User manual on how to use SSH to connect to a remote server in Linux

introduction


Introduction

Accessing machines remotely became a necessity a long time ago and we can barely imagine how it would be if we couldn’t control computers from remote locations. There are many ways to establish a connection with a remote machine depending on the operating system you are running, but the two most used protocols are:

Secure Shell (SSH) for Linux-based machines Remote Desktop Protocol (RDP) for Windows-based machines The two protocols use the client and server applications to establish a remote connection. These tools allow you to gain access and remotely manage other computers, transfer files, and do virtually anything you can do while physically sitting in front of the machine.

User manual on how to use SSH to connect to a remote server in Linux Prerequisites

Before you can establish a secure remote desktop protocol with a remote machine, there are a few basic 'requirements' to meet:

  • The remote computer must be turned on at all times and have a network connection.
  • The client and server applications need to be installed and enabled.
  • You need the IP address or the name of the remote machine you want to connect to.
  • You need to have the necessary permissions to access the remote computer.
  • Firewall settings need to allow the remote connection. What is SSH? Secure Shell, sometimes referred to as Secure Socket Shell, is a protocol which allows you to connect securely to a remote computer or a server by using a text-based interface.

When a secure SSH connection is established, a shell session will be started, and you will be able to manipulate the server by typing commands within the client on your local computer.

System and network administrators use this protocol the most, as well as anyone who needs to manage a computer remotely in a highly secure manner.

How Does SSH Work?

In order to establish an SSH connection, you need two components: a client and the corresponding server-side component. An SSH client is an application you install on the computer which you will use to connect to another computer or a server. The client uses the provided remote host information to initiate the connection and if the credentials are verified, establishes the encrypted connection.

On the server’s side, there is a component called an SSH daemon that is constantly listening to a specific TCP/IP port for possible client connection requests. Once a client initiates a connection, the SSH daemon will respond with the software and the protocol versions it supports and the two will exchange their identification data. If the provided credentials are correct, SSH creates a new session for the appropriate environment.

The default SSH protocol version for SSH server and SSH client communication is version 2.

How to Enable an SSH Connection

Since creating an SSH connection requires both a client and a server component, you need to make sure they are installed on the local and the remote machine, respectively. An open source SSH tool—widely used for Linux distributions— is OpenSSH. Installing OpenSSH is relatively easy. It requires access to the terminal on the server and the computer that you use for connecting. Note that Ubuntu does not have SSH server installed by default.

How to Install an OpenSSH Client Before you proceed with installing an SSH client, make sure it is not already installed. Many Linux distributions already have an SSH client. For Windows machines, you can install PuTTY or any other client of your choice to gain access to a server.

To check if the client is available on your Linux-based system, you will need to:

Load an SSH terminal. You can either search for “terminal” or press CTRL + ALT + T on your keyboard. Type in ssh and press Enter in the terminal. If the client is installed, you will receive a response that looks like this: username@host:~$ ssh Example

usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]

`username@host:~$`

This means that you are ready to remotely connect to a physical or virtual machine. Otherwise, you will have to install the OpenSSH client:

Run the following command to install the OpenSSH client on your computer: sudo apt-get install openssh-client Type in your superuser password when asked. Hit Enter to complete the installation. You are now able to SSH into any machine with the server-side application on it, provided that you have the necessary privileges to gain access, as well as the hostname or IP address.

How to Install an OpenSSH Server In order to accept SSH connections, a machine needs to have the server-side part of the SSH software toolkit.

If you first want to check if OpenSSH server is available on the Ubuntu system of the remote computer that needs to accept SSH connections, you can try to connect to the local host:

Open the terminal on the server machine. You can either search for “terminal” or press CTRL + ALT + T on your keyboard. Type in ssh localhost and hit enter. For the systems without the SSH server installed the response will look similar to this:

username@host:~$ ssh localhost ssh: connect to host localhost port 22: Connection refused username@host:~$

If the above is the case, you will need to install the OpenSSH server. Leave the terminal open and:

Run the following command to install the SSH server: sudo apt-get install openssh-server ii.

Type in your superuser password when asked. Enter and Y to allow the installation to continue after the disk space prompt. The required support files will be installed, and then you can check if the SSH server is running on the machine by typing this command:

sudo service ssh status

The response in the terminal should look similar to this if the SSH service is now running properly:

username@host:-$ sudo service ssh status • ssh.service - OpenBSD Secure Shell server Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enab Active: active (running) since Fr 2018-03-12 10:53:44 CET; 1min 22s ago Process: 1174 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCES

Main PID: 3165 (sshd)

Another way to test if the OpenSSH server is installed properly and will accept connections is to try running the ssh localhost command again in your terminal prompt. The response will look similar to this screen when you run the command for the first time:

username@host:~$ ssh localhost

The authenticity of host 'localhost (127.0.0.1)' can't be established. ECDSA key fingerprint is SHA256:9jqmhko9Yo1EQAS1QeNy9xKceHFG5F8W6kp7EX9U3Rs. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

username@host:~$

Enter yes or y to continue.

Congratulations! You have set up your server to accept SSH connection requests from a different computer using an SSH client.

TIP

You can now edit the SSH daemon configuration file, for example, you can change the default port for SSH connections. In the terminal prompt, run this command:

sudo nano /etc/ssh/sshd_config

The configuration file will open in the editor of your choice. In this case, we used Nano.

