Utilizing SSH on Ubuntu! A Comprehensive Guide to Connection, Port Changes, and Public Key Authentication

By 佐川 直弘 | Naohiro Sagawa (運営者)

※記事内に広告を含みます。Amazonアソシエイトとして適格販売により収入を得ています。　

1. Introduction

By using SSH on Ubuntu, you can securely access and manage your server or PC remotely. This guide explains everything from the basics of SSH to installing an SSH server on Ubuntu, security measures, and troubleshooting. It is designed to be beginner-friendly and easy to understand.

What is SSH?

SSH (Secure Shell) is a protocol that allows secure remote connections over a network. Unlike traditional Telnet or FTP, SSH encrypts data to significantly reduce the risk of eavesdropping and tampering.

Main Use Cases of SSH on Ubuntu

SSH is commonly used on Ubuntu for the following purposes:

• Remote Server Management: Operate an Ubuntu server from a remote location.
• File Transfer: Securely transfer files using SCP or SFTP.
• Port Forwarding: Establish a secure remote connection.

What You Will Learn in This Guide

• Basic concepts and workings of SSH
• How to install an SSH server on Ubuntu
• SSH connection settings and troubleshooting
• Security measures for SSH

2. Basic Concepts of SSH

To use SSH effectively, it is important to understand its basic concepts. This section explains how SSH works and the different authentication methods.

How SSH Works

SSH is a protocol that establishes a secure connection between a client and a server. By default, it uses TCP port 22 for encrypted communication.

Main Features

• Remote Login: Execute commands on a server.
• File Transfer: Securely send data using SCP or SFTP.
• Port Forwarding: Connect to other services via SSH.

SSH Authentication Methods

SSH mainly supports two authentication methods:

Password Authentication

• Login using a username and password.
• Easy to use but vulnerable to brute force attacks.

Public Key Authentication

• Authentication using a public and private key pair.
• More secure and recommended over password authentication.

Advantages of SSH

• Data Encryption: Protects communication from interception.
• Easy Remote Management: Accessible from anywhere.
• Enhanced Security: Helps prevent unauthorized access.

3. Installing an SSH Server on Ubuntu

To use SSH on Ubuntu, you need to install the OpenSSH server. This section explains the installation steps and basic configuration.

Installing OpenSSH Server

You can install the OpenSSH server on Ubuntu with the following command:

sudo apt update
sudo apt install openssh-server

After installation, check if the SSH service is running:

sudo systemctl status ssh

Starting and Checking the SSH Service

To manually start or stop the SSH service, use the following commands:

# Start SSH
sudo systemctl start ssh

# Enable SSH to start automatically on reboot
sudo systemctl enable ssh

# Stop SSH
sudo systemctl stop ssh

Configuring UFW (Uncomplicated Firewall)

If UFW is enabled by default, SSH connections may be blocked. Allow SSH access by running:

sudo ufw allow ssh
sudo ufw enable

4. Configuring SSH Connections

To use SSH securely, proper configuration is essential. This section explains how to set up public key authentication.

Generating a Key Pair

On the client side, run the following command to create a public and private key pair:

ssh-keygen -t rsa -b 4096

By default, the private key is saved in ~/.ssh/id_rsa, and the public key is saved in ~/.ssh/id_rsa.pub.

Copying the Public Key to the Server

Transfer the generated public key to the SSH server:

ssh-copy-id username@server-ip

Alternatively, manually copy the key using SCP:

scp ~/.ssh/id_rsa.pub username@server-ip:~/

On the server, move the public key to the correct directory:

mkdir -p ~/.ssh
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
rm ~/id_rsa.pub

Editing the sshd_config File

Enhance security by modifying the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Update the following settings:

# Disable password authentication (enable public key authentication only)
PasswordAuthentication no

# Disable root login
PermitRootLogin no

# Change the default SSH port (example: 2222)
Port 2222

After making changes, restart the SSH service:

sudo systemctl restart ssh

5. Connecting to an SSH Server

Once the SSH server is set up, you need to connect to it from a client machine. This section explains basic SSH connection methods and handling port changes.

Basic SSH Connection Command

To connect to an SSH server from a client, use:

ssh username@server-ip

For example, if the server’s IP is 192.168.1.10 and the username is ubuntu, enter:

ssh ubuntu@192.168.1.10

On the first connection, you will see a fingerprint verification prompt. Type “yes” to accept and continue.

Connecting with a Custom Port

If the default port (22) has been changed, specify the port using the -p option:

ssh -p 2222 ubuntu@192.168.1.10

Connecting with a Private Key

If using public key authentication, specify the private key with the -i option:

ssh -i ~/.ssh/id_rsa ubuntu@192.168.1.10

Running Remote Commands via SSH

You can execute remote commands without logging into the server interactively:

ssh ubuntu@192.168.1.10 "ls -lah /home/ubuntu"

This is useful for automation and remote management.

Transferring Files with SCP

Use SSH to transfer files between a local PC and a remote server.

From Local to Remote

scp filename username@server-ip:/remote/directory

Example:

scp myfile.txt ubuntu@192.168.1.10:/home/ubuntu/

From Remote to Local

scp username@server-ip:/remote/file ./local/directory

Example:

scp ubuntu@192.168.1.10:/home/ubuntu/myfile.txt ./

Managing Files with SFTP

Use SFTP for file management over SSH:

sftp ubuntu@192.168.1.10

Once connected, you can use commands such as:

ls        # List files
cd        # Change directory
put file  # Upload file from local to remote
get file  # Download file from remote to local
exit      # Exit SFTP session

6. Troubleshooting SSH Connections

SSH connection issues are common. This section covers typical problems and their solutions.

