Step 6: Change SSH server port for extra safety
As a last step and just to be sure, you should also change SSH port from 22 to something else. (any port between 10000-64000 is okay)
Make a backup of existing SSH config file.
root@kali:/etc/ssh# cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
Edit the SSH_Config file.
root@kali:/etc/ssh# vi /etc/ssh/sshd_config
Look for the following line:
#Port 22
Change the line so it looks like this:
Port 10101
Restart OpenSSH server
root@kali:/etc/ssh# service ssh restart
Next time you SSH, you use the following command:
root@kali:~# ssh [email protected] -p 10101
Where
- [email protected] = Username and Hostname where hostname can be an IP or FQDN.
- -p = Port
- 10101 = Destination Port
Conclusion:
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 connections; it can transfer files using the associated SSH file transfer (SFTP) or secure copy (SCP) protocols. SSH uses the client-server model.
The standard TCP port 22 has been assigned for contacting SSH servers. If you scan for this port using NMAP, you will see many servers has it open to the world and you can try to bruteforce it and gain access.
An SSH client program is typically used for establishing connections to an SSH daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, most distributions of GNU/Linux, OpenBSD, FreeBSD, NetBSD, Solaris and OpenVMS. Notably, Windows is one of the few modern desktop/server OSs that does not include SSH by default. Some common SSH clients includes
- PuTTY
- Cygwin
- WinSCP
and they all provide similar file management (synchronization, copy, remote delete) capability using PuTTY as a back-end.
Both WinSCP and PuTTY are available packaged to run directly off of a USB drive, without requiring installation on the client machine. Setting up a SSH server in Windows typically involves installation (e.g. via installing Cygwin, or by installing a stripped down version of Cygwin with the SSH server.
SSH is important in cloud computing to solve connectivity problems, avoiding the security issues of exposing a cloud-based virtual machine directly on the Internet. An SSH tunnel can provide a secure path over the Internet, through a firewall to a virtual machine.
Thanks for reading. Please share.
37 comments
GOOD-WORK!!!
as always .. thank you very much MY “guru”friend :-) +1
https://www.imagestime.com/show.php/956618_Screenshot20140620093707.png.html
:-)
Hi again zimmy,
Always a please seeing your comment. Glad you found it use of. :) Cheers,
-BMO
great
https://www.imoveisguarapari.com
wow awsome tutorial thanks you very much sir,
i have one qestion: how to set ssh to not keep the logs?
Thanks in advance.
Hey Volkermord,
Config’s is in
/etc/ssh/sshd_configfile.Set
LogLevel nonefor no logs and restart sshd. That should do it. Some more references here and here.Cheers,
-BMO
A little piece of advice. No matter what port you chose for SSH, make sure it’s below 1024. On Linux systems, any user can listen on ports above 1024, but only root can listen on ports below 1024. Running SSH on a port above 1024 increases a chance of crashing your SSH daemon and replacing it with some dodgy proxy etc.
Some other suggestions for “extra safety”:
Protocol 2
PermitRootLogin no
StrictModes yes
AllowUsers
DenyUsers root
DenyGroups root
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 1
X11Forwarding no
You may also be interested in DenyHosts if using password authentication for SSH.
Hi Tomas,
Below 1024 is usually a port that is registered with IANA for the applications/existing well known services (maybe unused on particular systems). See WikiPedia references here.
If you got a user in your system who can sniff traffic with malicious intentions, then you got bigger problem at hand. A user with sudo access can just enable debug on or turn on plaintext incorrect password logging .. few incorrect password retries and he’s got root password! … Agreed with the rest. PubKeyAuth is possibly second best option with DenyHosts combination (where you login via a VPN or got stationary workstation/static IP etc… etc..) My post was about enabling SSH, not security in general, but I do agree with your notion. Will update it soon. ta.
BTW, keep an eye on my site for my next post that actually addresses exactly what you’ve pointed out. I’m sure you’ll like my new post.
Thanks again for your comment, always appreciate a positive feedback. Cheers,
-BMO
Your statement is only partially correct. We use TCP ports 4 and 12 for SSH – these are unassigned.
When you have >2000 users using your Linux servers, everything happens.
You may find this post useful: https://www.lisenet.com/2013/openssh-server-installation-and-configuration-on-debian/
Great post on how to setup OpenSSH. This allowed me to take it one step further, and set up VNC over SSH.
Thanks SJ.
Hello Sec Jedi. Good job setting up the vnc ! can you share the guide with me on how to do this? and can you access this outside of your lan or only in lan ?
Excellent tutorial. Well done.
Very Nice tutorial sir, I just need to ask you that, after applying all these steps, i can access ssh-server through lan, But this is not working on internet, What might be the reason?
Your router blocking it. Either open port or setup port forwarding.
When I run ssh root@localhost it just leaves me with a blinking cursor but no prompt. Root log in is enabled in sshd_config. Any thoughts?
Hi heisenberg,
Did you restart ssh service?
Hi, Step 3 doesn’t need to be completed. I’ve compared the SSH Keys on two different installs of Kali1.10 and they have different keys by default.
Thanks for letting me know. It wasn’t the case when I wrote this article. Instead of removing step 3, I’ll mark it as optional. In that way, readers can make an informed decision. Thanks again.
Thank you for the tutorial, its so educating now my question is, how can I use my android app with Kali Linux remote SSH. I’m aware of the apps that I can download, i’m in the process of developing my own.
I am trying to access my own SSH server by doing
ssh root@localhost
then it comes up with
root@localhost’s password:
Where would you get this password?
You need to know your root password, on a default install of kali it is set to ‘toor’ but this is the first thing you should have changed.
I type my root password but it says permission denied anyway
You have to enable root login in the sshd_config file.
Generally not a good idea unless you have a reason.
Great article! Thank you for the time you took to put this together!
See below output:
root@kali2:~# service ssh status
● ssh.service – OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
Active: inactive (dead)
root@kali2:~#
I Want to start this service automatically whenever I boot my system. Let me know how to do that.
At present I am manually starting the service.
I got same problem here too. Even after following Step 2, it didn’t work. Anyone?
Great tutorial!
The only problem for me is that after root@localhost and after the password it says : Permission denied, please try again…
Solved, I changed
PermitRootLogin without-password
with
PermitRootLogin yes
In /etc/ssh/sshd_config
Solved, I changed
PermitRootLogin without-password
with
PermitRootLogin yes
In /etc/ssh/sshd_config
Hey guys i hope you respond me , i have some problemes using kali 2 ,
for any link i make is not shared with my local state any link i make ( with a real kali ip 192.168.1.xx) it works only in the kali and is not shared to other wifi’s users i tried many methodes but they didnt work i hope will help me and thank you !
well make a new one for 2.0. you need to update alot of your old very good tutorials for previous versions, now you have nothing for 2.0. killing us.
This was a great help, thank you.
Hello, is it possible, that we must also open the ssh port in kali’s firewall?
i got a problem here. i started the ssh server in linux kali.but when i try to connect from windows using putty i am asked username and passworsd. what xactly are the username and password ? i tried my linux usernmae and passwd but i got access denied. should i configure linux to allow windows??
Install openssh in Android terminal
https://youtu.be/mh6Ldvn__H4
I can confirm that on Kali Linux 2018.3a on the AWS Marketplace, the SSH keys are unique to each provisioned instance.
Anybody have any words of advice on how to perform a remote SSH session with Kali 2018.4 with an IPv6 address? Nowhere can I find an actual guide or word of help on the internet…