About
OpenSSH Server (sshd) is the SSH server component of OpenSSH.
It is the server that runs on most Linux hosts so that you can connect remotely on port 22 with PuTTY or any other SSH client.
Conf
Default
- Default values may be overridden, typically at service startup, by the following file:
/etc/default/ssh
Set
The OpenSSH server reads a configuration file when it is started.
# Without argument, the configuration file is read from /etc/ssh/sshd_config
sshd
# or with the -f argument, from the given path
sshd -f /path/to/conf/file
Read
# Test mode: check the configuration and dump the effective settings (one lowercase keyword per line)
sshd -T
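Since sshd -T prints the effective value of every directive, the dump is the right input for a hardening check. The following is an added example (not part of this page or of OpenSSH) that parses such a dump and reports settings outside a small baseline taken from the authentication directives shown in the sample config below; the baseline values and the sample dump are constructed for the example.

```python
import re

# Baseline assumed for this example: acceptable values per keyword (keys are
# lowercase, as sshd -T prints them). Not an OpenSSH default, just a hardening choice.
BASELINE = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
    "hostbasedauthentication": {"no"},
    "ignorerhosts": {"yes"},
    "strictmodes": {"yes"},
    "usepam": {"yes"},
}

def parse_sshd_dump(text):
    """Parse 'sshd -T' output (keyword, space, value per line); also accepts
    sshd_config style lines with comments and mixed-case keywords."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip().lower()
    return conf

def check_baseline(conf, baseline=BASELINE):
    """Return {keyword: (actual, allowed)} for every setting outside the baseline."""
    findings = {}
    for key, allowed in baseline.items():
        actual = conf.get(key, "<unset>")
        if actual not in allowed:
            findings[key] = (actual, sorted(allowed))
    return findings

# Constructed sample of an 'sshd -T' dump (not captured from a real host)
SAMPLE_DUMP = """\
port 22
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
pubkeyauthentication yes
hostbasedauthentication no
ignorerhosts yes
strictmodes yes
usepam yes
"""

if __name__ == "__main__":
    for key, (actual, allowed) in check_baseline(parse_sshd_dump(SAMPLE_DUMP)).items():
        print(f"{key}: is '{actual}', expected one of {allowed}")
```

On a real host run it against the output of sudo sshd -T rather than the file, because Match blocks and defaults only show up in the effective dump.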
Example
The system configuration file is /etc/ssh/sshd_config
It contains configuration data for sshd. The file format and configuration options are described in sshd_config(5).
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
# For ipv4
#AddressFamily inet
# For ipv6
#AddressFamily inet6
# for ipv4 and ipv6 (default)
#AddressFamily any
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/azsec/banner.txt
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# CLOUD_IMG: This file was created/modified by the Cloud Image build process
ClientAliveInterval 120
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
where:
Pam
If the configuration enables PAM (UsePAM yes), sshd delegates authentication, account and session processing to the PAM stack.
UsePAM yes
See /etc/pam.d/ssh
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
AllowUsers
If AllowUsers is present, login is allowed only for user names that match one of the listed patterns.
By default (no AllowUsers directive), login is allowed for all users.
Syntax:
AllowUsers user1@hostname user2 user3@hostname ...
where:
- user1@hostname user2 user3@hostname … is a list of patterns of the form user[@host]
- separated by spaces
- where '*' and '?' are accepted as wildcards
- numerical user IDs are not recognized (only user names)
- the host part can be an IP address (CIDR notation is accepted) or a hostname
If a pattern takes the form user@host, the user and host parts are checked separately, restricting logins to particular users from particular hosts.
The hostname is resolved from the remote client IP via the hosts file or a DNS lookup.
ping -a remoteClientIp
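The matching rules above (space-separated user[@host] patterns, '*' and '?' wildcards, CIDR or hostname on the host side, names only) as a small model in Python. This is an added example, not OpenSSH's own code; it does not model the '!' negation or Match blocks, and the function names and sample patterns are constructed for the example.

```python
import re
import ipaddress

def _glob(pattern, s):
    """Match with the '*' and '?' wildcards sshd accepts in patterns (no [] classes)."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, s) is not None

def _host_matches(pattern, hostname, ip):
    """Host part of user@host: CIDR is tested against the client IP,
    anything else as a wildcard pattern against the resolved hostname or the IP."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return _glob(pattern, hostname) or _glob(pattern, ip)

def allow_users_permits(allow_users, user, hostname, ip):
    """Return True if this login passes the AllowUsers check.

    allow_users: the directive's value, or None when the directive is absent
    user: the login name; hostname: name resolved from the client IP; ip: client IP
    """
    if allow_users is None:
        return True                      # no AllowUsers: all users allowed
    for pattern in allow_users.split():  # patterns are space separated
        if "@" in pattern:
            u, h = pattern.split("@", 1)
            if _glob(u, user) and _host_matches(h, hostname, ip):
                return True
        elif _glob(pattern, user):       # names only: a numeric UID never matches
            return True
    return False

if __name__ == "__main__":
    # constructed directive value for the demonstration
    allow = "alice bob@10.0.0.0/8 dev?@*.corp.example"
    print(allow_users_permits(allow, "bob", "?", "10.3.4.5"))        # True
    print(allow_users_permits(allow, "bob", "?", "192.168.1.1"))     # False
```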
Management
Start
It is normally started at boot (init daemon dependent).
Example:
- /etc/init.d/ssh (SysV init script)
- or /etc/init/ssh.conf (on systems using the Upstart init daemon)
# the command the init script ultimately runs (-D: do not detach, stay in the foreground)
/usr/sbin/sshd -D
Pid
/var/run/sshd.pid
Status
- Status (init daemon dependent)
/sbin/service sshd status
systemctl status sshd
Start
- Start the service (init daemon dependent)
/sbin/service sshd start
systemctl start sshd
Test it
ssh -l user-name host-name
Log
You can see the logging configuration in the conf file:
grep -i log /etc/ssh/sshd_config
# SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO
where SyslogFacility is a syslog facility (see the Syslog page).
The file a facility is written to depends on the syslog configuration:
- AUTHPRIV goes to /var/log/secure (with an rsyslog implementation)
- AUTH goes to /var/log/auth.log
Line Format
Line structure of /var/log/secure
Feb 22 08:04:59 hostname sshd[1124]: Failed password for root from 92.222.93.227 port 41068 ssh2
where:
- Feb 22 08:04:59 is the timestamp
- hostname is the host that wrote the entry
- sshd[1124] is the service and its process ID
- Failed password for root is the event description
- from 92.222.93.227 port 41068 ssh2 means the connection comes from host 92.222.93.227, source port 41068, using the SSH protocol version 2
Login Monitoring
Successful
last shows successful logins from the file /var/log/wtmp
Logins are only recorded, and therefore shown, if that file has been created.
Example:
last -10 -w -a
where:
- -10: the last 10 logins
- -w: wide output, so the full hostname/IP is not truncated
- -a: display the hostname/IP in the last column
Failure
lastb shows login failures from the file /var/log/btmp
Failures are only recorded, and therefore shown, if that file has been created.
Example:
last -10 -w -a
lastb -10 -w -a
where:
- -10: the last 10 logins / failures
- -w: wide output, so the full hostname/IP is not truncated
- -a: display the hostname/IP in the last column
Failed password
From the log
sudo grep "Failed password" /var/log/secure | head -10
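Beyond grepping, the line structure described above can be parsed so that failures are counted per source, which is what you want before deciding to block or alert. The following is an added example, not code from this page; the log lines are constructed samples (the first copies the page's example line) and the three-failure threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Line structure of /var/log/secure: timestamp, host, sshd[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Authentication outcome messages sshd writes at LogLevel INFO
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) (?P<proto>[^\s:]+)"
)

def parse_line(line):
    """Split one sshd log line into its fields; None if it is not an sshd line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    a = AUTH_RE.match(rec["msg"])
    if a:
        rec.update(a.groupdict())
        rec["invalid_user"] = rec.pop("invalid") is not None  # name unknown on this host
    return rec

def failed_by_source(lines, threshold=3):
    """Count 'Failed <method>' events per client IP; return sources at or over threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("result") == "Failed":
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines (not from a real host); the first copies the page's example
SAMPLE = """\
Feb 22 08:04:59 hostname sshd[1124]: Failed password for root from 92.222.93.227 port 41068 ssh2
Feb 22 08:05:02 hostname sshd[1124]: Failed password for root from 92.222.93.227 port 41068 ssh2
Feb 22 08:05:03 hostname sshd[1130]: Failed password for invalid user admin from 92.222.93.227 port 41102 ssh2
Feb 22 08:05:07 hostname sshd[1141]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:constructedfingerprint
Feb 22 08:05:09 hostname sshd[1150]: Failed password for bob from 10.0.0.7 port 50200 ssh2
Feb 22 08:05:10 hostname systemd[1]: Started Session 12 of user deploy.
""".splitlines()

if __name__ == "__main__":
    print(failed_by_source(SAMPLE))   # {'92.222.93.227': 3}
```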
Full Connection Detail
See also the system security log:
grep -i sshd /var/log/audit/audit.log | tail -10
For one IP
grep -i 49.232.118.194 /var/log/audit/audit.log
type=CRYPTO_SESSION msg=audit(1614025124.706:829100): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 mac=hmac-sha1 [email protected] spid=8678 suid=74 rport=40096 laddr=192.99.55.226 lport=22 exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1614025124.706:829101): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha1 [email protected] spid=8678 suid=74 rport=40096 laddr=192.99.55.226 lport=22 exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=? res=success'
type=USER_AUTH msg=audit(1614025125.784:829102): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=49.232.118.194 addr=49.232.118.194 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1614025127.502:829103): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1614025127.748:829105): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=8678 suid=74 rport=40096 laddr=192.99.55.226 lport=22 exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=? res=success'
type=USER_LOGIN msg=audit(1614025127.750:829109): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=ssh res=failed'
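The audit records above are key=value pairs with a nested, single-quoted msg body that carries op, acct, addr and res. Parsing them lets you rebuild the per-client sequence (CRYPTO_SESSION start, USER_AUTH op=PAM:authentication res=failed, USER_AUTH op=password res=failed, USER_LOGIN res=failed) shown above. This is an added example, not code from the page or from auditd; the records are constructed, modelled on the excerpt (same serials and timestamps, one extra client added), and the function names are the example's own.

```python
import re
from datetime import datetime, timezone

# type=<TYPE> msg=audit(<epoch>:<serial>): <outer key=value ...> msg='<inner key=value ...>'
HDR_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<epoch>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")

def parse_audit_record(line):
    """Flatten one auditd record (outer fields plus the quoted msg='...' body) into a dict."""
    m = HDR_RE.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]),
           "time": datetime.fromtimestamp(float(m["epoch"]), tz=timezone.utc)}
    rest = m["rest"]
    inner = re.search(r"msg='([^']*)'", rest)   # single-quoted body carries op/acct/addr/res
    if inner:
        rest = rest[:inner.start()] + rest[inner.end():]
    pairs = KV_RE.findall(rest) + (KV_RE.findall(inner.group(1)) if inner else [])
    for key, value in pairs:
        rec[key] = value.strip('"')
    return rec

def auth_timeline(lines, addr):
    """(time, type, op, res) for the session/auth/login records of one client, ordered by serial."""
    out = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec and rec.get("addr") == addr and rec["type"] in ("CRYPTO_SESSION", "USER_AUTH", "USER_LOGIN"):
            out.append((rec["serial"], rec["time"].strftime("%Y-%m-%d %H:%M:%S"), rec["type"], rec.get("op"), rec.get("res")))
    return [t[1:] for t in sorted(out)]

# Constructed sample records modelled on the excerpt above (not a real capture)
AUDIT_SAMPLE = """\
type=CRYPTO_SESSION msg=audit(1614025124.706:829100): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 mac=hmac-sha1 spid=8678 suid=74 rport=40096 laddr=192.99.55.226 lport=22 exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=? res=success'
type=USER_AUTH msg=audit(1614025125.784:829102): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=49.232.118.194 addr=49.232.118.194 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1614025127.502:829103): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1614025127.750:829109): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1614025130.100:829120): pid=8701 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="deploy" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
""".splitlines()

if __name__ == "__main__":
    for entry in auth_timeline(AUDIT_SAMPLE, "49.232.118.194"):
        print(*entry)
```

Timestamps are rendered in UTC; the epoch value in msg=audit(...) is what to correlate with the syslog line, whose local-time stamp has no zone.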