuntu 22.04.

Before proceeding, ensure you are logged in to your server as a non-root user with sudo privileges and have set up a basic firewall. You can refer to our guide on Initial Server Setup with Ubuntu 22.04 for assistance.

1. Install OpenSSH on Ubuntu 22.04

First, update your local package index using the following command:

sudo apt update

By default, SSH is usually installed on Ubuntu 22.04. You can verify this by running the following command:

ssh -V
**Output**
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022

Note: This output confirms the presence of the SSH client, allowing you to connect to SSH servers. It doesn’t necessarily indicate that an SSH server is running on your machine.

To install the OpenSSH server, execute the following command:

sudo apt install openssh-server -y

After the installation is complete, enable the SSH service to start automatically on boot:

sudo systemctl enable ssh

Check the status of your SSH service with this command:

sudo systemctl status sshd

The output should resemble the image provided in the original article, indicating the SSH service is active and running.

Check SSH Server status

2. Configure Firewall for SSH Server on Ubuntu 22.04

By default, the SSH server listens on port 22, the standard SSH port. You can confirm this using the netstat command:

netstat -tulpn | grep 22
Verify SSH server is listening on port 22

To allow SSH traffic through the UFW firewall on Ubuntu 22.04, run the following command:

sudo ufw allow ssh

Check the UFW status to verify the rule:

sudo ufw status
allow SSH traffic on the UFW firewall

3. Configure SSH Server on Ubuntu 22.04

The SSH configuration files are located in the /etc/ssh directory. This directory contains various files, with the most important being sshd_config, the SSH server configuration file.

Let’s focus on configuring the server aspect.

Change SSH Default Port

Changing the default SSH port on Ubuntu 22.04 is a recommended security practice. Open the sshd_config file using a text editor like vi:

sudo vi /etc/ssh/sshd_config

Find the Port line, uncomment it, and modify it to your desired port number. In this example, we change it to 2222:

Port 2222

Save the changes and close the file.

Note: When changing the default SSH port, remember to specify the new port when connecting to the server.

Disable Root Login on your SSH Server

On recent Ubuntu distributions, root login is typically set to prohibit-password by default. This setting restricts interactive authentication methods, allowing only public key authentication.

To connect as root, you would need to set up SSH keys and use them for authentication. It’s generally recommended to disable root login entirely for enhanced security. If keys are compromised, your whole host is compromised.

To completely disable root login, set the PermitRootLogin option to no. Open the SSH server configuration file:

sudo vi /etc/ssh/sshd_config

Find the following line and set it to no:

PermitRootLogin no

Save and close the file.

To apply these configuration changes, restart the SSH service:

sudo systemctl restart sshd

Verify the port change using netstat:

netstat -tulpn | grep 2222
Verify SSH change port

How To Connect to SSH Server?

Now, you can connect to your SSH server using the following command:

ssh -p <port> <username>@<ip_address>

For example, to connect to an instance located at 127.0.0.1 on port 2222, run:

ssh -p 2222 <user>@127.0.0.1

You will be prompted to provide your password and verify the server’s authenticity.

To disconnect from the SSH server on Ubuntu 22.04, press Ctrl + D or type logout.

Disable the SSH server

If you need to disable the SSH server, use the following command:

sudo systemctl stop sshd

Check the SSH service status:

sudo systemctl status sshd
Disable the SSH server

After executing this command, the SSH server will no longer be accessible.

Conclusion

This tutorial covered how to enable and configure your SSH server on Ubuntu 22.04. You also learned how to configure your SSH server to enhance its security against basic attacks. With the help of this tutorial, you can enable and configure your SSH server on Ubuntu 22.04 more securely.

Alternative Solutions for Secure SSH Access

While the above guide provides a solid foundation for setting up SSH, here are two alternative approaches to further enhance security and manage SSH access:

1. Using SSH Certificate Authentication

Instead of relying solely on passwords or even SSH keys, SSH certificate authentication offers a more robust and scalable solution. With certificate authentication, a Certificate Authority (CA) signs user keys. The SSH server is configured to trust the CA. When a user attempts to connect, the server verifies that the user’s key is signed by the trusted CA.

  • Explanation: This approach simplifies key management, as you only need to manage the CA. It also provides an easy way to revoke access – simply revoke the user’s certificate through the CA. Compromised user keys are less of a concern, as they cannot be used without a valid certificate from the CA.

  • Steps:

    1. Create a CA key and certificate: Use ssh-keygen to generate a CA key pair. Keep the private key extremely secure.

      ssh-keygen -t rsa -b 4096 -f ca_key

    2. Create user keys: Generate SSH key pairs for each user.

      ssh-keygen -t rsa -b 4096 -f user1_key

    3. Sign user keys: Use ssh-keygen to sign the user’s public key with the CA.

      ssh-keygen -s ca_key -I user1 -n user1 user1_key.pub

    4. Configure the SSH server: Add the CA’s public key to the TrustedUserCAKeys directive in /etc/ssh/sshd_config.

      TrustedUserCAKeys /etc/ssh/ca_key.pub

    5. Distribute user certificates: Give each user their signed certificate (e.g., user1_key-cert.pub) and private key (e.g., user1_key). The user places these files in their .ssh directory.

    6. Restart the SSH server: sudo systemctl restart sshd

Now, users can connect using their certificate-signed keys without needing to enter a password. Enabling and configuring your SSH server on Ubuntu 22.04 using this method adds a layer of security.

2. Using Port Knocking

Port knocking is a method to externally open ports on a firewall by sending a sequence of connection attempts on a set of pre-defined closed ports. Once the correct sequence of port "knocks" is received, the firewall rules are dynamically modified to allow the attacker’s IP address to connect to the SSH port.

  • Explanation: This adds an extra layer of obscurity to your SSH server. An attacker scanning for open ports will not find SSH listening on port 22 (or any other standard port), as the port remains closed until the correct knock sequence is received. Enabling and configuring your SSH server on Ubuntu 22.04 will become more difficult for potential hackers.

  • Steps:

    1. Install knockd:

      sudo apt install knockd

    2. Configure knockd: Edit /etc/knockd.conf to define the knock sequence and the command to open the SSH port. Replace eth0 with your network interface.

      [options]
        UseSyslog

[openSSH]
        sequence      = 7000,8000,9000
        seq_timeout   = 5
        command       = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags      = syn

[closeSSH]
        sequence      = 9000,8000,7000
        seq_timeout   = 5
        command       = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags      = syn

    3. Configure iptables: Ensure that the default policy for incoming connections is DROP or REJECT.

      sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

    4. Edit /etc/default/knockd: Set START_KNOCKD=1 to enable knockd on boot.

    5. Start knockd:

      sudo systemctl enable knockd
sudo systemctl start knockd

    6. Connect: Use a port knocking client (like knock) to send the correct sequence of packets to the defined ports. After the sequence is successful, your IP address will be allowed to connect to the SSH port. Enable and configure your SSH server on Ubuntu 22.04 and test the configuration by knocking and then attempting to connect via SSH.

These alternative solutions, combined with the basic configuration outlined in the original guide, can significantly improve the security of your SSH server on Ubuntu 22.04.

Related posts:

Leave a Reply

Your email address will not be published. Required fields are marked *