{"id":15051025,"url":"https://github.com/rsc86/docu-openssh-setup","last_synced_at":"2026-01-02T05:20:13.241Z","repository":{"id":218697447,"uuid":"747126921","full_name":"rsc86/Docu-OpenSSH-Setup","owner":"rsc86","description":"Documentation how to setup Open SSH-Server and Client with Debian 11 \"bullseye\"","archived":false,"fork":false,"pushed_at":"2024-01-25T18:00:12.000Z","size":19,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-20T21:52:36.963Z","etag":null,"topics":["bullseye","debian-linux","documentation","openssh","openssh-client","openssh-server"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rsc86.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2024-01-23T10:15:56.000Z","updated_at":"2024-01-23T13:51:39.000Z","dependencies_parsed_at":"2024-01-25T19:26:01.282Z","dependency_job_id":"87a2bf38-9310-4213-98e4-3f6763c32861","html_url":"https://github.com/rsc86/Docu-OpenSSH-Setup","commit_stats":null,"previous_names":["rsc86/documentation-open-ssh-setup","rsc86/docu-openssh-setup"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rsc86%2FDocu-OpenSSH-Setup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rsc86%2FDocu-OpenSSH-Setup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rsc86%2FDocu-OpenSSH-Setup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rsc86%2FDocu-OpenSSH-Setup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rsc86","download_url":"https://codeload.github.com/rsc86/Docu-OpenSSH-Setup/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243513303,"owners_count":20302924,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bullseye","debian-linux","documentation","openssh","openssh-client","openssh-server"],"created_at":"2024-09-24T21:30:32.516Z","updated_at":"2026-01-02T05:20:13.216Z","avatar_url":"https://github.com/rsc86.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Documentation-Open-SSH-Setup\nhttps://wiki.debian.org/SSH\n* **Use** SSHv2 -\u003e Set \"Protocol 2\" in the sshd config file\n* Do **NOT** allow password login -\u003e *use SSH Keys.*\n* Do **NOT** allow root login -\u003e *create a user with sudo privileges.*\n* All changes made to the config file need \"systemctl reload sshd\" to force the configuration to be reloaded.\n\n## Get help\n* man ssh\n* man sshd\n* man sshd_config\n\n## Preparation\n```\nsudo apt update \u0026\u0026 sudo apt upgrade --show-upgraded\n```\n## Installation\n\n### Server:\n```\nsudo apt install openssh-server\n```\n### Client\n```\nsudo apt install openssh-client\n```\n\n## Configuration\n\n### Create a new user on your SSH server\nhttps://manpages.debian.org/bullseye/passwd/useradd.8.en.html\nhttps://wiki.debian.org/sudo\n```\n# -m creates the home directory that ssh-copy-id needs later for ~/.ssh\nsudo useradd -m -s /bin/bash sshuser\n# set the user's password interactively (do not forget to change it)\nsudo passwd sshuser\n# sudo does not apply to a shell redirection, so write the rule with tee into a drop-in under /etc/sudoers.d\necho 'sshuser ALL=(ALL) ALL' | sudo tee /etc/sudoers.d/sshuser\n```\nCheck that you can switch to the root user with `sudo su`.\n```\nsudo vi /etc/ssh/sshd_config\n```\n#### Controlling Root Logins\nChange \"#PermitRootLogin yes\" to \"PermitRootLogin no\" then restart the ssh-server.\nIf you need root to log in, you can allow it with a key only: \"PermitRootLogin prohibit-password\" (the older spelling \"without-password\" is still accepted as an alias).\n\n#### Controlling SSH access\n* Allow access:\n  * by user: Add \"AllowUsers user1 user2 userN\" in the config file.\n  * by group: Add \"AllowGroups group1 group2 groupN\" in the config file.\n* Deny access:\n  * by user: Add \"DenyUsers user1 user2 userN\" in the config file.\n  * by group: Add \"DenyGroups group1 group2 groupN\" in the config file.\n\n#### Disable TCP Port Forwarding\nAdd \"AllowTcpForwarding no\" to the config file to prevent security issues.