How do I configure a new Ubuntu installation to accept ssh connections?

  • I just installed Ubuntu. How do I set it up to allow me to ssh into it?

    Right now I get "ssh: connect to host x.x.x.x port 22: Operation timed out".

  • Oli

    Oli Correct answer

    9 years ago
    sudo apt update
    sudo apt install ssh
    sudo ufw allow 22      # if you have ufw running, but it doesn't hurt to run.

    That's the very minimum. It allows unlimited failed password attempts on a known port. Direct root-login is disabled (you can still su and sudo once logged in). If your username and password are guessable and the Internet can see the server, somebody will eventually break in.

    I can't stress this enough: You need to harden the default setup. You essentially trade convenience for the likelihood of being hacked but I've gone through several suggestions on my blog. At the very least, I'd suggest:

    • Key-based logins. Disable password logins.
    • Move it off port 22. Use something crazy-high, in the 20000-60000 range.
    • Use fail2ban to ban people who do find it and try to brute it.

    It'll take you less than 10 minutes and they take youfrom a 1/10000 chance of being broken in-to a probability so small, there isn't enough paper in the world to write its fraction. All assuming you're careful with your key, it has a passphrase of its own and you don't trumpet your credentials all over the net.

    In terms of accessing this SSH server from the Internet, you may be facing local networking obstacles. If the computer is behind a NAT router (eg most home networks) without direct incoming access from the internet, you may need to look at port forwarding. Obviously if you don't need access outside the network, skipping this step will aide network security.

    Depending on your instance, you may not need sudo ufw allow 22. For example, I've got a simple VirtualBox Ubuntu-Server instance up, with Bridged Networking on a Windows host (for simple dev needs) - no need for opening port 22 (already open), no need for hardening that would potentially close 22, no need to use different port.

    @Oli - Can you exttend a bit on how fail2ban works? Do you just install it and it automagically starts a daemon for you or does it need configuration?

    @Matteo It ships with some defaults for common services (like SSH). In this case, unless you've made serious changes to where your logs are kept, just installing it should be enough.

    Just FYI `sudo apt-get install ssh` seems to be the same thing as `openssh-server`

    Hi Oli, it appears that the blog post now is outdated (the sed commands no longer work).

    You describe how to install the server although the question is how to set it up. Could you update your answer with more details? I have an Ubuntu running from USB stick and it seems the current user is "ubuntu" and password is empty. But I cannot connect with that. How do I set the SSH password for the SSH server? What is the default password of the SSH server after installation? These very important details are missing in your answer. Knoppix is more intelligent. It comes with SSH server already installed and asks me for the SSH password when I start the server.

    @Elmue Knoppix is designed to be run long-term from Live, Ubuntu isn't. You can do a proper install to USB, or whatever, but yeah, use things how they're supposed to be used. Ubuntu's default configuration requires a password for SSH. You can either bodge the config (see `man sshd_config`) or set a password on the Live account with `passwd`.

    @Sridhar-Sarnobat, The `ssh` package is described as the metapackage for both the secure shell client and secure shell server so if you install it you get both dependencies installed. However, the client is already installed in Ubuntu by default so you probably only need to install the server.

    @Oli, for mobile client devices that face a higher probability of being lost or stolen do you still feel this way about key-based authentication?

    @Oli note that although an unlimited number of failed password login attempts may be permitted, the rate at which they can happen is slow in practice. If I recall correctly a small number of failed password logins can be attempted in a short period of time and then there will be a delay before it can be tried again. For a system with a large number of "casual" users this defense is inadequate but otherwise (for example where the system has exactly one user) it will drastically reduce the probability of a successful brute force entry.

    Port forwarding increases risk and is unnecessary if all users are on the local subnet, for example, within the same building. A transactional application might require port forwarding but some project applications might never require it.

    @H2ONaCl 1: ssh keys can be revoked, replaced. They can also be hardened with a second and third factor (eg passphrase on the key plus out-of-band yubikey) if you need the additional security. 2: That's why I suggest fail2ban. 3: That's why it's a footnote, not part of the main instructions... But I'll edit.

    This helped for me. Thanks a ton :-)

  • Installing the openssh-server package which is available from the Software Center will provide the server element to allow a client such as another ubuntu desktop to achieve a secure connection to a 'server' such as your VM.

    The ubuntu community has an excellent guide about SSH, OpenSSH-Server and how to configure it in a secure manner.

  • I just wanted to add that you need to make sure you have picked the correct WAN interface, if your modem/router support multiple WAN interfaces.

    I have a Billion BiPAC 7800NXL which has 3 possible WAN ports (DSL, ETH and 3G). When you create a new forwards (called a "Virtual Server" in this router), the 7800NXL always defaults to the DSL WAN interface, even though I only use the Ethernet WAN interface.

    I had all the ports set up correctly, but my forward was configured to use DSL, so it didn't work. As soon as I created a new forward for the ETH WAN interface, it worked.

  • Configure SSH Services or Enable SSH Server services on Ubuntu server:

    For install or configure SSH on Ubuntu first you need to install SSH packages on Ubuntu server so you next you able to take your virtual machine on your host system via Putty or other SSH login patch...

    first you need to install SSH package on Ubuntu so run this command

    #sudo apt-get install openssh-server

    some time you guyzz got some errors while installing or add this package on your server like..

    CDROM Error while install package SSH so for resolve this issue you can you my another shortcut available on Mounting CDROM Finally after mounting this CDROM on Ubuntu server you now easly install SSH service by below command

    #sudo apt-get install openssh-server

    This package install now and during installation ask for yes / no ans then hit YES...

    Finally the SSH package install on Ubuntu sever then restart the SSH services by following command..

    #sudo service ssh restart
    ---OR type---
    #sudo service ssh start

    Then BooM your SSH have install and start SuccessFully... now open Putty from your local host machine and type your VM IP there Putty Login And BOOM you able to login your VM server trough host machine Putty SSH...

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM