User Tools

Site Tools


ubuntu:ssh:configuring_sshd

Ubuntu - SSH - Configuring sshd

First, make a backup of your sshd_config file by copying it to your home directory, or by making a read-only copy in /etc/ssh by doing:“

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults

Disable logins for the **root** user, only allow login for the core user and disable password based authentication.

permissions: 0600 owner: root:root

/etc/ssh/sshd_config
# Use most defaults for sshd configuration.
UsePrivilegeSeparation sandbox
Subsystem sftp internal-sftp
 
PermitRootLogin no
AllowUsers core
PasswordAuthentication no
ChallengeResponseAuthentication no

Changing the sshd port

With socket-activated SSH by default. The configuration for this can be found at /usr/lib/systemd/system/sshd.socket.

/usr/lib/systemd/system/sshd.socket
[Socket]
ListenStream=2222
FreeBind=true
Accept=yes

sshd will now listen only on port 2222 on all interfaces when the system is built.

Multiple ListenStream lines can be specified, in which case sshd will listen on all the specified sockets:

/usr/lib/systemd/system/sshd.socket
[Socket]
ListenStream=2222
ListenStream=10.20.30.40:2223
FreeBind=true

sshd will now listen to port 2222 on all configured addresses, and port 2223 on 10.20.30.40.

The complete contents of /etc/systemd/system/sshd.socket would now be:

/etc/systemd/system/sshd.socket
[Unit]
Description=OpenSSH Server Socket
Conflicts=sshd.service
 
[Socket]
ListenStream=2222
ListenStream=10.20.30.40:2223
FreeBind=true
Accept=yes
 
[Install]
WantedBy=sockets.target

Activating changes

After the edited file is written to disk, you can activate it without rebooting with:

sudo systemctl daemon-reload

We now see that systemd is listening on the new sockets:

systemctl status sshd.socket

Returns

● sshd.socket - OpenSSH Server Socket
   Loaded: loaded (/etc/systemd/system/sshd.socket; disabled; vendor preset: disabled)
   Active: active (listening) since Wed 2015-10-14 21:04:31 UTC; 2min 45s ago
   Listen: [::]:2222 (Stream)
           10.20.30.40:2223 (Stream)
 Accepted: 1; Connected: 0
...

And if we attempt to connect to port 22 on our public IP, the connection is rejected, but port 2222 works:

ssh core@[public IP]
ssh: connect to host [public IP] port 22: Connection refused
$ ssh -p 2222 core@[public IP]
Enter passphrase for key '/home/user/.ssh/id_rsa':
ubuntu/ssh/configuring_sshd.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki