In this article we will go over how to install and enable SSH on an Ubuntu server. We’ll also cover how to further secure your server’s SSH access with some basic port changes and firewall configuration adjustments.
What is SSH?
SSH (Secure Shell Protocol) is a popular way of making secure connections to remote Linux servers and is an essential tool for Linux administration.
Once access is gained by a user on a remote server using SSH, the user is then able to carry out any tasks on that remote machine using the command line interface. These tasks can include editing or copying files, software installations, database administration and more.
How does SSH work?
When you first make an SSH connection to a remote machine, there is a pair of secure keys created by the host server (public and private keys). The server will send one of these keys (public key) back to the user’s local machine and the other key (private key) will be kept on the server.
Once a connection is initiated from your local machine to a remote server using SSH, the connecting client will create a session key based off the public key the server provided previously. The server will then take this session key and decrypt it against the private key kept on the remote server which is paired with your public key.
If the decryption on that session key is a success then the connection is complete and you’ve been authenticated for access on the remote server from your local machine.
In this article we will go over how to install OpenSSH server, which is an open source version of SSH and will allow us to remotely access our Ubuntu system.
Note: All the commands below in this guide are shown running as ‘root’, which is the admin user in Linux. If you do not have access as the root user and instead have access as a user with sudo privileges, you will just need to add ‘sudo’ before each command (as shown at the end of step 1).
How to enable SSH on Ubuntu?
1. Update the Ubuntu server
Before installing SSH, we will first run a quick update on the Ubuntu system to prepare for the openssh server package install. To update Ubuntu, enter the following command:
$ apt update -y
As mentioned prior, if you cannot run this as the root user but have a user with sudo privileges, use ‘sudo’ in the beginning of each command such as below:
$ sudo apt update -y
2. Install OpenSSH server (SSH):
Now that our Ubuntu system packages are up to date we can begin the installation of SSH (OpenSSH server):
3. Enable SSH on boot
Now in the next steps we’ll begin to configure ssh. We will first make sure SSH starts up on boot by enabling it with systemctl. Use the following command to enable the SSH service to run on boot:
4. Verify the service is running:
Now that we’ve installed SSH, we should verify the service is running. To verify the service status of SSH, enter the following command:
$ systemctl status ssh
The output of ‘systemctl status ssh’ (or ‘sudo systemctl status ssh’) should indicate that the service is running, which means the install of SSH on Ubuntu is complete.
5. Check the ufw firewall on Ubuntu
Ubuntu comes with the ufw firewall by default, and we need to check whether it is enabled, since it is always best to have a firewall active for added security. After confirming it is enabled, we can allow SSH within the firewall configuration.
Enter the following command and press enter to verify whether the ufw firewall is enabled:
$ ufw status
If the ‘ufw status’ command returns “inactive”, move on to step 6; if it returns “active”, move on to step 7.
6. Enable the ufw firewall on Ubuntu
Use the following command to enable the ufw firewall in Ubuntu:
$ ufw enable
Check status once more using the same ‘ufw status’ command as above and we will see it shown as active.
7. Allow SSH connections within the ufw firewall on Ubuntu
Once we have confirmed the ufw firewall is enabled, we can allow SSH connections within the firewall configuration using the following command:
$ ufw allow ssh
Now the SSH installation is complete and we can access our remote machine! To test your connection, enter the following command using your specific username and IP address:
$ ssh username@ip_address
There is still important work to be done so that our remote server is more secure now that SSH has been enabled. It is always suggested to change your SSH port to something other than the default port 22. The next steps explain how this is accomplished.
Why change the default port number for SSH?
By default, SSH connections on Linux systems use port 22. This poses a security risk, since the default port number is public knowledge. For proper security measures it is strongly recommended to change this to a different port that is not used by another service.
How to change the port number for SSH on Ubuntu?
1. Access the SSH configuration file
The first thing we will do is open our SSH configuration file using your favorite Linux text editor.
In this example we will be using vim. Enter the following command and press enter:
2. Update the SSH Port within the configuration file:
Once the configuration file is open, scroll down until you see the ‘Port’ line, which is likely commented out with a # symbol.
The ‘Port’ line is commented out with a # since port 22 is the default. Edit this line by removing the # at the beginning and changing Port 22 to Port 522 (as an example).
Once you’ve updated the port number here save and close the file.
3. Update ufw firewall so the new SSH port can be used:
Now we just need to update the ufw firewall so this port change can be completed. You can open the new SSH port with the following command:
$ ufw allow 522/tcp
Previously we had port 22 enabled for SSH. Now that this has been changed, we’ll need to remove the firewall rule for port 22 so only port 522 can be used for connections.
Enter the following command to remove the old firewall rule for SSH:
$ ufw delete allow 22/tcp
4. Restart the SSH service
For changes to take effect you’ll need to restart the SSH service. You can do so with the following systemctl command:
$ systemctl restart sshd
5. Verify your work by testing a connection to the server IP address
Now we need to verify our work by testing a connection to the remote host. We’ll do so by using the new port and our server’s IP address.
Open a separate terminal window and test a connection to verify the port change was completed successfully. It is important to leave the original terminal open in case you missed any steps and the connection fails:
$ ssh username@ip_address -p 522
If your connection was a success, congratulations!
You’ve completed installing SSH on Ubuntu and are now ready to remotely access your server using the secure shell protocol and a non-default SSH port.
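The port-change steps above delete the port 22 firewall rule before the SSH service has been restarted and the new port tested, so a typo in either the configuration file or the ufw rule can lock you out. The check below is an added example, not part of the original article: it reads sshd_config text and ‘ufw status’ output and reports whether the port 22 rule can be removed. The function names and sample inputs are constructed for illustration.

```shell
# Added example, not from the original article. All sample inputs are constructed.

# Print the ports sshd is configured to listen on (sshd_config text on stdin).
# Commented lines are skipped, keywords are case-insensitive, every active
# Port line counts, and with no Port line sshd falls back to 22.
sshd_ports() {
  awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
       END { if (!n) print 22 }'
}

# Succeed if the 'ufw status' text on stdin allows TCP port $1.
# Assumes numeric rules such as 522/tcp, not application profiles.
ufw_allows() {
  awk -v p="$1" '($1 == (p "/tcp") || $1 == p) && /ALLOW|LIMIT/ { ok = 1 }
                 END { exit !ok }'
}

# $1 = sshd_config text, $2 = 'ufw status' text.
# Succeeds only when sshd no longer uses port 22 and every port it does use
# is already open in ufw, so deleting the port 22 rule cannot lock SSH out.
safe_to_close_22() {
  for port in $(printf '%s\n' "$1" | sshd_ports); do
    if [ "$port" = 22 ]; then
      echo "unsafe: sshd is still configured for port 22"; return 1
    fi
    if ! printf '%s\n' "$2" | ufw_allows "$port"; then
      echo "unsafe: port $port/tcp is not allowed in ufw"; return 1
    fi
  done
  echo "safe: the port 22 rule can be removed"
}

# Constructed sshd_config fragments: after the edit in step 2, and the default.
CONF_CHANGED='#Port 22
Port 522
#AddressFamily any'
CONF_DEFAULT='#Port 22
#AddressFamily any'

# Constructed 'ufw status' output: both ports allowed, and only port 22 allowed.
UFW_HEAD='Status: active
To                         Action      From
--                         ------      ----'
UFW_BOTH="$UFW_HEAD
22/tcp                     ALLOW       Anywhere
522/tcp                    ALLOW       Anywhere"
UFW_ONLY_22="$UFW_HEAD
22/tcp                     ALLOW       Anywhere"
safe_to_close_22 "$CONF_CHANGED" "$UFW_BOTH"
```

On a live server, pass real data instead of the samples: the output of ‘sshd -T’ (run as root) prints the effective configuration, including any drop-in files, and can be used as the first argument together with the output of ‘ufw status’ as the second.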