By default the SSH daemon listens on port 22 for incoming connections, meaning that in order to harden your server installation ever so slightly, you should switch out the default port 22 to something a little more obscure.
To do this is relatively easy. Simply open the the config file and change the Port declaration (which is right near the top of the file):
sudo nano /etc/ssh/sshd_config
After changing the value to something like 2211, save the file and exit.
now reload the service daemon with:
sudo reload ssh
Important, don’t yet log out of your current root SSH session! We first need to test if our change was successful. So launch up a new terminal and log in to your server using the new port number:
ssh -p 2211 firstname.lastname@example.org
If you successfully connect, great, you know your change was a success. You can further ease your mind by trying to SSH in via a new terminal using the old port number – this connection attempt should fail.
Now that you know the change has been made, you can log out of your initial root terminal window where you originally made the change.
SSH tunnels are useful beasts in that they allow you to communicate with machines and ports on a private network which are not directly accessible to the external world, by building a bridge between your local machine and a machine in the walled off network to which you happen to have SSH access to.
The diagram below shows you an example whereby to gain access to a Oracle server on Port 1521, you would first SSH into a linux box on the inside network and then create a SSH tunnel which would transport traffic between your machine and the Oracle server.
Another example could be if you have MySQL installed on your server but have cut off external access to the database server, leaving only SSH open. In this case, you would connect into the box via SSH and create a tunnel to the MySQL database server on localhost port 3306.
To create a SSH tunnel is fairly simple and can be created with this command:
ssh -f remote-server.net -p 22 -l myusername -L 3307:localhost:3306 -N
The line above first connects to remote-server.net via SSH on port 22 using the user name ‘myusername’, and then sets up a SSH tunnel connecting port 3307 on your local PC (i.e. 127.0.0.1) and hooking it up to port 3306 on the remote-server.net box itself. Of course you could have created a connection to any other box that remote-server.net has direct access to.
You should be prompted for a password when running this command. Note that the -f switch means that this process will be started in the background and the trailing -N instructs OpenSSH not to execute the command on the remote server.
I often need to pull down a copy of a live MySQL database instance for development work on my local machine. Because my access to bandwidth is limited, I need to come up with the most efficient way of achieving this, and my method for achieving this is chronicled below – mainly so that I can refer to it when I forget!
Anyway, the process is simple enough to explain. First, we ssh into the target server and we use mysqldump to create a SQL dump text file of the required MySQL database. Next, we compress it using the powerful 7-Zip to create a nice and compact 7z file. Exit ssh. To pull it down from the server, we use plain old scp and do a secure copy down to our local machine. Next we uncompress the newly copied 7z archive and once extracted, import it into our local MySQL server using the mysql command.
And a nice example for copy and paste purposes:
ssh #REMOTEUSERNAME#@#HOSTNAME# mysqldump -u #USERNAME# -p#PASSWORD# -c --add-drop-table --all --quick #DATABASE# > dump.sql 7za a -t7z -m0=lzma -mx=9 -mfb=64 -md=32m -ms=on dump.7z dump.sql exit scp -v -P #PORT# #REMOTEUSERNAME#@#HOSTNAME#:/home/server/dump.7z /home/craig/dumpscp.7z 7za e /home/craig/dumpscp.7z mysql -u #USERNAME# -p#PASSWORD# database < /home/craig/dump.sql
Being able to administer your Ubuntu servers remotely is one of the most important aspects when running your own server environment, which makes the extremely useful OpenSSH server package an almost critical part of your system after install.
Because it is not installed by default (though the option does form part of the installer process), it is pretty simple to enable afterwards.
Once you have finished your install and logged in, update your apt-get sources by entering:
sudo apt-get update
(If you don’t do this and try installing openssh-server directly, you’ll most likely encounter a “openssh-server has no install candidate” error. Try it for yourself if you don’t believe me)
Once this has completed updating your packages, install the OpenSSH server onto your system with:
sudo apt-get install openssh-server
You may want to further configure SSH access on your system (like change the default port for added security for example), which can be done by editing the config file at /etc/ssh/sshd_config and make the required changes (disabling root logins is also always a good idea).
Note, you can check if SSH has been installed and is running by running the following PS check:
ps -aef | grep sshd
The concept is simple. Bind one of your local machine’s port via a SSH connection to another box on the outside. For example:
ssh -N -L 3307:127.0.0.1:3306 userName@remoteHost &
The above is simply linking the remote machine’s MySQL server on port 3306 to your local machine’s port 3307. In other words, you can now connect to the MySQL server on the remote machine by connecting to localhost:3307.
