SSH
In computing, Secure Shell or SSH is a set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and (optionally) to allow the remote computer to authenticate the user. SSH provides confidentiality and integrity of data exchanged between the two computers using encryption and message authentication codes (MACs). SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols. An SSH server, by default, listens on the standard TCP port 22. (Referenced from Wikipedia.)
Enabling good security protocols for SSH
Allowing root login via ssh is not secure. We do not want root users logging in at all by default; Debian should be secure, not insecure. Nor do we want to give users 10 minutes to do a quick dictionary password attack on our ssh login. Therefore, it's up to you to limit the time and attempts!
To help make your ssh more secure, simply take your favorite text editor, and open it with root privileges, then open this file:
/etc/ssh/sshd_config
Then we locate the offending items, and change them.
The offending items you need to locate are the following:
Port <desired port>: This must be set to the correct port that you are forwarding from your router. Port forwarding must also be set up in your router. If you don't know how to do that, maybe you shouldn't be using ssh remotely. Debian sets the default to port 22, however it's recommended that you use a port out of the standard scan range. Let's say we use port 5874, so that becomes:
Port 5874
ListenAddress <ip of machine or network interface>: Now, of course, since you are forwarding a port from your router, you need the machine to have a static ip address on the network, unless you are using a dns server locally. But if you're doing something that complicated and need these directions, you are probably making a huge mistake. So let's say it's this:
ListenAddress 192.168.2.134
Next, Protocol 2 is already a Debian default, but check to make sure:
Protocol 2
LoginGraceTime <seconds to allow for login>: This has an absurd default of 600 seconds. It does not take you 10 minutes to type in your user name and password, so let's make that sane:
LoginGraceTime 45
Now you have 45 seconds to log in, and hackers do not have 600 seconds on each attempt to crack your password.
PermitRootLogin <yes>: Why Debian makes PermitRootLogin 'yes' is incomprehensible, so we fix that to 'no':
PermitRootLogin no
StrictModes yes
MaxAuthTries <xxx>: Number of login attempts allowed. You can make it 3 or 4 attempts, but no more than that:
MaxAuthTries 2
You may need to add any of these items if they are not present:
AllowUsers <user names with spaces allowed to access via ssh>
AllowUsers <xxx>: Make an ssh-only user with no rights. Use adduser to add the user, then put their name here, like:
AllowUsers whomevertheuseris
PermitEmptyPasswords <xxx>: Give that user a nice long password that is impossible to guess ever in a million years. That is the only user allowed to ssh in. Once you are in, you can just su to root:
PermitEmptyPasswords no
PasswordAuthentication <xxx>: Obviously, for password login (not key login) you need this to be yes, unless you are using keys:
PasswordAuthentication yes [unless using keys]
Finally:
/etc/init.d/ssh restart
Now you have a somewhat more secure ssh. It is not fully secure, just better, including the creation of an ssh-only user with adduser.
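The check below is an added example, not part of the original manual: a small shell script that audits an sshd_config file against the values recommended in this section. The function names and the sample file are constructed for illustration, and MaxAuthTries is capped at 4, the upper limit named above.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config against the settings recommended above.
# Function names and the sample file are constructed for illustration.

# Effective value of KEYWORD in FILE. sshd keywords are case-insensitive and
# the first occurrence wins, so stop at the first match.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print one line per deviation from the guide; print nothing if all is well.
audit_sshd_config() {
    local f=$1 key want v
    # Exact-match settings taken from the guide.
    while read -r key want; do
        v=$(sshd_value "$f" "$key")
        [ "$v" = "$want" ] || echo "$key: found '${v:-unset}', expected '$want'"
    done <<'EOF'
PermitRootLogin no
PermitEmptyPasswords no
StrictModes yes
EOF
    # Numeric upper bounds: 45 seconds to log in, at most 4 attempts.
    while read -r key want; do
        v=$(sshd_value "$f" "$key")
        case $v in
            ''|*[!0-9]*) echo "$key: found '${v:-unset}', expected plain seconds/count <= $want" ;;
            *) [ "$v" -le "$want" ] || echo "$key: $v exceeds $want" ;;
        esac
    done <<'EOF'
LoginGraceTime 45
MaxAuthTries 4
EOF
    # The guide restricts logins to one dedicated account.
    [ -n "$(sshd_value "$f" AllowUsers)" ] || echo "AllowUsers: not set, every account may log in"
}

# Constructed sample: a partly hardened config. The early lowercase
# 'permitrootlogin yes' overrides the later 'PermitRootLogin no'.
sample=$(mktemp)
printf '%s\n' '# sample sshd_config' 'Port 5874' 'Protocol 2' \
    'LoginGraceTime 600' 'permitrootlogin yes' 'PermitRootLogin no' \
    'StrictModes yes' 'MaxAuthTries 2' 'PermitEmptyPasswords no' > "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

The script reads a single file and does not follow Include directives or Match blocks. On a live system, running sshd -t as root before the restart checks that the edited file is valid.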
Using X Window Applications Via Network Through SSH
Running an application on a remote computer and having its graphical user interface displayed on your local machine.
Presumption:
* Joatha
* local computer's IP: 192.168.1.10/24 (only displaying X11)
* remote computer's IP: 192.168.1.2/24 (actually running X11 application)
Configuration:
On the remote computer change in /etc/hosts.allow a line to add rights for ssh access:
# e.g. allow all local area network addresses to access the ssh server
ssh sshd : 192.168.1.0/24 : ALLOW
On the local computer, open a konsole and enter the command for establishing an ssh connection with X-Forwarding:
ssh -X username@xxx.xxx.xxx.xxx (or IP)
(Enter your ssh password when prompted for it, or the password to the ssh key if you have sent your pub key to the remote and there added it to the user's authorized_keys file.)
Run the X-Application in the shell, for example "firefox":
firefox
Remote access ssh with X-Forwarding from a Windows-PC:
* Download and burn the Cygwin XLiveCD
* Put the CD into the CD-ROM tray of the Windows-PC and wait for the autorun.
Click "continue" until a shell window pops up and enter:
ssh -X username@xxx.xxx.xxx.xxx
Note: xxx.xxx.xxx.xxx is the IP of the linux remote computer or its URL (for example a dyndns.org account), and the username is of course a user account that exists on the remote machine. After successful login, start "kmail" for example and check your mails!
Important: make sure hosts.allow has an entry to allow access from PCs on other networks. If you are behind a NAT firewall or a router, make sure port 22 is forwarded to your linux machine.
SSH with Konqueror
Konqueror and Krusader are both able to access remote data using the fish:// protocol, which is based on the ssh protocol.
How it works:
1) Open a new Konqueror window
2) Enter into the address bar: fish://username@ssh-server.com
Example 1:
fish://Joatha1@my-home-server.dyndns.org (Note: A popup opens that asks for your ssh password, enter it and click OK)
Example 2:
fish://username:password@ssh-server.com
(In this form you will NOT get a popup asking for a password; you will be directly connected.)
The SSH connection now is initialized. With this Konqueror window, you can work with the files (copy/view) that are on the SSH server just as if the files would be in a folder on your local machine.
SSHFS - Mounting Remotely
SSHFS is an easy, fast and secure method that uses FUSE to mount a remote filesystem. The only server-side requirement is a running ssh daemon.
On the client side you probably have to install sshfs:
apt-get update && apt-get install sshfs
Now you must log out and log back in again.
Mounting a remote filesystem is very easy:
sshfs username@remote_hostname:directory local_mount_point
where the username is the account name on the remote host.
If no directory is given, the home directory of the remote user will be mounted. Attention: The colon : is essential even if no directory is given!
After mounting, the remote directory behaves like any other local filesystem: you can browse files, edit them and run scripts on them, just as you can do with a local filesystem.
If you want to unmount the remote host use the following command:
fusermount -u local_mount_point
If you use sshfs frequently, it would be a good choice to add an fstab entry:
sshfs#username@remote_hostname:directory local_mount_point fuse user,noauto 0 0
This will allow every user who is part of the group fuse to mount the filesystem by using the well-known mount command:
mount /path/to/mount/point
With that line in your fstab you can of course use the umount command too:
umount /path/to/mount/point
To check whether you are in that group or not use the following command:
cat /etc/group | grep fuse
You should see something like:
fuse:x:117: <username>
Note: The "id" command will not list you in the "fuse" group until you have logged out and logged back in again.
If your username is not listed, use the adduser command as root:
adduser <username> fuse
Now your username should be listed and you should be able to run the command:
mount local_mount_point
and
umount local_mount_point


