SSH Server

In this section, we'll begin to look at the configuration of the SSH server itself. Typically, the server just works out of the box. That means there is very little configuration necessary. However, a little background information is good to have.

The first thing we need to do is back up the SSH configuration file. The files that control the SSH daemon are in /etc/ssh. Perform the following steps to back up the crucial SSH server configuration file.

  1. Connect to the server via SSH.
  2. `cd /etc/ssh`
  3. `cat sshd_config > sshd_config.bak`

Figure 5.9. Backing Up SSH Config File


The screenshot above shows the process of backing up the config file. The extension in the image is .init, which stands for initial. That means the copy of that file is exactly as it was when the machine was initially configured.

Now that we have a backup of the SSH configuration file, we can always return to the initial configuration of the daemon in case there are problems along the way.

Figure 5.10. SSH Banner Config Statement


You'll need to edit the sshd_config file. Find the line that calls for the banner, as shown above, and copy and/or uncomment it. This is the crucial line to change within the SSH configuration in order to establish the SSH welcome banner.

Figure 5.11. Edit sshd_config for Banner


Begin by editing the banner.txt file.

Figure 5.12. SSH Banner Content



Once you have altered the configuration file, save it and exit. You can edit it with Nano, vi, or the editor of your choice. Next, create the banner.txt file itself: you can download the file, or create it with the content as indicated. When you're finished, you should have a file at /etc/ssh/banner.txt with the content as indicated, and the daemon config file should have been altered. Finally, the daemon must be restarted. See the warning below for how to do this safely.

[Warning] Safely Restarting the SSH daemon

When changing the SSH configuration file itself, the daemon must be restarted. However, if the configuration file is wrong, it is possible to lock yourself out of your own machine. Do the following to prevent this:

  a) Restart the SSH service: `service sshd restart`.
  b) Remain logged in to the machine with the first shell, and log in to the machine with a second shell.
  c) If you can successfully connect via the second shell, all is well.
  d) If you can't connect via the second shell, something is wrong and you can repair it through the first shell connection.

Don't forget this trick when reconfiguring the SSH daemon, because if you get locked out of your own machine, there may be no recourse but to delete the machine and rebuild it.

Figure 5.13. SSH Daemon Restart


The image above shows the SSH daemon restarting successfully. Immediately after this restart is the time to check the connection by launching a second SSH session to the box.

Figure 5.14. Presentation of the SSH Banner


Once you've successfully configured the SSH banner, restarted the daemon, and logged in, you should be presented with the banner as shown above.
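
The backup, banner edit and a pre-restart check from the steps above, as an added shell example (not part of the original course material). The function names are hypothetical; `cp -p` stands in for the page's `cat` redirect, and `sshd -t` is OpenSSH's configuration test mode, a check the page itself does not mention.

```shell
#!/bin/sh
# Added example, not from the original page: back up sshd_config, enable the
# banner, and syntax-check the result before the daemon is restarted.
BANNER_PATH=/etc/ssh/banner.txt      # banner file location used on this page

# backup_config FILE: keep one pristine copy; re-runs never overwrite it.
backup_config() {
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak"
}

# set_banner FILE: turn the first (possibly commented) Banner line into the
# active directive. If there is none, add it before the first Match block,
# because a line appended after "Match" would apply only to that block.
set_banner() {
    tmp=$(mktemp) || return 1
    awk -v path="$BANNER_PATH" '
        !placed && /^[ \t]*#?[ \t]*Banner([ \t]|$)/ {
            print "Banner " path; placed = 1; next
        }
        !placed && /^[ \t]*Match[ \t]/ {
            print "Banner " path; placed = 1
        }
        { print }
        END { if (!placed) print "Banner " path }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# validate_config FILE: "sshd -t" parses the file and exits non-zero on an
# error without touching the running daemon. Needs root on a real host.
validate_config() {
    "$(command -v sshd || echo /usr/sbin/sshd)" -t -f "$1"
}

# Demo on a constructed config in a scratch directory (not a real host file).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' '#Banner none' 'Match User deploy' \
        '    X11Forwarding no' > "$dir/sshd_config"
    backup_config "$dir/sshd_config" && set_banner "$dir/sshd_config"
    cat "$dir/sshd_config"
    rm -rf "$dir"
}
demo

# On the server itself, as root:
#   backup_config /etc/ssh/sshd_config && set_banner /etc/ssh/sshd_config \
#       && validate_config /etc/ssh/sshd_config && service sshd restart
```

A failed `validate_config` stops the chain before the restart, so the running daemon keeps its old, working configuration; the second-shell check from the warning still applies after a successful restart.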

[Important] Importance of SSH Banner

It's important to have an SSH banner for legal reasons. It's like a trespassing sign: without it, a person who logs in can technically argue that they didn't know where they were logged in. In order to cover yourself in case of cyber break-in, create an SSH banner similar to the above.

SSH Access Logs

The handiest configuration and monitoring tools available are the log files. Typical Linux log files are kept in /var/log.

Figure 5.15. Contents of /var/log


The figure above shows the various log files in the default /var/log location. The /var/log/messages file is a general "catch-all" for many log messages. It can be checked and monitored for many circumstances. Try this command: `tail /var/log/messages`. By default, 10 lines are shown. For more information, try `tail -n 25 /var/log/messages`.

Figure 5.16. The 'lastlog' utility


The figure above shows the output of the `lastlog` command/utility. In the screenshot above, many of the accounts say "Never logged in". Most of these accounts are service and system accounts for which login is forbidden. Note that it also shows real user accounts on the system and their last access times.

Figure 5.17. Reading '/var/log/secure'


The /var/log/secure log file shows failed login attempts. The command above shows how to read the output, and the output below shows several failed login attempts. Watch this file for attempted system hacking.

Figure 5.18. Typical Output of '/var/log/secure'

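
One way to watch /var/log/secure for failed logins, as an added shell example (not part of the original course material): it tallies failed password attempts per source address. The log lines are constructed samples in the usual OpenSSH syslog layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: count failed SSH password
# attempts per source address in a /var/log/secure-style file.

# failed_by_source FILE: prints "COUNT ADDRESS" lines, highest count first.
failed_by_source() {
    awk '
        # A failed-password record ends "... from ADDRESS port PORT ssh2".
        # The user name comes from the client and may contain spaces, so the
        # address is located by counting back from the end of the line.
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            count[$(NF-3)]++
        }
        END { for (addr in count) print count[addr], addr }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses, not from a real host).
sample_secure_log() {
    cat <<'EOF'
Mar  3 10:15:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:05 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:15:09 web01 sshd[2215]: Failed password for invalid user test user from 203.0.113.7 port 51144 ssh2
Mar  3 10:16:40 web01 sshd[2290]: Accepted password for student from 198.51.100.20 port 40022 ssh2
Mar  3 10:19:12 web01 sshd[2301]: Failed password for student from 198.51.100.23 port 40100 ssh2
EOF
}

# Run the tally over the sample; the Accepted line is not counted.
demo() {
    log=$(mktemp) || return 1
    sample_secure_log > "$log"
    failed_by_source "$log"
    rm -f "$log"
}
demo

# On the server (root is needed to read the file):
#   failed_by_source /var/log/secure
```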

Additional SSH Configuration

There are several more configuration directives that can be applied to the SSH daemon that will secure it further. They won't be required for this course. If you want to apply them, see the section called "SSH Extras".

SSH Check Point

Send me an email stating that your web server is accessible by SSH.