SSH gives you a remote command line so you can make changes to your Ubuntu system without being in front of it.
SSH options to configure (in /etc/ssh/sshd_config):
- AllowGroups group1 group2
  Only allow members of the specified groups to connect. Remember that your user account probably has a group with the same name as it. This is an important security measure because it stops anyone logging in with system accounts.
- AllowTcpForwarding no
  This only helps if users cannot run their own forwarders from a shell; a user with shell access can forward traffic anyway. It does stop software such as Sequel Pro from connecting to MySQL over SSH.
- PermitRootLogin no
  Blocks root login. Make sure you have a sudo-capable user before setting this!
- PrintMotd no
  When set to yes, sshd prints the contents of /etc/motd when a user connects. Ubuntu's login process already prints it, so leave this at no. Do change /etc/motd though.
- X11Forwarding no
  Disable this if the server has no GUI, or if you want to block X11 forwarding.
SFTP (FTP over SSH)
Traditional FTP is insecure (credentials and data travel in the clear) and can be annoying to set up. SSH already lets you transfer files, but what if you want people other than yourself uploading website files? With a few tweaks to the SSH configuration you can give other users access to a specific directory over SSH rather than to your entire system.
By chrooting a user's login directory away from their home directory, you also break their shell access. Setting the user's shell to /bin/false guarantees no shell access.
Use the following commands to create a group that defines restricted access and open the configuration file for editing:
$ sudo groupadd sftponly
$ sudo nano /etc/ssh/sshd_config
First, change the default sftp server from:
Subsystem sftp /usr/lib/openssh/sftp-server
to:
Subsystem sftp internal-sftp
Then add the following section (note that "Match all" closes the block, so you can put this anywhere; if in doubt, add it to the end of the file):
Match group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
Match all
If you are using key authentication then you will have to create a completely separate directory to store the keys in. Add these lines to your Match block:
    PasswordAuthentication no
    AuthorizedKeysFile /usr/local/share/keys/%u/.ssh/authorized_keys
Place the authorized_keys files under that separate directory, still in a structure like the home directories.
Now you can create a user and add them to the sftponly group:
$ sudo mkdir /home/fred
$ sudo useradd fred -d /home/fred -s /bin/false
$ sudo passwd fred
$ sudo adduser fred sftponly
$ sudo adduser fred www-data
This limits Fred's SFTP access to his home directory. You can then bind-mount his website directory inside his home directory to give him access to it. The fstab line should resemble the following:
/var/sites /home/fred/sites none rw,bind 0 0
Doing it this way means that /home/fred is owned by root. The setup stops working if you make fred the owner of that directory, because sshd refuses to chroot into a directory the user can write to. Fred can still upload files because he is in the www-data group, which owns and can edit the sites directory.
I have since used this method to create a set of sites directories and chrooted the SFTP users directly into those folders, bypassing the home directories entirely.
The directory that the user is chrooted into must be owned by root and must not be writable by fred. This stops fred from breaking out of the chroot.
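As an added example (not code from the original post), a small Python audit that parses sshd_config, including its Match blocks, and reports where a file departs from the options listed at the top of this post and the SFTP chroot block built above. The sample config is constructed and deliberately leaves the default sftp-server binary in place so the audit has something to report.

```python
import re

# Global-section values the post above recommends (keywords lowercased).
RECOMMENDED = {"permitrootlogin": "no", "allowtcpforwarding": "no",
               "x11forwarding": "no", "printmotd": "no"}

# Constructed sample: the config the post builds, with one mistake left in.
SAMPLE_CONFIG = """
AllowGroups admins sftponly
AllowTcpForwarding no
PermitRootLogin no
PrintMotd no
X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server   # should be internal-sftp
Match group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    PasswordAuthentication no
Match all
"""

def parse_sshd_config(text):
    """Return (global_opts, match_blocks); match_blocks is a list of
    (criteria, opts). Like sshd, the first occurrence of a keyword in a
    section wins, and every Match line (including 'Match all') starts a
    new block."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = " ".join(parts[1].split()) if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value.lower(), current))
            continue
        (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def audit_sshd_config(text, sftp_group="sftponly"):
    """Return a list of findings; an empty list means every check passed."""
    g, blocks = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        if g.get(key, "").lower() != want:
            findings.append(f"{key} should be '{want}', found '{g.get(key, 'unset')}'")
    if "allowgroups" not in g:
        findings.append("AllowGroups is unset: any account with a shell can log in")
    if g.get("subsystem", "").lower() != "sftp internal-sftp":
        findings.append("Subsystem sftp should be internal-sftp so ChrootDirectory works")
    sftp_blocks = [o for c, o in blocks if c.startswith(f"group {sftp_group}")]
    if not sftp_blocks:
        findings.append(f"no 'Match group {sftp_group}' block found")
    for opts in sftp_blocks:
        if "chrootdirectory" not in opts:
            findings.append(f"Match group {sftp_group}: ChrootDirectory missing")
        if opts.get("forcecommand", "").lower() != "internal-sftp":
            findings.append(f"Match group {sftp_group}: ForceCommand internal-sftp missing")
    return findings
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; after fixing anything it reports, reload sshd and keep an existing session open while you test a new login.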
On web servers there is an additional concern. Even though you have restricted ports and limited SSH access, attackers will still try to get into your system through SSH by guessing passwords. This is where DenyHosts comes in: it monitors your authentication logs and blocks addresses that make repeated failed attempts, according to its settings.
To install DenyHosts, run the following command:
$ sudo apt-get install denyhosts
The configuration file is at /etc/denyhosts.conf but the defaults should be sufficient.
Other things to do
PuTTY is the Windows client for SSH. WinSCP is a very capable SFTP client, and FileZilla and other FTP clients may also support SFTP.
- Official PuTTY page
- Official WinSCP page
- PuTTY Portable
- WinSCP Portable
- Notes on PuTTY and public/private keys
SSHFS can mount a directory through SSH onto your local system.
Shortcuts when using Linux and Mac SSH clients
$ touch ~/.ssh/config
$ nano ~/.ssh/config
Host <shortcutname>
    HostName <server.com>
    User <username>