SSH allows users to connect to a remote Linux/Unix operating system and use it as if they were sitting at it directly. This lets you work on your code or project from a remote location without worrying about copying and pasting the changes made in one place to another. With X Window forwarding enabled, you can even run remote applications on your local machine, even if that machine is a Windows PC.
Setup
By default, SSH is installed on CentOS, but if it is not, you can install it manually.
Note: all of the following commands require root privileges:
$ su root
The most widely used SSH implementation is OpenSSH, which can be installed using this command:
$ yum install openssh
Don’t worry if you don’t know whether or not SSH is installed on your system; the above command will detect that it is already installed and simply ignore the request.
Configuration
To change the SSH settings, open the file /etc/ssh/sshd_config in a text editor. The easiest way to do this is with vim/vi, since root privileges are required for this operation.
$ vim /etc/ssh/sshd_config
The file contains setting variables along with their values. First, we need to disable root access. This means that when using ssh to log in to the computer, neither you nor anyone else should be able to do root@mycomputer. So edit the following entry:
PermitRootLogin no
If specific users are going to use ssh to log in, add AllowUsers followed by their usernames, for example:
AllowUsers alice bob
For security reasons, change the default port from 22 to something else that is not being used by another process (for example, do not use port 80 or 3433). To change the default port, edit the following entry:
Port 4322
We are done with the ssh config file, so save and close it.
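Added check, not part of the original post: a small shell audit that reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins, so a hardening line appended below an earlier "yes" is ignored) and reports which of the settings changed above are still at their defaults. The function names are my own; Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings this guide changes. sshd honours the FIRST uncommented occurrence
# of a keyword, so a "PermitRootLogin no" appended after an earlier
# "PermitRootLogin yes" is silently ignored; this check reads the file the
# same way. Match blocks are not handled.

# effective_value FILE KEYWORD -> the value sshd would use (first match, keyword case-insensitive)
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE -> prints one line per finding; return code = number of findings
check_sshd_config() {
    cfg="$1"
    findings=0
    v=$(effective_value "$cfg" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}' (default on older sshd: yes); set it to no"
        findings=$((findings + 1))
    fi
    v=$(effective_value "$cfg" AllowUsers)
    if [ -z "$v" ]; then
        echo "AllowUsers is unset; any local account may log in over ssh"
        findings=$((findings + 1))
    fi
    v=$(effective_value "$cfg" Port)
    if [ "${v:-22}" = "22" ]; then
        echo "Port is 22 (the default); this guide moves it, e.g. Port 4322"
        findings=$((findings + 1))
    fi
    v=$(effective_value "$cfg" LogLevel | tr '[:lower:]' '[:upper:]')
    if [ "${v:-INFO}" != "VERBOSE" ]; then
        echo "LogLevel is '${v:-INFO}'; set it to VERBOSE as in the logging section of this guide"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: check_sshd_config /etc/ssh/sshd_config; echo "findings: $?"
```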
In the last entry we changed the default port from 22 to 4322. Doing this also requires you to modify the operating system firewall to allow access to port 4322. The firewall settings file is located at /etc/sysconfig/iptables, so open it in a text editor.
$ vim /etc/sysconfig/iptables
By default, port 22 is open on the firewall, and the entry in the file that configures this is:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
So change the number 22 to 4322, or whatever number you picked yourself:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4322 -j ACCEPT
Now save and close the file.
Since we modified the ssh server and the firewall settings, we need to restart the two services (daemons).
$ service iptables restart
$ service sshd restart
If you have a router installed, read the rest of the steps.
Router Firewall
Your router's firewall is configured to ignore incoming packets, so we need to open the new port 4322 and route all of its traffic to our PC using port forwarding.
First, let's get the IP address of the computer.
$ ifconfig
Usually the first block of output, the one that starts with eth0, is the NIC you're looking for. The IP should start with 192.168.xxx.xxx; in my case it is 192.168.1.3.
Second, go to your router's admin page and find the port forwarding page. Set the start and end ports to 4322 and the destination IP to the IP we found in the last step, in my case 192.168.1.3. The specific steps depend on your router manufacturer.
X Window Forwarding
As I mentioned earlier, you can run remote applications on your local PC without even installing them. To enable this feature, open the /etc/ssh/sshd_config file and look for the text X11Forwarding. Set the value of this parameter to yes, then restart your sshd server. Then, when issuing an ssh command, pass the -X (capital X) option to enable X11 forwarding.
ssh user@ssh-server-address -X
Then run an application such as gedit; it opens on your local PC while running on the remote computer.
Logging SSH activity
As an added security measure, you can log your ssh activity if it is not enabled by default. Then you can use grep to see whether any illicit activity has been happening.
To log ssh activity, you need to define the logging facility and the level of the log messages in the sshd_config file. Open sshd_config (/etc/ssh/sshd_config) and look for where it says “# Logging”. You can search in Vim by typing “/Logging” in command mode.
# Logging
SyslogFacility AUTH    (or SyslogFacility AUTHPRIV)
LogLevel INFO
Change the values to:
SyslogFacility LOCAL0
LogLevel VERBOSE
There are different log levels available; you can use “man sshd_config” to read about them.
Save and close, then open the syslog config file (/etc/rsyslog.conf). Add the following lines in the RULES section, which is the content under the #### RULES #### text.
# save sshd logs to a different file
local0.* /var/log/sshd.log
If you look closely, you might find a line that says
# The authpriv file has restricted access.
authpriv.* /var/log/secure
and since SyslogFacility was set to AUTHPRIV before, all sshd logs were written to this file.
With this setup, all sshd activity will be logged in the sshd.log file, but you need to restart both the sshd and syslog services for the changes to take effect.
sudo service rsyslog restart
sudo service sshd restart
You can view the log in real time using tail with the -f option.
tail -f /var/log/sshd.log
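As an added example (not part of the original post), here are a few shell functions that do the grep the section above talks about over the sshd.log file: failed password attempts per source address, addresses over a threshold, attempts against root, and successful logins. The log lines inside are constructed samples in rsyslog's default format; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the /var/log/sshd.log
# created above. The sample lines are constructed in rsyslog's default
# format; 203.0.113.0/24 is a documentation range, not a real host.

# write_sample_log FILE -> constructed sample for trying the functions below
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:20 mycomputer sshd[2345]: Invalid user admin from 203.0.113.7
Mar  3 10:15:22 mycomputer sshd[2345]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:25 mycomputer sshd[2346]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:29 mycomputer sshd[2347]: Failed password for alice from 203.0.113.7 port 51240 ssh2
Mar  3 10:16:01 mycomputer sshd[2350]: Accepted publickey for alice from 192.168.1.20 port 50022 ssh2
Mar  3 10:18:44 mycomputer sshd[2360]: Failed password for bob from 192.168.1.9 port 50100 ssh2
Mar  3 10:18:50 mycomputer sshd[2360]: Accepted password for bob from 192.168.1.9 port 50100 ssh2
EOF
}

# failed_logins_by_ip LOG -> "COUNT IP" per source address, most failures first
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# suspicious_ips LOG THRESHOLD -> addresses with at least THRESHOLD failed passwords
suspicious_ips() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# root_login_attempts LOG -> password attempts against root; with
# PermitRootLogin no, every one of these is a guess, not a legitimate login
root_login_attempts() {
    grep -c 'Failed password for root from' "$1" || true
}

# accepted_logins LOG -> "USER IP METHOD" for every successful login
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
        for (i = 1; i < NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") h = $(i + 1) }
        print u, h, $7 }' "$1"
}

# Usage: write_sample_log /tmp/sshd.log; suspicious_ips /tmp/sshd.log 3
```

On a real host, point the functions at /var/log/sshd.log instead of the sample file; the output of suspicious_ips is what you would feed into a block list or a closer look at /var/log/secure.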
Other Resources
CentOS Wiki page for SSH: http://wiki.centos.org/HowTos/Network/SecuringSSH