ClearOS Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


SSH Server

The SSH Server module allows for configuration of the Secure Shell Daemon service in ClearOS.

Installation

If your system does not have this app available, you can install it via the Marketplace.

You can find this feature in the menu system at the following location:

Network|Infrastructure|SSH Server

Configuration

You can customize the port, whether password authentication to SSH access is allowed, whether or not root is allowed to log in, and whether to allow for TCP forwarding.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=550&tok=2b2c62&media=content:en_us:ssh_best_practices-1.png

Disabling root Login

The root account is the most sought after and the most common account to try and hack. Disabling root login lets you still log in as regular users but then requires those users to switch user (su) or use privilege escallation (sudo) for all root commands on the system. This is considered best practice and we highly recommend it.

You can give users SSH access using the Shell Extension app.

Port

Changing the port is a good idea because hackers will know to try port 22 for SSH and it is typically the first place they try. If you change the port, be sure to select a port that is not in use by another protocol on the system. (Valid range theoretically range from 0-65535)

Password Authentication

By turning off password authentication you tell your system that you will use key based authentication. This is typically considered stronger authentication than passwords.

TCP Forwarding

TCP Forwarding allows you to use SSH as a gateway for other types of network traffic. It is a quasi-VPN and can make certain local traffic appear local to the machine attaching via SSH. If you are not using this, disable it.

Securing SSH

If you can avoid it, it is best not to open up external access to SSH. If you require external access, consider if it would be better to use OpenVPN to connect to ClearOS because you can then connect to SSH as if you were connected to the ClearOS LAN.

If you do open up SSH to external access from the internet, please see the Securing SSH in ClearOS - Best Practices Guide and install the Attack Detector app. Also consider using the Intrusion Detection and Intrusion Preventions apps.

A strong password is a must!

content/en_us/7_ug_ssh_server.txt · Last modified: 2018/09/24 06:17 by nickh

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3A7_ug_ssh_server&1544777761