If you need to install Nano, run this command:

sudo apt-get install nano

Please note that you need to restart SSH service every time you make any changes to the sshd_config file by running this command:

sudo service ssh restart

How to Connect via SSH Now that you have the OpenSSH client and server installed on every machine you need, you can establish a secure remote connection with your servers. To do so:

Open the SSH terminal on your machine and run the following command: ssh your_username@host_ip_address

If the username on your local machine matches the one on the server you are trying to connect to, you can just type: ssh host_ip_address And hit Enter. Type in your password and hit Enter. Note that you will not get any feedback on the screen while typing. If you are pasting your password, make sure it is stored safely and not in a text file. When you are connecting to a server for the very first time, it will ask you if you want to continue connecting. Just type yes and hit Enter. This message appears only this time since the remote server is not identified on your local machine. An ECDSA key fingerprint is now added and you are connected to the remote server. If the computer you are trying to remotely connect to is on the same network, then it is best to use the private IP address instead of the public IP address. Otherwise, you will have to use the public IP address only. Additionally, make sure that you know the correct TCP port OpenSSH is listening to for connection requests and that the port forwarding settings are correct. The default port is 22 if nobody changed configuration in the sshd_config file. You may also just append the port number after the host IP address.

Here is the example of a connection request using the OpenSSH client. We will specify the port number as well:

username@machine:~$ ssh phoenixnap@185.52.53.222 –p7654 phoenixnap@185.52.53.222’s password:

The authenticity of host '185.52.53.222 (185.52.53.222)' can't be established. ECDSA key fingerprint is SHA256:9lyrpzo5Yo1EQAS2QeHy9xKceHFH8F8W6kp7EX2O3Ps. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added ' 185.52.53.222' (ECDSA) to the list of known hosts.

username@host:~$

You are now able to manage and control a remote machine using your terminal. If you have trouble connecting to a remote server, make sure that:

The IP address of the remote machine is correct. The port SSH daemon is listening to is not blocked by a firewall or forwarded incorrectly. Your username and password are correct. The SSH software is installed properly. Note: If SSH responds with a message “Connection refused”, please refer to our article How To Fix The SSH “Connection Refused” Error for possible reasons and solutions.

SSH Further Steps Now that you are able to establish a connection to your server using SSH, we highly recommend a few further steps to improve SSH security. When you leave the setup with the default values, it is more likely to be hacked and your server can easily become a target of scripted attacks.

Some of the suggestions for hardening SSH by editing the sshd configuration file include:

Change the default TCP port where SSH daemon is listening. Change it from 22 to something much higher, for example 24596. Make sure you do not use a port number that is easy to guess, such as 222, 2222 or 22222. Use SSH key pairs for authentication for passwordless SSH login. They are both safer and also allow logging in without the need to use your password (which is faster and more convenient). Disable password-based logins on your server. If your password gets cracked, this will eliminate the possibility of using it to log into your servers. Before you disable the option to log in using passwords, it is important to make sure that authentication using key pairs is working properly. Disable root access to your server and use a regular account with the su – command to switch to a root user. You can also use TCP wrappers to restrict access to certain IP addresses or hostnames. Configure which host can connect using TCP wrappers by editing the /etc/hosts.allow and etc/hosts.deny files.

Note that allowed hosts supersede the denied hosts. For example, to allow SSH access to a single host you will first deny all hosts by adding these two lines in the etc/hosts.deny:

sshd : ALL ALL : ALL

Then, in the etc/hosts.allow add a line with the allowed hosts for the SSH service. That can be a single IP address, an IP range, or a hostname: sshd : 10.10.0.5, LOCAL.

Make sure to keep your log in information secure at all times and to apply security at multiple layers. Use different methods to limit SSH access to your servers, or use services that will block anyone who tries to use brute force to gain access to your servers. Fail2ban is one example of such service.

VNC Over SSH For users who are used to working in a graphical desktop environment with Virtual Network Computing (VNC), it is possible to completely encrypt connections using SSH tunneling. In order to tunnel VNC connections over SSH, you will need to run this command in the terminal on your Linux or UNIX machine:

$ ssh -L 5901:localhost:5901 -N -f -l username hostname_or_IP

Here is the breakdown of the command above:

ssh : this starts the SSH client program on your local machine and enables secure connection to the SSH server on a remote computer. -L 5901:localhost:5901 : states that the local port for the client on the local machine is to be forwarded to the specified host and port of the remote machine. In this case, local port 5901 on the local client is being forwarded to the same port of the given remote server. -N : instructs to only forward ports, and not to execute a remote command. -f : sends SSH to background after the password is provided, just before the command is executed. Then, you can freely use the terminal to type commands on the local machine. -l username : the username you insert here will be used for logging in to the remote server you specified. hostname_or_IP : this is the remote system with a VNC server. An example of an IP address would be 172.16.0.5 and the example of a hostname would be myserver.somedomain.com. You can also connect to a remote server via SSH tunnel from a Windows machine by using PuTTY. In the PuTTY configuration window:

ssh putty configuration Go to Connection -> SSH -> Tunnels In the Source port field type in 5901 In the Destination field type in localhost:5901 Start the SSH session as you normally would. Connect to your server with a VNC client of your choice.