1. What is the SSH Service?
SSH (Secure Shell) is a network protocol for managing Linux servers remotely over an encrypted connection. Unlike the older Telnet (which transmits everything in plaintext), SSH encrypts login credentials, commands, and data, so an attacker on the network can neither eavesdrop on the session nor tamper with it.
2. Installing the SSH Service
First, install the SSH server program on the server. Installation commands vary by Linux distribution:
- Ubuntu/Debian:
sudo apt update # Update software sources
sudo apt install openssh-server # Install SSH server
- CentOS/RHEL:
sudo yum install openssh-server # Install SSH server (yum system)
# For CentOS 8+, use dnf:
sudo dnf install openssh-server
After installation, start the SSH service and enable it to start on boot:
sudo systemctl start sshd # Start the service (Ubuntu/Debian use "ssh")
sudo systemctl enable sshd # Enable auto-start on boot
Check the service status:
sudo systemctl status sshd # If "active (running)" appears, the service is running
3. Using SSH to Connect to the Server Remotely
After installation, local machines (Windows/macOS/Linux) can connect to the server with an SSH client.
- Windows users:
- Install PuTTY (a free SSH client) or use the built-in OpenSSH client (add it via "Apps & Features" → "Optional Features").
- Open Command Prompt or PowerShell and enter:
ssh username@server_ip # Example: ssh testuser@192.168.1.100
- On the first connection you will be prompted "Are you sure you want to continue connecting?". The prompt shows the server's host key fingerprint; compare it with the fingerprint of the host key on the server before typing yes and pressing Enter, otherwise you cannot tell whether you are talking to your server or to an impostor.
- Linux/macOS users:
Enter the same command directly in the terminal:
ssh username@server_ip # Example: ssh alice@192.168.1.100
Enter the password to log in.
4. Configuring the SSH Service (Security Settings)
The core configuration file for SSH is /etc/ssh/sshd_config (same for Ubuntu/Debian and CentOS). It is recommended to back up the original file before modification:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Key Configuration Items and Their Functions:
- Modify the SSH Port (Avoid the Default Port 22)
The default port (22) is the first target of automated brute-force scans. Changing it to a non-default port between 1024 and 65535 (e.g., 2222) removes most of that noise, although it is not a substitute for the other settings below:
# Open the configuration file
sudo nano /etc/ssh/sshd_config
# Find and modify: Port 22 → Port 2222 (customize the port as needed; the line usually ships commented out as "#Port 22", so remove the "#" as well)
- Disable Root Direct Login
Direct root login is risky. Use a regular user account and then elevate privileges:
# Find and modify: PermitRootLogin yes → PermitRootLogin no
- Disable Password Login (Key Login Recommended)
Passwords can be brute-forced. To disable password login (do this only after key-based login, covered in section 6, is working, or you will lock yourself out):
# Find and modify: PasswordAuthentication yes → PasswordAuthentication no
- Allow Specific Users to Log In
Restrict SSH access to specific users to prevent unauthorized attempts:
# Add: AllowUsers username1 username2 (separate users with spaces)
AllowUsers alice bob # Only alice and bob can log in
After modifying the configuration, restart the SSH service to apply the changes (on Ubuntu/Debian the unit is named ssh). Keep your current session open and test a new connection on the new port before closing it, so that a mistake in the file does not lock you out:
sudo systemctl restart sshd # Restart the service
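The following added example (not code from the original page) applies the section 4 settings to a copy of sshd_config and reads back the effective values; the function names are assumptions, and it runs on a constructed sample file rather than on /etc/ssh/sshd_config.

```shell
# Added example: apply the section-4 hardening to a copy of sshd_config and read
# back the effective values. Function names are assumptions. Work on a copy, then
# run "sudo sshd -t -f FILE" on the result before restarting the real service.
set_option() {
    # set_option FILE KEY VALUE: replace an existing "KEY ..." or "#KEY ..." line
    # (sshd ships most keys commented out) or append the setting if it is absent.
    f=$1; k=$2; v=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$k([[:space:]]|\$)" "$f"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$k([[:space:]].*)?\$|$k $v|" "$f" \
            > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s %s\n' "$k" "$v" >> "$f"
    fi
}

get_option() {
    # get_option FILE KEY: value of the first active KEY line. sshd also keeps the
    # first value it sees, so a setting in an "Include"d file (for example
    # /etc/ssh/sshd_config.d/*.conf on newer Ubuntu) silently overrides this file.
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

harden_sshd_config() {
    # harden_sshd_config FILE PORT USER...: back up FILE, then set the options from
    # section 4 (non-default port, no root login, keys only, allow-listed users).
    file=$1; port=$2; shift 2
    cp "$file" "$file.bak"
    set_option "$file" Port "$port"
    set_option "$file" PermitRootLogin no
    set_option "$file" PasswordAuthentication no
    set_option "$file" PubkeyAuthentication yes
    set_option "$file" AllowUsers "$*"
}

# Demonstration on a constructed sample file, not on /etc/ssh/sshd_config.
demo=$(mktemp)
printf '#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo"
harden_sshd_config "$demo" 2222 alice bob
cat "$demo"
# On a real server, validate before restarting:  sudo sshd -t -f /etc/ssh/sshd_config
# On CentOS/RHEL with SELinux enforcing, also:   sudo semanage port -a -t ssh_port_t -p tcp 2222
rm -f "$demo" "$demo.bak"
```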
5. Opening the SSH Port in the Firewall
The server firewall may block SSH connections by default, especially on a non-default port. Open the custom port (e.g., 2222):
- Ubuntu/Debian (ufw firewall):
sudo ufw allow 2222/tcp # Allow port 2222 (TCP protocol)
sudo ufw reload # Reload firewall rules
- CentOS/RHEL (firewalld firewall):
sudo firewall-cmd --add-port=2222/tcp --permanent # Permanently open the port
sudo firewall-cmd --reload # Reload firewall rules
6. SSH Key Login (More Secure Method)
Key-based login replaces the password with a locally generated key pair: the private key stays on your machine and only the public key is copied to the server, so there is no password for an attacker to guess. It is the recommended setup for long-term use.
Steps:
1. Generate a key pair locally (execute on your local machine, not the server):
ssh-keygen -t ed25519 # Generate key pair (recommended algorithm, fast)
# Press Enter to accept the defaults; the keys are saved as ~/.ssh/id_ed25519 (private) and ~/.ssh/id_ed25519.pub (public). Setting a passphrase protects the private key if your machine is compromised.
2. Copy the public key to the server:
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server_ip # Enter the server password to copy the public key
3. Disable password login (modify in sshd_config, only after step 2 succeeds and a key login has been tested):
PasswordAuthentication no # Disable password login
PubkeyAuthentication yes # Enable key-based login (enabled by default)
4. Restart the service:
sudo systemctl restart sshd
Verification: the next time you log in, run ssh username@server_ip and you will be connected without entering the server password (you are asked for the key's passphrase instead, if you set one).
7. Troubleshooting Common Issues
- Connection timeout: verify the IP address, that the SSH port is open and listening, and the firewall rules.
- Permission errors: sshd refuses keys stored in group- or world-writable locations, so make sure the ~/.ssh directory on the server has permissions 700 and authorized_keys has permissions 600:
chmod 700 ~/.ssh # Directory permissions
chmod 600 ~/.ssh/authorized_keys # Public key file permissions
- Log troubleshooting: check the SSH connection log in /var/log/auth.log (Ubuntu/Debian; /var/log/secure on CentOS/RHEL) to identify the error.
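The following added example (not code from the original page) summarises sshd authentication events from auth.log lines; the log lines inside it are constructed samples in the format sshd writes, and the function names are assumptions.

```shell
# Added example: summarise sshd authentication events from auth.log-style lines.
# SAMPLE_AUTH_LOG is constructed (RFC 5737 test addresses); function names are assumptions.
SAMPLE_AUTH_LOG='Mar  3 10:15:01 server sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:03 server sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:07 server sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 40122 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:15:09 server sshd[1245]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:15:12 server sshd[1250]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2'

failed_logins_by_source() {
    # failed_logins_by_source LOGFILE [MIN]: count "Failed password" lines per source
    # address and print "count ip" for sources with at least MIN failures (default 1),
    # highest first. Repeated failures from one address are the brute-force pattern
    # that the port change, AllowUsers and key-only login in sections 4 and 6 blunt.
    awk -v min="${2:-1}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1" | sort -rn
}

accepted_logins() {
    # accepted_logins LOGFILE: print "user method source" for each successful login,
    # so an unexpected user, method (password instead of publickey) or source stands out.
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) if ($i == "Accepted") print $(i+3), $(i+1), $(i+5)
    }' "$1"
}

# Demonstration on the constructed sample. On a real Ubuntu/Debian server use
# /var/log/auth.log; on CentOS/RHEL use /var/log/secure or "journalctl -u sshd".
log=$(mktemp)
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$log"
echo "Sources with 2 or more failed passwords:"; failed_logins_by_source "$log" 2
echo "Accepted logins:"; accepted_logins "$log"
rm -f "$log"
```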
Summary
SSH is the core tool for remote management of Linux servers. The key security measures are changing the port, disabling direct root login, replacing passwords with key-based authentication, restricting which users may log in, and opening only the necessary port in the firewall. Following the steps above lets you connect to the server securely while significantly reducing its exposure to attack.