Common SSH Connection Errors and Fixes

If SSH fails to connect, consider the following causes:

1. SSH Server Is Not Running

Check if the SSH server is active:

sudo systemctl status ssh

Solution:

• If the server is not running, start it with:

sudo systemctl start ssh

• Ensure SSH starts automatically on reboot:

sudo systemctl enable ssh

2. Firewall (UFW) Is Blocking SSH

If UFW (Uncomplicated Firewall) is enabled, it might block SSH access.

Solution:

• Check current UFW settings:

sudo ufw status

• Allow SSH connections:

sudo ufw allow ssh

(If using a custom port, run sudo ufw allow <port>)

• Restart UFW:

sudo ufw reload

3. SSH Port Number Has Changed

If SSH is running on a different port, ensure you specify the correct port when connecting.

Solution:

• Verify the configured SSH port:

sudo grep Port /etc/ssh/sshd_config

• Use the correct port when connecting:

ssh -p 2222 username@server-ip

4. Incorrect SSH Key Permissions

Incorrect file permissions for SSH keys can cause authentication failures.

Solution:

• Ensure the private key has correct permissions:

chmod 600 ~/.ssh/id_rsa

• Ensure the authorized keys file is set correctly:

chmod 644 ~/.ssh/authorized_keys

5. Checking SSH Logs

To diagnose SSH issues, check the logs:

sudo journalctl -u ssh --no-pager | tail -n 20

For real-time log monitoring:

sudo tail -f /var/log/auth.log

7. Enhancing SSH Security

SSH is a powerful remote access tool, but without proper security measures, it can become a target for unauthorized access and brute-force attacks. This section explains recommended configurations to enhance SSH security.

1. Disable Password Authentication and Use Public Key Authentication

By default, SSH allows password authentication, which increases the risk of brute-force attacks. Switching to public key authentication enhances security.

Steps

1. Edit the sshd_config file:

sudo nano /etc/ssh/sshd_config

2. Modify (or add) the following settings:

PasswordAuthentication no
PubkeyAuthentication yes

3. Restart the SSH service:

sudo systemctl restart ssh

This ensures SSH only accepts authentication via public keys. Be sure to set up public key authentication before applying this change.

2. Change the Default SSH Port

Using the default SSH port (22) makes it an easy target for attacks. Changing the port enhances security.

Steps

1. Open the sshd_config file:

sudo nano /etc/ssh/sshd_config

2. Modify the port number (e.g., change to 2222):

Port 2222

3. Allow the new port through the firewall:

sudo ufw allow 2222/tcp

4. Restart the SSH service:

sudo systemctl restart ssh

5. Test the new port:

ssh -p 2222 username@server-ip

3. Disable Root Login

By default, the root user can log in via SSH, which poses a security risk. It is recommended to allow only specific users to connect.

Steps

1. Open the sshd_config file:

sudo nano /etc/ssh/sshd_config

2. Modify the following setting:

PermitRootLogin no

3. Restart the SSH service:

sudo systemctl restart ssh

4. Prevent Brute-Force Attacks with Fail2Ban

Fail2Ban monitors login attempts and blocks IP addresses after multiple failed authentication attempts.

Installation and Configuration

1. Install Fail2Ban:

sudo apt install fail2ban -y

2. Copy the default configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

3. Edit jail.local:

sudo nano /etc/fail2ban/jail.local

4. Modify the settings under [sshd]:

[sshd]
enabled = true
maxretry = 5
bantime = 600
findtime = 600

• maxretry: Maximum allowed login attempts.
• bantime: Time (in seconds) an IP will be blocked.
• findtime: Time window (in seconds) for counting failed attempts.

1. Restart Fail2Ban:

sudo systemctl restart fail2ban

6. Check Fail2Ban status:

sudo fail2ban-client status sshd

8. Frequently Asked Questions (FAQ)

This section addresses common questions and issues when using SSH.

Q1: Why is SSH connection being refused?

Possible causes:

• SSH service is not running → Check with sudo systemctl status ssh
• Firewall is blocking SSH → Allow SSH with sudo ufw allow ssh
• Using a custom port → Connect using ssh -p <port> username@server-ip

Q2: How to change the SSH default port?

Modify the sshd_config file:

sudo nano /etc/ssh/sshd_config

Change the port:

Port 2222

Then restart SSH:

sudo systemctl restart ssh

Q3: How to enable only specific IPs to access SSH?

Modify the firewall settings:

sudo ufw allow from 192.168.1.100 to any port 22

Or use sshd_config:

AllowUsers username@192.168.1.100

9. Conclusion

This guide covered everything from SSH basics to security enhancements. Here are the key takeaways:

• Use public key authentication instead of passwords.
• Change the default SSH port for better security.
• Disable root login to prevent unauthorized access.
• Use Fail2Ban to block brute-force attacks.
• Monitor SSH logs for troubleshooting.

Additional Resources

• Ubuntu Official SSH Guide
• OpenSSH Official Manual

By following these best practices, you can maintain a secure and efficient SSH environment. 🚀