2.4 VPS Initial Steps and Setting Up SSH

Now that we know some of the basics of how to use VMM and Cockpit, we are ready to review the initial steps for configuring a new VPS. We will do these steps on ns01 and you can repeat these steps on your own ns01 and ns02. Open VMM and right click on ns01 and select Run. Then click Open. Then log in with your username and password.

Update and Upgrade

One of the first and most important steps with any new Linux operating system is to update the system. On our LMDE Desktop laptop, we did this with the Linux Mint Updater. On our VPS, we will have to use the VPS terminal. Type:

sudo apt update

Then press Enter. Then enter your password and press Enter again. When the update is done, type:

sudo apt upgrade

Then press Enter. Then enter your password and press Enter again. Upgrade may add extra functions. In this case, neither the update nor the upgrade was really needed. Our VPS is up to date.

Set Up SSH to connect to a remote Linux server
SSH stands for Secure Shell. It is a tool used to connect a client which is your home or office computer to a Linux server which may be located 1000 miles away. SSH allows you to securely transfer files and programs to the server and change the settings on the server. SSH is a way to access your VPS remotely from your home or host computer terminal rather than from the VPS terminal.

Prerequisites
Before you can establish a secure connection with a remote server there are a few basic requirements to meet:

1. Your home computer and server SSH applications need to be installed and enabled.

2. The remote server must be turned on and have a network connection and be set up to listen to the correct SSH port or channel.

3. You need the IP address or the name of the remote server you want to connect to.

4. You need to have the necessary permissions to access the remote server.

5. Firewall settings need to allow the remote connection.

6. While you can typically connect to the Internet via a WIFI wireless connection, if possible, use a wired Ethernet connection that is plugged directly into your router. This is especially important if you have a marginal WIFI signal. Ethernet is much more secure and more stable than WIFI.

How SSH Works

In order to establish an SSH connection, you need two components: a home computer SSH component and a server-side SSH component. An SSH client is an application you install on your home computer which you will use to connect to a server. The client uses the remote server information to initiate the connection and if the credentials are verified, an encrypted connection is established between the client and the server.

On the server’s side, there is a component called an SSH daemon that is constantly listening to a specific IP port for possible client connection requests. Once a client initiates a connection, the SSH daemon will respond and the two will exchange their identification data. If the provided credentials are correct, SSH creates a new session to connect you to your remote server.

How to Enable an SSH Connection
Since creating an SSH connection requires both a client and a server component, you need to make sure they are installed on both the local and the remote computer.

OpenSSH is an open source SSH tool that is widely used on Linux distributions. Installing OpenSSH is relatively easy. It requires access to the terminal on the server and the computer that you use for connecting. Note that Debian does not have the SSH server installed by default.

How to Install an OpenSSH Client on your Home computer
Before installing an SSH client, you should make sure it is not already installed on your Linux computer - as some Linux distributions come with an SSH client already installed. For Windows machines, you can install a program called PuTTY which is an SSH client. However, you should be aware that Windows computers are not secure and cannot be made secure. I therefore do not recommend using a Windows computer to communicate with a Linux server. Instead, you should first change at least one of your Home computers from Windows to Linux and use the Linux computer to connect to your Linux server so that the entire process of controlling your online business data is protected by the Linux operating system.

To check if the SSH client is already installed on your Linux home or business computer, open the Linux terminal on your Home computer and type:

ssh

Then press Enter. If the client is installed, you will receive a response that looks like this:

username@host:~$ ssh

usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]

[-b bind_address] [-c cipher_spec] [-D [bind_address:]port]

….

Note that the user name is the name you use to log into your computer and host is the name of your computer as is shown before the prompt on your terminal. If you see a response, then ssh is already installed on your home Linux computer. Linux Mint Debian Edition 4 comes with SSH already installed. Close the terminal.

If you do not see this response or something like it, you can easily install the OpenSSH client by typing the following into your terminal:

sudo apt-get install openssh-client

Then press Enter. Type your password. Then press Enter again.

If you already have ssh installed on your home computer, then you should check the hidden ssh folder to make sure that it does not already contain any existing keys from previous connections that might interfere with the new connection. To do this, open your file manager, right click and click Show Hidden folders. Then scroll down to the hidden folders and open the .ssh (dot ssh) folder. Then open the known_hosts file. Delete any ssh keys that might be there. Then save and close this file. Then right click on the file manager screen and uncheck Show Hidden Files. If there is not yet a dot ssh folder, then there are not yet any hidden ssh keys to worry about. Close the file manager.

How to Install OpenSSH on your Linux Server
In a previous article, we have explained the benefits of installing and using the Debian operating system to create a Debian server. One of the steps in the installation process is to check a box to install SSH on your new Debian server. If you checked that box, then SSH is already installed. To confirm this, open the Debian server and log in. Then type ssh after the prompt and press Enter. The terminal should reply with something that looks like this:

[Screenshot: the reply to the ssh command in the server terminal]

Note that the server username above is david and the server host name is ns01. Your server will have a different username and host name. If you are working with a real server, such as a Virtual Private Server on a cloud hosting account, you can access the server by logging into your hosting account.

Connect Your Server to Local Host

Another option to test whether SSH is installed on your remote server is to try to connect your server to the local host. In your server terminal, type ssh localhost and press Enter. For a server without SSH installed, the response will look like this:

username@host:~$ ssh localhost

ssh: connect to host localhost port 22: Connection refused

username@host:~$

To install SSH on your server, type the following in the terminal:

sudo apt-get install openssh-server

Press Enter. Type in your password. Then press Enter again. Then type Y after the prompt. Then run the ssh localhost command again.

For a server with SSH installed, the response will look like this:

username@host:~$ ssh localhost

The authenticity of host 'localhost (127.0.0.1)' can't be established.

ECDSA key fingerprint is SHA256:9jqmhko9Yo1EQAS1QeNy9xKceHFG5F8W6kp7EX9U3Rs.

Are you sure you want to continue connecting (yes/no)?

You should type in yes. If you wait more than about two minutes to type yes, the server will not accept your response. There is a way to increase this time limit which we will review in a minute. Type:

yes

The server will respond with: Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

username@localhost’s password:

The password you need to enter here is your server password, not the password from your home computer. After entering the server password, press Enter. The server terminal will then reply with the normal server login response ending with the terminal prompt

username@host:~$

We next need the IP address of your VPS. Type ip addr and press Enter.

The IP address for ns01 is 192.168.122.36. This is not yet a static IP address and thus can change. But we will deal with this issue later.

Now that we know the IP address of our VPS, power off the virtual machine by typing: sudo poweroff

Enter your server password. Then press Enter.

Set Up your Debian Practice Server SSH Network
Before we set up our server network, it is useful to determine our IP address on our Home or Host computer.

Determine your Home Computer IP address
Open a terminal on your host computer (your home computer) and type ip addr

[Screenshot: ip addr output in the home computer terminal]

There are likely to be several connections. The first IP address is 127.0.0.1 which is the IP address for localhost. The second connection is called eno1. This is our Ethernet connection. The IP address is 192.168.1.41. Close your home computer terminal. Now that we know our IP address, we are ready to set up a connection to our practice Debian server.

Connect via SSH
SSH is like making a secure phone call from your home computer to your remote server. You typically connect remotely to the server via SSH to interact with it. Recall that the IP address for our server was

192.168.122.36

Turn on your server but do not log in. Then open your home computer terminal. The command from a terminal on your host or home Linux computer to create this connection is: ssh <username>@ip-address.

For example: ssh david@192.168.122.36

Press Enter. Because this is the first time you are connecting via SSH with your server remotely, your home terminal will respond with

“The authenticity of host 192.168.122.36 can not be established. Are you sure you want to continue connecting?”

Type yes. Then press Enter.

The terminal will reply with

Warning: Permanently added 192.168.122.36 to the list of known hosts.

david@192.168.122.36’s password:

Enter the server password. Then press Enter.

The terminal on your home computer will respond with the same start information that is given on the practice server terminal. Note the change in the prompt. Instead of david at debian, it is now david at ns01.

Congratulations. You have now established an SSH connection to your practice server.

Hint: In the future, if the username on your home computer is the same as the username on your server, you can start an SSH session from your home computer with just ssh 192.168.122.36. You do not need to add your username.

One benefit of using SSH has to do with copy and paste. You may not be able to copy and paste some commands from your home computer into your server terminal, but you can paste these commands into your home computer terminal during an SSH session. So it is wise to learn and use SSH.

Configure your Server SSH Configuration File Port On
While we are using an SSH session, let’s make some changes to our VPS SSH configuration file. The server SSH config file is usually located at /etc/ssh/sshd_config. So type or copy and paste:

sudo nano /etc/ssh/sshd_config

Change Your Home Terminal Background Color
Because this file may be hard to read, let’s change the background color of our Home terminal. This will also help us tell our Home terminal from our VPS terminal. Click Edit, Preferences. Then click the Colors tab. Uncheck use colors from the system theme. Then change the theme to Black on White.


Then click Close. Here is the file:

[Screenshot: /etc/ssh/sshd_config open in nano]

To scroll down the page, use the down arrow on your keyboard. The instructions explain that all of the values in this file have been commented out by placing a hash (#) in front of each line. To make a line active, we delete the hash. Because this is a practice server and we want it to listen to the default channel, which is Port 22, we will delete the hash in front of the line Port 22.

Had this been a real server, we would replace Port 22 with a much higher Port number as an added security measure. For now, just delete the hash and we will use Port 22. Use the down arrow on your keyboard to scroll down the screen to the hash tag to the left of Port 22 and click Delete on your keyboard.

Then scroll down to the line that says LoginGraceTime 2m

Delete the hash and increase the time to 6m

Then use the down arrow to go to the very end of the file. Then scroll back up a few lines. Here are the lines we want to change:

[Screenshot: the lines to change near the end of sshd_config]

Use the up or down arrow to go to

#ClientAliveInterval 0

Delete the hash (#) and change the value to:

ClientAliveInterval 120

Then for the line below it, just delete the hash.

This will now send a client alive message every 120 seconds or every 2 minutes and will send this message if needed up to 3 times.

Press control plus the letter o then press Enter to save the file.

Then press control plus the letter x to close the file.

This will return us to our Debian server prompt.

Use sudo poweroff to close the server. Then close your Home terminal. Then use VMM to start the VPS again. But do not log in. This will help the changes we made to the configuration file above take effect.

Use the Shortcut Method to log into your Remote Server
If the username on your local machine matches the one on the server you are trying to connect to, on your home computer terminal, you can just type:

ssh server_ip_address

Then press Enter to establish an SSH connection.

Since the user name for my home computer is david and the username for my practice server is also david, let’s give this a try. First, turn on your server but do not log in. Here is what I enter on my home terminal:

ssh 192.168.122.36

Then press Enter. Then enter your server password and press Enter. Note the change in the prompt to david at ns01.

Type in your home terminal: ip addr

Then press Enter. It should reply with the server IP address and not the IP address for your home computer. To get more information about the server host name, type: hostnamectl

Then press Enter. It will reply with the host name ns01.

How to Change the Default SSH Port on Your Debian Server

One of the simplest things you can do to secure your server is to change the SSH port from Port 22 to a much higher port number. Since SSH defaults to Port 22, you will see a lot of brute force attacks occurring over that port as a lot of users do not change this default SSH port.


By default, SSH runs on port 22. Since this is common knowledge, this port is a target for brute force attacks where hackers use special programs to determine your password and then log in to your Port 22. Because this SSH port provides full access to your server, hackers target port 22. Changing the default SSH port will prevent many but not all automated attacks. To protect your server from a brute force attack, you should change the default SSH port to a much higher number.

Connect to your Server via SSH
First make sure your server is running by turning on VMM and then starting your server. You do not need to log in. Then open a terminal on your home computer and type (replace the IP address with the IP address of your server).

ssh 192.168.122.36

You will be prompted for the server password. Type it in and press Enter. You have now started an SSH session and can use your Home computer terminal to enter commands remotely in your server.

Step 1: Choose a new port number
In Linux, port numbers below 1024 are reserved for well-known services and can only be bound to by root. To avoid issues with port allocation in the future, choose a port above 1024. In this example, we will change the SSH port to 8083 as that is the default port Hestia uses for log in after it is installed, but you can choose any port number you want.

Step 2: Adjust Firewall to your New Port Number
The default firewall in Debian is called iptables. (Actually, it is now called nftables but the process for changing port numbers is still the same). To change iptables to open the new port, copy and paste the following into your server terminal (from SSH on your home computer):

sudo iptables -A INPUT -p tcp --dport 8083 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Then press Enter. Enter your server password and press Enter again.

Step 3: Change your Server SSH Configuration File
Open the server SSH configuration file with:

sudo nano /etc/ssh/sshd_config

Press Enter. Enter your server password and press Enter again. Then change the port number near the top of the file from 22 to 8083 or whatever number you would like to use, provided it is a port another program does not run on. Then save the file with control plus o and press Enter, and close the file with control plus x.
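
The sshd_config edits made by hand in nano, both here and in the earlier configuration section (Port, LoginGraceTime, ClientAliveInterval and the line below it), can also be scripted. The following is an added example, not part of the original tutorial; the function names and the sample file are made up for illustration. It assumes the line below ClientAliveInterval is the stock ClientAliveCountMax 3 and that the file has no active Match blocks.

```shell
#!/bin/sh
# Added example: scripted version of the sshd_config edits done by hand in nano.

# set_sshd_option FILE KEY VALUE
# Turns the first "KEY ..." or "#KEY ..." line into "KEY VALUE". sshd keeps the
# first value it reads for a keyword, so later active duplicates are commented
# out. If the keyword is missing, the directive is appended.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        # "#Port 22" (no blank after the hash) is a commented default;
        # "# some text" is prose and is left alone.
        BEGIN { pat = "^[ \t]*#?" tolower(key) "[ \t]+" }
        tolower($0) ~ pat {
            if (!done)                  { print key " " value; done = 1 }
            else if ($0 !~ /^[ \t]*#/)  { print "#" $0 }
            else                        { print }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are kept
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the value sshd would use (first active line).
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# The settings chosen in this tutorial; PORT is 22 for practice, 8083 later.
apply_tutorial_settings() {
    set_sshd_option "$1" Port "$2" &&
    set_sshd_option "$1" LoginGraceTime 6m &&
    set_sshd_option "$1" ClientAliveInterval 120 &&
    set_sshd_option "$1" ClientAliveCountMax 3
}

# Constructed excerpt of a stock sshd_config, written to a temp file for testing.
make_sample_config() {
    sample=$(mktemp) || return 1
    printf '%s\n' '#Port 22' '#AddressFamily any' '#LoginGraceTime 2m' \
        '# Example of overriding settings' '#ClientAliveInterval 0' \
        '#ClientAliveCountMax 3' > "$sample"
    echo "$sample"
}
```

On the server, run apply_tutorial_settings against a copy of /etc/ssh/sshd_config, check the copy with sudo sshd -t -f followed by the path of the copy, and only then put it in place and restart ssh.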

Step 4: Restart SSH
To apply these changes, copy and paste:

sudo systemctl restart ssh

Then type sudo poweroff. Then close your Home terminal. Then use VMM to start your server again. But do not log in. Instead, start an SSH session with

ssh 192.168.122.36

It will likely reply with

ssh: connect to host 192.168.122.36 port 22: Connection refused

When using any port other than port 22, we need to start an SSH session with a different command. Try this command which will add a port flag:

ssh -p 8083 192.168.122.36

Then type in your server password and press Enter.

You should now see the change in the prompt to username@ns01

Verify that the SSH Server is listening to the new port

Copy and paste this into the terminal:

ss -an | grep 8083

The output should look something like this:

tcp LISTEN 0 128 0.0.0.0:8083 0.0.0.0:*

tcp LISTEN 0 128 [::]:8083 [::]:*
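
Note that grep 8083 matches any line that contains those digits, such as a service on port 18083 or an established connection from client port 48083. The following added example (not from the original tutorial; the function names and the sample output are constructed) keeps only sockets that are in LISTEN state on exactly the given port.

```shell
#!/bin/sh
# Added example: exact-port listener check on ss output.

# listeners_on PORT: reads ss output on stdin and prints the local address of
# every socket in LISTEN state whose port is exactly PORT.
listeners_on() {
    awk -v port="$1" '
        $1 ~ /^u_/ { next }                    # skip Unix domain sockets
        {
            for (i = 1; i <= NF; i++) if ($i == "LISTEN") break
            if (i > NF) next                   # no LISTEN column: not a listener
            addr = $(i + 3)                    # State Recv-Q Send-Q Local:Port
            n = split(addr, part, ":")         # port is the text after the last colon
            if (part[n] == port) print addr
        }'
}

# Live check on the server (needs the ss command from iproute2).
sshd_port_is_listening() {
    ss -tln | listeners_on "$1" | grep -q .
}

# Constructed sample in the same layout as the output shown above.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:8083         0.0.0.0:*
tcp   LISTEN 0      128    [::]:8083            [::]:*
tcp   LISTEN 0      4096   127.0.0.1:18083      0.0.0.0:*
tcp   ESTAB  0      0      192.168.122.36:8083  192.168.122.1:48083
EOF
}
```

On the constructed sample, grep 8083 returns four lines while listeners_on 8083 returns only the two real listeners.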

Next type sudo poweroff. Your practice server will power off and the screen will close. Also your home computer terminal will say that your SSH connection was closed by the remote host. Close your home terminal. Then close VMM.

We have successfully connected to our server using only the command ssh followed by the server IP address. We have also changed the Port on our server from 22 to 8083.

What’s Next?
If we were setting up a real server, we would next replace our SSH server log in password with keys. But since this is just practice, we will stay with our simple SSH log in password. In the next article, we will review how to assign a static IP address to your server.