Although port 21 is the default port used for SSH connections and thus SCP, most of the time you will find that in order to increase protection, the actual assigned port is far removed from the default 21. So how do you specify this when running a SCP copy operation?
Well SSH has the lowercase -p switch that allows you to specify which port to attempt to connect on, looking like this in practice:
ssh -p 6188 othermachine.com
However, SCP for some or other reason (most likely due to the prevalence of using -p as a password switch elsewhere in Linux) does not use the lowercase -p to specify port, opting rather to make use of a capital -P to specify the port to use.
This means your SCP call would look like this:
scp -P 6188 othermachine.com/file /home/file
And now you know. Nifty.
I make heavy use of WinSCP to transfer project files across to our production servers from my Windows development machine. Recently though, I needed to switch to my Ubuntu machine here at home to carry on with my development, and needed a quick replacement in order to easily get my files across to the live servers as I would with WinSCP – in other words something with a similar functionality and more importantly, a GUI.
Turns out Ubuntu comes standard with a great solution, one you might never have noticed to boot!
Access the Place menu option from you main System Menu. Near the middle you should see a menu item entitled “Connect to Server…”.
Clicking on this will bring up a server connection dialog. Select SSH connection from the dropdown list and fill in the necessary remote server details as required.
Connect and nautilus will then take over, displaying you a folder view of the files on the server. Next it is a matter of pressing F3 to load an extra pane to the view, and there you have it – a perfect side by side folder view that allows you to painlessly pull files across, just like you would have if using WinSCP!
SCP is a powerful utility that allows us to securely copy files between remote machines. What makes it even more powerful is the ability to add it to scripts and so for today’s quick tutorial I will walk you through how you can go about either copying files from or to a remote machine with the use of SCP.
Now normally when you copy files with SCP you will be prompted for the remote machine’s password in order to continue with the copy operation. However, obviously if we wish to script with SCP we will need to get around this restriction and so we take a quick dive into the of public key cryptography.
Basically what we are going to do now is generate a public/private key pair for your local machine which is going to run the SCP function and then hand out the public to the remote machine so that the two of them can communicate quite happily with one another.
To generate the key pair, enter:
ssh-keygen -t rsa
The machine will ask you to enter a file name in which to save the generated key – just hitting enter will force it to create the key file in its default spot. It will then ask for a passphrase, which you can happily skip by just pressing enter twice.
The system will then spit out its report and reveal to you the location where it saved the key file (which always ends .pub by the way)
You then need to put the generated key data into the ~/.ssh/authorized_keys file of the user which you will be ‘logging in’ as on the remote machine.
A simple way to do this is to use the ssh-copy-id function. Simply call:
ssh-copy-id -i ~/.ssh/id_rsa.pub username@host
Once done, you can test this by ssh’ing into the remote machine and checking the existence of the ~/.ssh/authorized_keys file.
Okay, and now we are ready for the actual SCP file copy bit!
To copy files to a remote machine, simply use:
scp -v /myfilestocopy username@host:/directorytosave
Alternatively, to pull down files from a remote machine, use:
scp -v username@host:/myfilestocopy /directorytosave
Note that the -v switch isn’t necessary – I just like seeing on the screen that something is actually happening!
And there you go, as simple as that. Nifty.
Related Link: http://www.howtogeek.com/
For the most part, the default port for SSH access into a Linux machine is 22. However, many people change this default in the name of security, meaning that for most of our function usage, we simply need to use the -p port number switch when trying to access with that remote machine.
However, interestingly enough, the -p switch was never bundled with the useful ssh-copy-id function, meaning that should you try something like this:
ssh-copy-id -p221 -i ~/.ssh/id_rsa.pub username@host
you will get a reply back reading: Bad port ‘umask 077; test -d .ssh || mkdir .ssh ‘ cat >> .ssh/authorized_keys’.
Not exactly encouraging.
However, there is actually a simply way to fix this and use ssh-copy-id when interacting with a non-default port 22 machine. Simply enclose your port declaration together with the host name within quotation marks!
So the correct usage would now look like this:
ssh-copy-id -i ~/.ssh/id_rsa.pub ‘-p 221 username@host’
And damn it, it actually works! Nice.