CentOS / RHEL : Install and Configure OpenSSH Server and Client

Introduction

OpenSSH is the open-source implementation of the SSH (Secure Shell) protocol: a suite of tools for secure remote access and file transfer between systems. The suite includes:

  • ssh: Secure shell client; logs in to, or runs a command on, a remote system
  • scp: Secure copy
  • sftp: Secure file transfer (an FTP-like interface carried over SSH)
  • sshd: The OpenSSH daemon (the server side)
  • ssh-keygen: Creates and manages host and user authentication key pairs (RSA, named for its designers Rivest, Shamir, and Adleman; ECDSA, the Elliptic Curve Digital Signature Algorithm; and Ed25519)

Unlike older tools such as telnet, rcp, rsh, rlogin, and ftp, which send everything including passwords in clear text, OpenSSH encrypts all traffic between the client and the server. Each connection negotiates fresh session keys known only to the two endpoints, and the client verifies the server's host key so that an attacker in the path cannot silently impersonate it.

OpenSSH 7.x, including the 7.4 release shipped with CentOS/RHEL 7, only serves SSH protocol version 2 (SSH2); the original protocol version 1 has known cryptographic weaknesses and has been removed. OpenSSH also provides a secure way to run graphical applications over the network through X11 forwarding, and can tunnel otherwise insecure TCP protocols through port forwarding.

 

I- Install OpenSSH Server

1. To begin configuring a system as an OpenSSH server, install the following packages (on a standard CentOS 7 installation they are already present):

# yum install openssh
# yum install openssh-server

2. Start the sshd daemon:

# systemctl start sshd

3. Use the systemctl command to automatically start the sshd service at boot time:

# systemctl enable sshd

II- Configure OpenSSH Server

Properly configuring the sshd configuration file hardens the server. The settings most often changed are disabling root logins, limiting logins to named users, and moving sshd to a non-standard port (which mostly cuts the noise from automated scanners rather than adding real security on its own).

To edit these settings access the /etc/ssh/sshd_config file:

sudo vim /etc/ssh/sshd_config

Once you access the file by using a text editor (in this example we used vim), you can disable root logins and edit the default port number:

  • To disable direct root logins (administrators log in as a normal user and use sudo):

PermitRootLogin no

  • To limit logins to named accounts (anyone else is refused even with a valid password or key; the names here are placeholders):

AllowUsers alice bob

  • To run sshd on a non-standard port. For example:

Port 2002

On CentOS 7 with SELinux enforcing, sshd may only bind to ports labelled ssh_port_t, so label the new port with the semanage tool (from the policycoreutils-python package) before restarting, or sshd will fail to start.

Remember to uncomment the lines that you edit by removing the leading # (hash). sshd uses the first uncommented occurrence of each keyword, so a commented default left in place below your edit is harmless, but an active duplicate above it would win.

Save and close the file. Before restarting, check the new configuration with sshd -t; it reports syntax errors without touching the running daemon, and a broken sshd_config that stops sshd from starting will lock you out of a remote machine. Then restart sshd (open sessions are not dropped, so keep yours open and verify a fresh login on the new port before closing it):

systemctl restart sshd
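The following script applies the three settings above in one step. It is an added example, not code from the original article: the file helpers take a path argument so the editing logic can be exercised on a scratch copy, and only the --apply branch touches /etc/ssh/sshd_config, labels the port for SELinux, validates with sshd -t and restarts. The port 2002, the user names and the backup file name are illustrative assumptions.

```bash
#!/bin/bash
# Added example (not from the original article): idempotently set the
# sshd_config options discussed above, then validate and restart sshd.
# Port, user names and backup path are assumptions for illustration.

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." or commented "#KEY ..." line as "KEY VALUE"
# (sshd honours the first uncommented occurrence of a keyword) and appends
# the line if the keyword does not occur at all. Keywords inside a "Match"
# block are not special-cased.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0 }
        !done {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # drop a leading "#", if any
            split(line, f, " ")
            if (tolower(f[1]) == lk) { print key " " value; done = 1; next }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
    # "cat >" instead of "mv" keeps the original owner, mode and SELinux label
}

# get_sshd_option FILE KEY -> effective global value (first uncommented
# occurrence before any Match block); empty if the keyword is unset
get_sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            print; exit
        }' "$1"
}

# harden_sshd FILE PORT [USER...] : the three settings from the article
harden_sshd() {
    local cfg="$1" port="$2"
    shift 2
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" Port "$port"
    if [ $# -gt 0 ]; then
        set_sshd_option "$cfg" AllowUsers "$*"
    fi
}

if [ "${1:-}" = "--apply" ]; then
    cfg=/etc/ssh/sshd_config
    port="${2:-2002}"
    shift
    [ $# -gt 0 ] && shift          # what remains are the permitted user names
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd "$cfg" "$port" "$@"
    # SELinux (enforcing by default on CentOS 7) only lets sshd bind ports
    # labelled ssh_port_t; semanage comes from policycoreutils-python.
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null ||
        semanage port -m -t ssh_port_t -p tcp "$port"
    # sshd -t parses the new file; a syntax error aborts before the restart,
    # which is what keeps a typo from locking you out of a remote box.
    sshd -t && systemctl restart sshd
else
    echo "usage: $0 --apply [PORT] [USER...]   (edits /etc/ssh/sshd_config)" >&2
fi
```

Run it as root with `./harden-sshd.sh --apply 2002 alice bob` from a session you keep open, then confirm a new login on port 2002 works before closing it. The helpers rewrite the first matching line rather than appending, which is why the commented stock defaults (`#Port 22`, `#PermitRootLogin yes`) are turned into live settings instead of being shadowed by a duplicate further down.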

 

FIREWALL SETTINGS

After changing the port, open it in the firewall; otherwise new connections are refused even though sshd is listening. Note that CentOS 7 manages its firewall with firewalld by default: the /etc/sysconfig/iptables file described below is only consulted when firewalld is disabled and the firewall is run by the iptables-services package. With firewalld active, edits to that file have no effect.

You can also restrict which source addresses may reach the port, which shrinks the exposed attack surface considerably.

To restrict IP access, edit the iptables file by typing:

sudo vim /etc/sysconfig/iptables

To allow access using the port defined in the sshd config file, add the following line to the iptables file, above the final catch-all REJECT rule (iptables stops at the first matching rule, so an ACCEPT placed after the REJECT never takes effect). The chain name must match the one your file already uses: older Red Hat rulesets use RH-Firewall-1-INPUT, while the iptables-services default on CentOS 7 uses INPUT:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2002 -j ACCEPT

To restrict access to a specific IP, for example 133.123.40.166, edit the line as follows:

-A RH-Firewall-1-INPUT -s 133.123.40.166 -m state --state NEW -p tcp --dport 2002 -j ACCEPT


If your site uses IPv6, add the same rule to /etc/sysconfig/ip6tables (restricting by source works the same way, with an IPv6 address after -s):

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2002 -j ACCEPT

Save and exit the file by pressing Escape (Esc) on your keyboard and typing:

:wq

Press Enter to confirm. (Use :wq or :x, both lowercase; in vim the uppercase :X command prompts for an encryption key instead of saving.)

Restart iptables to apply the changes (and ip6tables if you edited that file as well; both services come from the iptables-services package):

sudo systemctl restart iptables
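The script below is an added example, not part of the original article. It builds the ACCEPT rule shown above for any chain, port and optional source address, and inserts it into an /etc/sysconfig/iptables-style file ahead of the catch-all REJECT, since a rule appended after the REJECT is never reached. The --apply branch detects whether firewalld or iptables-services owns the firewall and uses firewall-cmd in the first case. The port 2002, the source address and the INPUT chain name are assumptions.

```bash
#!/bin/bash
# Added example (not from the original article): open the SSH port in the
# firewall, optionally restricted to one source, placing the iptables rule
# before the catch-all REJECT. Port, source and chain name are assumptions.

# ssh_accept_rule CHAIN PORT [SOURCE]  -> prints one iptables rule line
ssh_accept_rule() {
    local chain="$1" port="$2" src="${3:-}" rule
    rule="-A $chain"
    if [ -n "$src" ]; then
        rule="$rule -s $src"
    fi
    printf '%s -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' "$rule" "$port"
}

# insert_before_reject FILE RULE
# Inserts RULE before the first REJECT/DROP rule of the same chain, or before
# COMMIT if the chain has no catch-all. Does nothing if RULE is already there.
insert_before_reject() {
    local file="$1" rule="$2" tmp
    if grep -qxF -- "$rule" "$file"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v rule="$rule" '
        BEGIN { split(rule, r, " "); chain = r[2]; done = 0 }
        !done && $1 == "-A" && $2 == chain && /-j (REJECT|DROP)/ { print rule; done = 1 }
        !done && $1 == "COMMIT" { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
    port="${2:-2002}"
    src="${3:-}"
    if systemctl is-active --quiet firewalld; then
        # CentOS 7 default: firewalld owns the ruleset and edits to
        # /etc/sysconfig/iptables are ignored, so use firewall-cmd instead.
        if [ -n "$src" ]; then
            firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"tcp\" accept"
        else
            firewall-cmd --permanent --add-port="$port/tcp"
        fi
        firewall-cmd --reload
    else
        # iptables-services: edit the saved ruleset, then reload it. The stock
        # CentOS 7 file uses the INPUT chain; change it to RH-Firewall-1-INPUT
        # if that is what your file contains.
        insert_before_reject /etc/sysconfig/iptables "$(ssh_accept_rule INPUT "$port" "$src")"
        systemctl restart iptables
    fi
else
    echo "usage: $0 --apply [PORT] [SOURCE_CIDR]" >&2
fi
```

Run as root with `./open-ssh-port.sh --apply 2002 133.123.40.166` to admit only that address, or without the third argument to open the port to everyone. Do this from a session that is already established: the ESTABLISHED,RELATED rule keeps it alive while you confirm that a fresh connection to the new port is accepted.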

 

III- Configure OpenSSH Client

1. To configure a system as an OpenSSH client, install the following packages (these are installed by default):

# yum install openssh
# yum install openssh-clients

2. There are no services to start for OpenSSH clients. If the server was moved to a non-standard port, clients must specify it, for example with ssh -p 2002 user@server, or by setting Port for that host in ~/.ssh/config.

CONCLUSION

In this tutorial, we installed and enabled sshd on a CentOS 7 server, hardened its configuration by disabling root logins, limiting logins to named users and moving the daemon to a non-standard port, and adjusted the firewall to admit only that port (and, optionally, only chosen source addresses).

Your CentOS 7 server can now accept SSH connections.