\nOr, if you need port forwarding, at least add \"GatewayPorts no\": this setting blocks remote requests to the forwarded ports.\nUse a local firewall on the host to deny access to unused ports.\n\n##### SSH Port Forwarding\nYou can use port forwarding if you need access to a port that is only listening on the local loopback address of the host.\nThat way you can use a client on your local machine to send encrypted requests to the appropriate port through the ssh connection to the host server.\nThe downside is that there is a reason the host has configured the port to listen only on the local loopback address.\nSo it is important to configure the client's firewall so that nobody can connect TO the client on that forwarded port to get access to the server through the forwarded port.\n```\nssh -L 5432:127.0.0.1:5432 host\n```\n\n##### Dynamic Port Forwarding /SOCKS\nTunnel traffic through an ssh connection so that the visible origin of requests is the server instead of the client.\n* Single destination: ssh -L 8080:google.com:80 host\n* Any destination (SOCKS): ssh -D 8080 host (You have to configure your web browser to use a SOCKS proxy; use 127.0.0.1:8080 on your client.)\n\n##### Reverse Port Forwarding\nUse a local firewall on your host server to block unused ports and prevent misuse.\n```\nssh -R 2222:127.0.0.1:22\n```\n\n#### Bind SSH to a specific address\nIf your ssh server has access to different networks add \"ListenAddress host_or_address1\" to the config file. You can add multiple lines if you need to listen on different networks.\nThat way you can listen only on private networks and ignore public networks.\n\n#### Change the Default Port (e.g. 2222)\nThis can reduce the number of unwanted connections, but with a port scan it is an easy task for an attacker to find the new port. Add \"Port 2222\" to the config file.\n\n#### Disable the Banner\nTo reduce information leakage add \"Banner none\" to the config file. If you need to use a banner, try not to add more information than needed (Banner /etc/issue.net).\n\n### Generate a SSH key on your client\nhttps://manpages.debian.org/bullseye/openssh-client/ssh-keygen.1.en.html\n\nUse a passphrase for the private key. That adds an additional security layer.\n```\nssh-keygen\n```\nAdd the public key to the remote host.\n```\nssh-copy-id -i ~/.ssh/id_rsa.pub hostUser@host\n```\nThis will add the key to *~/.ssh/authorized_keys* on the host.\nTo revoke access again, remove the key from that file.\n\n### Login to the server from your client\n```\nssh $remote_user@$remote_host\n```\n\n### Disable SSH password login on the server\nIf the ssh login with the key worked, turn off password authentication completely.\n\n```\nsudo vi /etc/ssh/sshd_config\n```\nChange \"#PasswordAuthentication yes\" to \"PasswordAuthentication no\" then restart the ssh-server.\n```\nsudo systemctl restart sshd\n```\n### Check service status\nhttps://manpages.debian.org/bullseye/systemd/systemctl.1.en.html\n```\nsystemctl status sshd\n```\n\n```\nsudo systemctl reboot\n```\n\n### Lock Out Attackers with fail2ban\nhttps://packages.debian.org/bullseye/fail2ban\n#### Install\n```\nsudo apt install fail2ban\n```\n#### Check service status\n```\nsystemctl status fail2ban\n```\n#### Customize configuration\n```\ncd /etc/fail2ban\nhead -20 jail.conf\n```\n```\nsudo cp jail.conf jail.local\nsudo vi jail.local\n```\n\n### Optional white-/black listing (only recommended with static client ip address)\n```\necho 'sshd: your.static.ip.address' | sudo tee -a /etc/hosts.allow\n```\n```\necho 'sshd: ALL' | sudo tee -a /etc/hosts.deny\n```\n```\nsudo systemctl restart sshd\n```\n### Optional Set Up Two Factor Authentication (with Google Authenticator)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frsc86%2Fdocu-openssh-setup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frsc86%2Fdocu-openssh-setup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frsc86%2Fdocu-openssh-setup/lists"}