🎛️ 168. Configure and Secure SSH

📑 Table of Contents

🔑 What is SSH?
🛠️ How to Install SSH?
🔧 How to Configure SSH?
Timeout and Idle Session Control
Disable Root Login
Disable Empty Passwords
Limit User's SSH Access
Change SSH Port
🔒 SSH-Keys - Access Remote Server without Password
Generate and Configure SSH-Keys
Passwordless Login Setup
📝 Summary of Lessons (Scripts)
Script 1: Change SSH Port Every Hour
Script 2: Synchronize SSH Port (Client-side)

🔑 What is SSH?

SSH stands for Secure Shell. It provides a secure way to access and manage Linux systems remotely by sending encrypted commands from a client to the server. It acts as a bridge, allowing you to communicate with your system and instruct the kernel to manage hardware.

graph TD;
    A[User] -->|SSH Connection| B[Linux System];
    B --> C[Kernel];
    C --> D[Hardware Management];

🛠️ How to Install SSH?

To install SSH, follow these steps depending on your Linux distribution:

Debian/Ubuntu:

sudo apt update
sudo apt install openssh-server

CentOS/RHEL:
```
sudo yum install openssh-server
```

Once installed, start the SSH service:

sudo systemctl start sshd

🔧 How to Configure SSH?

Edit SSH Configuration File

The main configuration file for SSH is located at /etc/ssh/sshd_config. Here's how to configure some key settings:

Become the root user:
```
sudo su
```
Open the SSH config file:
```
nano /etc/ssh/sshd_config
```
ClientAliveInterval: Set the idle timeout interval (in seconds):
```
ClientAliveInterval 600
```
ClientAliveCountMax: The maximum number of messages sent before terminating the session:
```
ClientAliveCountMax 0
```
Restart the SSH service:
```
sudo systemctl restart sshd
```

graph TD;
    ConfigFile[sshd_config] -->|Client Settings| SSHService[SSH Service];
    SSHService --> Timeout[User Timeout];
    SSHService --> RestrictRoot[Root Login Restriction];

🔒 Securing SSH

Disable Root Login: Disable root access to reduce the risk of brute-force attacks:
```
PermitRootLogin no
```
Disable Empty Passwords: Prevent users with empty passwords from logging in:
```
PermitEmptyPasswords no
```
Limit SSH Access to Specific Users: Specify which users can access the system via SSH:
```
AllowUsers user1 user2
```
Use a Different Port: Change the default SSH port (22) to something less common to avoid automated attacks:
```
Port 2022
```

🎛️ 169. SSH-Keys - Access Remote Server without Password

🔐 What are SSH-Keys?

SSH keys provide a secure, password-less way to access remote servers. They use public-key cryptography for authentication, enabling automated scripts and frequent logins without needing a password.

graph TD;
    A[Client] -->|SSH-Key| B[Server];
    B --> D[Login Success];

Why Use SSH-Keys?

🕒 Repetitive Logins: Frequent logins without needing to type your password.
🤖 Automation: Useful in scripts where manual password input isn't ideal.

🛠️ How to Generate SSH-Keys?

Generate an SSH key pair:
```
ssh-keygen -t rsa -b 4096
```
You will be prompted to save the keys and optionally provide a passphrase.
Copy the public key to the remote server:
```
ssh-copy-id user@server
```
Log in without a password:
```
ssh user@server
```

graph TD;
    A[Generate SSH Key] -->|ssh-keygen| B[Public Key & Private Key];
    B -->|ssh-copy-id| C[Remote Server];
    C --> D[Passwordless Login];

📝 Summary of Lessons (Scripts)

Script 1: Change SSH Port Every Hour

#!/bin/bash
# Random SSH port based on time (Example: every hour)

SEED=$(date +%Y%m%d%H)  # Use current date and hour as seed
MIN_PORT=1025
MAX_PORT=65535

PORT=$(( SEED % (MAX_PORT - MIN_PORT + 1) + MIN_PORT ))

# Update the SSH configuration
sudo sed -i "s/^Port.*/Port $PORT/" /etc/ssh/sshd_config
sudo systemctl reload sshd

echo "SSH port changed to: $PORT"

Script 2: Synchronize SSH Port (Client-side)

#!/bin/bash
# Predict SSH port based on time

SEED=$(date +%Y%m%d%H)
MIN_PORT=1025
MAX_PORT=65535

PORT=$(( SEED % (MAX_PORT - MIN_PORT + 1) + MIN_PORT ))

echo "Current SSH port is: $PORT"
ssh -p $PORT user@server