There are a few features that are not available out of the box in Ubuntu. One such feature is SSH. If you install Ubuntu on your machine and expect ssh to work by default, it doesn’t. You will get an error message that says ‘The remote system refused the connection’.
Also, if you open WinSCP on your local machine and try to access the Ubuntu machine, that won’t work either.
You will get Network error, connection refused.
Even when you try to transfer a file using the scp command, it will not work and throws the same error message that says connection refused, lost connection, because SCP also uses the same ssh port number, 22.
And for me, being from a network background, I really needed this ssh access, as well as the ability to transfer data over SCP.
In this blog, we are going to enable ssh access on Ubuntu and secure the ssh access. Doing that also enables SCP access for the users.
- You must have an Ubuntu machine installed, with root access.
- Internet access.
What is SSH?
SSH (secure socket shell) is a protocol that lets you connect to a remote host’s command-line interface securely. Since it is encrypted, no one can read the data between the SSH server and the client. The default port used by SSH is 22.
Can I use Telnet instead of SSH?
Yes, of course you can, but the problem is that if anyone gains access to the session between the telnet client and the server, they can easily read the data inside the session, because the communication happens in cleartext and there is no encryption in place.
In case you want to install telnet along with SSH, you can enter the command below.
sudo apt-get install telnetd -y
Is SSH enabled by default on Ubuntu?
The SSH service is not enabled on Ubuntu desktop by default. However, when you install the Ubuntu server, you would get an option to install the OpenSSH service during the installation and if you do not choose that option, the ssh service will not be enabled.
You can follow the steps here to install the ssh service on the Ubuntu machine.
We are using Ubuntu version 20.10 for this lab. If you have an older version of Ubuntu such as 20.04, 19.10, 19.04, 18.10 or 18.04, the steps mentioned here will work just fine.
Steps to enable SSH access on Ubuntu.
- Verify whether the SSH service is installed.
- Install OpenSSH service on Ubuntu.
- Check the SSH service status.
- Start ssh on boot in Ubuntu.
- Verify the ssh access from localhost.
- Verify the ssh access from the remote.
- Secure the SSH access.
- Verify the SCP access.
To enable the SSH service on the Ubuntu machine, you have to download and install the utility called OpenSSH server. Let’s go ahead and install it on my Ubuntu machine.
1. Verify whether the SSH service is installed.
When you get the error message that says the remote system refused the connection, that doesn’t mean the ssh service is not installed on the machine. It could also mean that the ssh service may be blocking the connection.
You can check the status by typing service ssh status or systemctl status ssh.
As you can see, in my case the ssh service is not installed so let’s go ahead and install the ssh service on Ubuntu.
Note: If you have already installed the ssh service, then you don’t have to install the service again.
2. Install OpenSSH service on Ubuntu.
Log in to the terminal and enter the commands below to install the OpenSSH service on your Ubuntu machine.
sudo apt update
sudo apt install openssh-server -y
3. Check the SSH service status.
Once the installation is completed, the OpenSSH service starts automatically. Let’s quickly check the status of the ssh service on the machine now by running the command
service ssh status
As you can see, the ssh service is not only installed, it has also been started automatically.
At any point, if the ssh service has not started, you can start it with the command
service ssh start
To stop the service, type
service ssh stop
You can also restart the service by typing
service ssh restart
just like you would manage any other service in Linux.
Similar to the above, you can also check the ssh service status by typing the command
systemctl status ssh
4. Start ssh on boot in Ubuntu.
You also need to make sure the SSH service starts during the boot.
If you don’t do that, the next time the system reboots and you try to access the Ubuntu machine, you cannot get in and it will throw an error saying connection refused.
The problem is that the SSH service wouldn’t have started during the boot.
To enable the ssh service at boot on Ubuntu, enter the command
sudo systemctl enable ssh
[email protected]:~$ sudo systemctl enable ssh
[sudo] password for saif:
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
[email protected]:~$
5. Verify the ssh access from localhost.
To verify the SSH access, you can ssh to the same Ubuntu host by typing ssh localhost
As you can see, I was able to ssh into the ubuntu localhost using ssh.
This means, the ssh service is working and you are able to ssh from your local machine.
6. Verify the ssh access from the remote.
Now let’s go to any remote host and try to ssh again; this time, of course, you have to use the IP address of the Ubuntu host.
Type ip addr on the Ubuntu host to get its IP address, and first make sure you are able to reach that IP from the remote host by pinging it.
Yes, we are able to reach the ubuntu host from the remote machines.
By this point you should be able to access the Ubuntu host via SSH. Read on to secure the SSH access and test the SCP connection.
7. Secure the SSH access.
We are able to access the ssh and it works just fine. Next, let’s take a look at how you can secure ssh access.
We can secure the ssh access in multiple ways, and we are looking at two options here. First, change the default ssh port number from 22 to something different.
Second, allow only specific users to ssh in. Let’s see how we can achieve that.
If you want to tighten the security further, you can even allow only a specific IP address to ssh into the host; we are not going to do that here.
a. Change the default SSH port number.
Changing the default ssh port number is very easy: open the ssh configuration file and replace the port number 22 with a different one.
The ssh configuration file is located at /etc/ssh/sshd_config
Edit the configuration file using the nano editor.
sudo nano /etc/ssh/sshd_config
You should see that the port 22 line is commented out; uncomment that line and change the port number.
For this test, I am using the port number 2222.
After you have made the change, go ahead and restart the ssh service in Ubuntu.
The current session continues even if you change the port number and restart the service. You can now exit the current session and try to ssh again.
As you can see, when I tried to ssh again, it didn’t let me in.
That’s because by default the ssh client starts the session on port number 22. So any time you want to ssh into this box, you have to specify the ssh port number manually.
To specify the ssh port number, add -p and the port number, on Windows as well as on Linux.
For example: ssh [email protected] -p 2222
And we are able to ssh into the Ubuntu machine successfully this time, after modifying the port number.
b. Restrict the access to specific users.
To restrict the access to specific users in Ubuntu, add a line to the same configuration file that says AllowUsers followed by the username.
For example: AllowUsers user1
After you have made the change, go ahead and restart the ssh service.
Try to ssh with the old username and see if you can still access the system via ssh.
I tried to ssh and it prompted me for the password three times and it failed, though I entered the correct credentials.
Which means we restricted the access at the user level.
How do I allow the old user again?
You can add the old username to the allow list. Just below the AllowUsers line, you can add the same line, but this time with the old username.
If you have multiple users, you can keep adding the usernames here.
As soon as I made the changes and restarted the ssh service, I am now able to authenticate using my old username.
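The two edits from step 7 (port and allowed users), scripted so they can be repeated and checked; this is an added example, not part of the original post. The function names set_sshd_option and sshd_setting, the sample file contents and the user names are assumptions for illustration, and both users go on one AllowUsers line, which sshd accepts as a space-separated list.

```shell
#!/usr/bin/env bash

# set_sshd_option FILE KEYWORD VALUE...
# Rewrites the first "KEYWORD ..." or "#KEYWORD ..." line, drops later global
# duplicates, and adds the line if missing. New lines go before any Match
# block, since options that follow "Match" only apply inside that block.
set_sshd_option() {
    local file="$1" key="$2" tmp rc
    shift 2
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$*" '
        tolower($1) == "match" {
            if (!done) { print key " " val; done = 1 }
            inmatch = 1
        }
        {
            line = $0
            sub(/^[ \t]*[#]?/, "", line)    # accept "#Port 22" as well
            split(line, f, /[ \t]+/)
            if (!inmatch && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# sshd_setting FILE KEYWORD: value of the first active global KEYWORD line.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Constructed sample shaped like the stock file. On a real host the target is
# /etc/ssh/sshd_config (as root); run "sshd -t" before restarting the service.
demo() {
    local cfg
    cfg=$(mktemp) || return 1
    printf '%s\n' '#Port 22' '#AddressFamily any' 'UsePAM yes' > "$cfg"
    set_sshd_option "$cfg" Port 2222 &&
        set_sshd_option "$cfg" AllowUsers user1 olduser && cat "$cfg"
    rm -f "$cfg"
}
demo
```

When applying this to the real file, keep the current session open until a new login on the new port succeeds, so a mistake in the file does not lock you out.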
8. Verify the SCP access.
Now open WinSCP and try to access the Ubuntu machine, and you should be able to access it.
Note: Remember to enter the port number 2222 while accessing it.
I am also able to transfer files using SCP on CLI.