---
title: 'Setting up SSH Server via Windows Ubuntu 18.04'
disqus: hackmd
---
Setting up SSH Server via Windows Ubuntu 18.04
===
https://www.youtube.com/watch?v=vpk_1gldOAE&t=462s



## Table of Contents
[TOC]

Establishing Server and Keys
---
**Download SSHD**
```bash
$ sudo apt install openssh-server
```
**Generate Host Keys**
```bash
$ sudo /usr/bin/ssh-keygen -A
```
**Enhance with Key Pairs**
* [Bitfumes](https://www.youtube.com/watch?v=y2SWzw9D4RA) Intro to keys and asymmetric encryption (private key: decrypts; public key: used with the encrypting function made by the SSH server).
* [Risan Bagja Pradana](https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54) Overview of the Ed25519 key type.

*Generate*
```bash
$ ssh-keygen -t rsa -b 4096
```
> [name=`-o` specifies OpenSSH format]
> [name=`-a` specifies KDF rounds (resists brute force)]
> [name=`-t` type of key to create]

*Copy PubKey*
```bash
$ cp ~/.ssh/id_rsa.pub <desired folder>
```
All you have to do is copy the key and place/configure it on the remote system by physical transfer rather than fetching it with a command over the internet. You will be prompted for the `passphrase` created earlier for that key.
**Set `authorized_keys`**
https://askubuntu.com/questions/466549/bash-home-user-ssh-authorized-keys-no-such-file-or-directory
```bash
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
```
Doing the above allows the keys to be accepted by the system.
**Change Default Port**
[Idan Cohen](https://hostadvice.com/how-to/how-to-change-your-ssh-port-from-the-default-for-security/) Port Guide
> [name=Dynamic/private ports: 49152-65535]
```bash
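$ sudo nano /etc/ssh/sshd_config
# Change the commented-out default
#Port 22
# to a port in the dynamic/private range:
Port <range: 49152-65535>
# Allow key logins and turn off password logins:
PubkeyAuthentication yes
PasswordAuthentication no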
```
> [name=change ports in the range]

Configuring Server (More Secure; Optional)
---
Beginners often forget this step. Pay close attention to it instead of depending on the default settings.

[Goran Jevtic](https://phoenixnap.com/kb/linux-ssh-security)

**Disable Root Login SSH**
No one can log in as root over SSH.
```bash
$ sudo nano /etc/ssh/sshd_config
...
# Change "PermitRootLogin yes" to:
PermitRootLogin no
AllowUsers <your user name>
```
**Disable Password-Login**
Use *keys only*. This prevents a key from being copied over remotely, so physical transfer is required.
```bash
$ sudo nano /etc/ssh/sshd_config
...
# Change "PasswordAuthentication yes" to:
PasswordAuthentication no
```
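An added example (not from the original notes or from the OpenSSH project): a shell function that audits an `sshd_config` against the settings recommended above. It shows one pitfall of hand-editing the file: sshd uses the first value it reads for a keyword, so a `PasswordAuthentication no` placed below an existing `yes` has no effect. The function names, the sample file and the user `alice` are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: audit an sshd_config against the settings this page recommends.

# Print every global value of <keyword> in <file>, in file order. Keywords are
# case-insensitive and global settings end at the first "Match" block.
values() {
  awk -v want="$1" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { sub(/=/, " "); key = tolower($1) }     # "Key=value" is also valid syntax
    key == "match" { exit }
    key == tolower(want) { print tolower($2) }
  ' "$2"
}

# Print findings for <file>; the return status is the number of failures.
audit_sshd_config() {
  local f="$1" fails=0 ports p
  check() {  # check <keyword> <expected> <value sshd uses when unset>
    local v
    v=$(values "$1" "$f" | sed -n 1p)       # sshd keeps the FIRST value it reads
    v=${v:-$3}
    if [ "$v" = "$2" ]; then echo "ok   $1 $v"
    else echo "FAIL $1 is '$v', expected '$2'"; fails=$((fails + 1)); fi
  }
  check PubkeyAuthentication yes yes
  check PasswordAuthentication no yes
  check PermitRootLogin no prohibit-password   # default assumed: OpenSSH 7.0+
  ports=$(values Port "$f"); ports=${ports:-22}
  for p in $ports; do                         # sshd listens on every Port line
    if [ "$p" -ge 49152 ] 2>/dev/null && [ "$p" -le 65535 ]; then echo "ok   Port $p"
    else echo "FAIL Port $p is outside 49152-65535"; fails=$((fails + 1)); fi
  done
  if [ -n "$(values AllowUsers "$f")" ]; then echo "ok   AllowUsers set"
  else echo "FAIL AllowUsers not set"; fails=$((fails + 1)); fi
  return "$fails"
}

# Constructed sample: the hardening line was appended below an older "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 50022
PasswordAuthentication yes
PermitRootLogin no
AllowUsers alice
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On a live server, `sudo sshd -T` prints the configuration sshd actually uses, which is the authoritative check after editing.
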
**Restrict SSH Access (iptables)**
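Limit or permit traffic by source address. This basically whitelists devices. An `ACCEPT` rule on its own blocks nothing: traffic from other sources is still handled by the remaining rules and the chain's default policy.
```bash
$ sudo iptables -A INPUT -p tcp -s <host address> --dport <your port> -j ACCEPT
```
> [name=`-j ACCEPT` whitelists the IP]
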
Configure Router-SSH-Access ``(from remote)``
---
**Open Port via Windows Firewall**
**Add** the `port number` from your config to the Windows firewall.
**Open Port via Router/Port-Forwarding**
**Use** the `TCP protocol`, then find your `computer's IP address (IPv4)` and enter the `port number` to open under the `Port Forwarding` option in the `Router` configuration.
**Find Router IP**
ipchicken.com
>[name=write this down, you'll need it]

**Have pub/priv key ready**
*Have a copy of the key pair transported to the remote computer and placed in its `.ssh` directory. It is then used to authenticate without having to pull it from the remote server, which is extra safe.* Requirements for `Termius`:
* `ID Name (keyname)`
* `.pub`
* `<private key>`
**Enter to Access**
```bash
$ ssh -p <port number> <user>@<router IP>
```
>[name=will prompt `passphrase`]

Start Server `(Server-side)`
---
**Start SSHD**
```bash
$ sudo service ssh restart
$ sudo service ssh start
```
Connecting to Server `(Remote Side)`
---
I use a program called `Termius` because it's such a great app that can SSH through multiple devices. I can start a Jupyter notebook on an iPad because it's connected remotely and accessible in a browser.
**Bash/Unix**
Copy keys to `.ssh`
**Juno Connect**
###### tags: `Templates` `Documentation`