How to Set Up SSH Server on Debian

Edited 3 days ago by ExtremeHow Editorial Team

DebianSSHNetworkingSecurityRemote AccessLinuxServerOpen SourceSystem AdministrationCLI

Secure Shell (SSH) is a popular network protocol that allows secure connections over unsecured networks. SSH provides a secure way to access remote computers and is essential for system administrators. Setting up an SSH server on Debian is a straightforward process, and this comprehensive guide will guide you through the steps to effectively configure an SSH server. We'll cover installation, configuration, security practices, and troubleshooting, as well as provide examples and explanations. This guide assumes you have a basic understanding of the terminal and superuser (root) privileges on your Debian system.

1. Understanding SSH and its importance

SSH stands for Secure Shell and is used to connect to remote machines in a secure manner. It replaces older protocols like Telnet and FTP, which are not secure as they transmit data including passwords in an unencrypted format. SSH encrypts the session, making it unreadable to any interfering entity. This encryption ensures the security and confidentiality of data transmission between the client and the server. SSH operates on port 22 by default and provides both authentication and command-line interface for secure communication.

2. Preparing the Debian system

Before setting up the SSH server, it is important to ensure that your Debian system is up-to-date to avoid any conflicts or problems during installation later. Log into your Debian server with superuser privileges and follow these steps:

sudo apt update
sudo apt upgrade

The above commands will get the latest information about the available packages, then upgrade the packages to the latest version. This ensures that all the prerequisites for SSH server installation are present.

3. Installing the OpenSSH server

On Debian, the OpenSSH package provides an SSH server and client. To install the OpenSSH server package, execute the following command:

sudo apt install -y openssh-server

-y option automatically answers 'yes' to all prompts, allowing a non-interactive installation. The OpenSSH server installation will start automatically and be enabled upon completion.

4. Verifying the SSH service

After installation, it is important to confirm that the SSH service is running as expected. To check the status of the SSH service, use the following command:

sudo systemctl status ssh

The output should indicate that the service is active and running. If it isn't, you can start the SSH service as follows:

sudo systemctl start ssh

Also, to make sure the SSH service starts after a reboot, enable it:

sudo systemctl enable ssh

5. Basic SSH configuration

The configuration file for the SSH server resides in /etc/ssh/sshd_config. It is recommended to create a backup of the original file before making changes:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Edit the configuration file with your favorite text editor, such as nano or vim:

sudo nano /etc/ssh/sshd_config

Some recommended configurations are as follows:

• Port number: By default, SSH listens on port 22. For security reasons, you can change the port number to something less common to avoid automated attacks. Look for Port 22 line and change it to a number above 1024 to avoid conflicts with well-known ports.
• Allow root login: Direct root login over SSH is risky. For better security, disable root login. Set PermitRootLogin directive to no.
• Password authentication: For increased security, consider using SSH keys instead of password login. Set PasswordAuthentication to no after setting up key-based authentication.

After making the changes, save the file and exit the editor. To apply the changes, restart the SSH service:

sudo systemctl restart ssh

6. Setting up SSH key-based authentication

SSH keys provide a more secure way to log in to an SSH server than using a password. SSH keys are essentially two files: a public key and a private key. The private key lives on your machine and must be kept secure, while the public key is kept on the server. Here's how to set up SSH key-based authentication:

6.1. Generating an SSH key pair

On the client machine (your local machine), generate SSH keys using the following:

ssh-keygen -t rsa -b 4096

This command generates a 4096-bit RSA key pair. You will be asked to enter a file name to save the keys. Press enter to store them in the default location (~/.ssh/id_rsa for private and ~/.ssh/id_rsa.pub for public).

6.2. Copying the public key to the server

Upload the public key to the Debian server using ssh-copy-id command. Replace user and server_ip with your username and the server's IP address, respectively:

ssh-copy-id user@server_ip

It will ask you for your server password. Once entered, it will copy the public key to the server's ~/.ssh/authorized_keys and set the appropriate permissions.

6.3. Verifying SSH key-based authentication

Test the SSH connection to confirm that key-based authentication works. Execute:

ssh user@server_ip

If successful, you will be logged in without a password prompt, indicating proper key-based authentication. If you are confident that key-based authentication is working, you can now disable password authentication in /etc/ssh/sshd_config by setting PasswordAuthentication no.

7. Enhancing SSH security

Improving SSH server security involves configuring settings that reduce potential risks. Here are several steps to further secure your SSH server:

7.1. Limiting user access

Use AllowUsers or AllowGroups directives in sshd_config to determine which users can log in over SSH. For example, to allow only user1 and user2 to log in via SSH, add:

AllowUsers user1 user2

7.2. Disabling SSH Protocol 1

SSH protocol 1 is outdated and has vulnerabilities. Always use protocol 2:

Protocol 2

7.3. Controlling SSH access with a firewall

Set firewall rules to allow SSH access only from trusted IP addresses. With ufw, add a rule like this:

sudo ufw allow from trusted_ip to any port ssh

7.4. Configuring Fail2Ban

Fail2Ban is an intrusion prevention software that helps protect your server from brute-force attacks. Install it like this:

sudo apt install fail2ban

By default, it automatically configures itself to protect SSH. Make sure it is running and enabled:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

8. Troubleshoot common SSH issues

It is not uncommon to encounter problems with SSH. Below are some common problems and their possible solutions.

8.1. SSH connection refused

If you receive a 'Connection refused' error, the SSH service may not be running, or a firewall may be blocking the connection. Verify that SSH is enabled:

sudo systemctl status ssh

Make sure your firewall is configured to allow connections on SSH port 22 or the port you configured.

8.2. Authentication failures

If you can't authenticate, double-check your permissions. Make sure authorized_keys exists, is readable, and is owned by the user.

chmod 600 ~/.ssh/authorized_keys
chown user:user ~/.ssh/authorized_keys

The SSH server logs more detailed information in /var/log/auth.log. Inspecting this file often helps to diagnose problems.

Conclusion

Setting up an SSH server on Debian is an essential task to ensure secure remote administration of your system. This guide covers the important aspects of SSH setup, focusing on installation, configuration, and securing your SSH server from unauthorized access. Always keep your server updated, limit user privileges, and implement security measures such as firewalls and intrusion prevention systems to strengthen your server's security. Proper SSH security practices are crucial to maintaining a secure, efficient, and reliable server environment.

  Share This Article

If you find anything wrong with the article content, you can request an update