Last modified: March 25, 2021

This article is written in: 🇺🇸

Secure Server Access

SSH, SFTP, and SCP are network protocols that provide secure data communication and file transfer over insecure networks. Here's a brief overview of each:

SSH

SSH (Secure Shell) is a protocol and a tool suite that facilitates secure communications and file transfers between computers over a potentially unsafe network such as the internet. It is commonly utilized by system administrators and developers for the following purposes:

• Securely logging into a remote computer.
• Running commands on a remote computer in a safe manner.
• Transferring files between computers without compromising the integrity or confidentiality of the data.
• Tunneling other protocols (like HTTP) through encrypted channels.
• Administering databases and other server resources remotely.

Client                                Server
     |                                      |
     |  1. Request to Connect (via SSH)  -> |
     |                                      |
     |  <- 2. Sends Server's Public Key ----|
     |                                      |
     | 3. Creates Encrypted Session Key --> |
     | (using server's public key)          |
     |                                      |
     |  <- 4. Decrypts Session Key (using   |
     | private key) & establishes session   |
     |                                      |
     | 5. Client Authenticates using ->     |
     | its private key                      |
     |                                      |
     |  <- 6. Verifies using stored public  |
     | key of the client & grants access    |
     |                                      |
     | 7. Secure Communication Channel      |
     | (both ways using session key)        |
     |______________________________________|

SSH leverages public-key cryptography to authenticate users and to secure the data being transferred. This ensures that only authorized users can connect, and the data cannot be intercepted in a readable format by malicious actors.

Connecting with SSH

To initiate a connection using SSH, you require several details and credentials which include:

1. The target computer's IP address or hostname.
2. Your username on the remote system.
3. A secure password or a cryptographic key pair for authentication.

Utilize the following command syntax to connect:

ssh username@serverhost

Depending upon the authentication method chosen, the server will either prompt you for a password (password authentication) or verify the cryptographic key presented (key authentication).

Advanced SSH Connection Options

The ssh command accommodates various flags that allow you to customize your connection further. Here are some notable options:

• The -l option specifies the username for the SSH connection. An alternative way to include the username is by using the format ssh -l username serverhost.
• With the -i option, you can designate the path to the private key file used for key authentication. By default, SSH looks for the key file in the ~/.ssh/id_rsa directory.
• The -F option indicates the path to the SSH connection configuration file. Each user typically has a personal configuration file at ~/.ssh/config, while a global configuration file is located at /etc/ssh/ssh_config.
• Using the -p option, you can specify a different port number if the SSH server is not using the default port 22.
• The -v, -vv, -vvv options increase the verbosity of the SSH command, providing more detailed output, which is particularly useful for troubleshooting connection issues.

For example SSH usually uses port 22, but you can use another port for better security. To use a different port, like 561, do this:

ssh -p 561 username@serverhost

Generating SSH Keys

SSH employs a public-key cryptography system, not only to ascertain the identity of the remote machine but also to facilitate the remote computer in authenticating the user. In this mechanism, each user generates a pair of cryptographic keys: a private key (kept secret and safe) and a public key (shared with the remote systems). This key-based authentication method significantly bolsters security by minimizing the risk associated with password brute-force attacks.

To initiate the process of generating a new key pair, you use the ssh-keygen command. The -t flag allows you to specify the type of key to generate. Common choices are RSA (a widely used algorithm) and Ed25519 (a modern algorithm with enhanced security features). You can also specify the key's bit size using the -b flag for added security, as demonstrated below:

ssh-keygen -t rsa -b 2048
# or for a more secure option
ssh-keygen -t ed25519

Post-creation, your keys will be housed in the ~/.ssh directory. Utilize the ls -a ~/.ssh/ command to enumerate the files in this directory and locate your fresh key pair.

Sharing Your Public Key with Remote Host

In order to harness your newly created key pair for secure connections, the remote server needs to be aware of your public key. This can be achieved by employing the ssh-copy-id command, which securely copies your public key to the remote host's authorized keys. Here’s how you can execute it:

ssh-copy-id -i ~/.ssh/id_rsa.pub username@serverhost
# or if you used the ed25519 algorithm
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@serverhost

Make sure to replace username, serverhost, and the key file name (if you named your key file something other than the default) with the appropriate values. This step is essential to pave the way for passwordless, secure connections to the remote host.

Remember, protect your private key meticulously as it acts as your cryptographic signature, and losing control over it can compromise the security of your remote connections.

Connecting to Remote Host with Your SSH Key

Once the public key is shared, you can establish connections seamlessly and securely using your SSH key. The command to connect incorporates the key file and resembles the structure below:

ssh -i ~/.ssh/id_rsa username@serverhost
# or if you used the ed25519 algorithm
ssh -i ~/.ssh/id_ed25519 username@serverhost

This method enhances the security and efficiency of your remote connections, fostering a secure and streamlined workflow.

Setting Up the SSH Service on Your Server

Before connecting, ensure that the SSH daemon (sshd) is up and running on your server. On Debian-based systems, you can set up and start the SSH service using the following commands:

sudo apt update
sudo apt install openssh-server
sudo systemctl enable ssh
sudo systemctl start ssh

These commands will install the SSH server package, enable the SSH service to start at boot, and initiate the SSH service immediately, making your server ready to accept secure connections.

Transferring Files with SCP

SCP (Secure Copy Protocol), which utilizes SSH for data transfer, offers a secure method for transferring files between computers over a network. Here's how you can leverage SCP for various tasks:

Uploading Files to a Remote Server

To upload a file from your local machine to a remote server, use the following syntax:

scp /local/path/to/file username@server:/remote/path/to/file

Downloading Files from a Remote Server

To retrieve a file from a remote server to your local machine, utilize the command below:

scp username@server:/remote/path/to/file /local/path/to/file

Additional Options

SCP also supports additional flags that can enhance your file transfer operations:

• The -r option enables the recursive copying of directories, allowing you to copy entire directories along with their contents.
• With the -P option, you can specify a different port if the server is not using the default SSH port, which is 22. For example, to copy a directory recursively over a specified port, use:

scp -P 80 -r root@server:/remote/path/to/directory /local/path/to/directory

Transferring Files with SFTP

Secure File Transfer Protocol (SFTP) is a secure method for transferring files between a local and a remote computer. It operates over the SSH protocol, providing encrypted network communication. SFTP is preferred over older protocols like FTP due to its enhanced security features, including secure data transfer and manipulation capabilities within the remote file system.

Server Setup

I. SSH as the Underlying Protocol

• SFTP works over the SSH protocol. This means that it uses the same port and encryption mechanisms as SSH.
• If you have SSH access to a server, it typically implies that you can use SFTP as well, as long as the SFTP subsystem is enabled on the server.

II. Configure SSH Server

• SFTP depends on the SSH server configuration. It uses the SSH server's settings for port numbers, encryption types, and authentication methods.
• The SSH configuration file (usually /etc/ssh/sshd_config) should have an entry like Subsystem sftp /usr/lib/openssh/sftp-server to enable SFTP service.

III. Apply the changes by restarting the SSH service (sudo systemctl restart ssh).

Client Setup

• For command-line usage, no additional installation is required as SFTP comes with most SSH clients.
• For a GUI, install clients like WinSCP, FileZilla, or CyberDuck.

To connect to a remote server using SFTP, follow these steps:

I. Open Terminal or Command Line

• On Unix-like systems, open your terminal.
• On Windows, you can use PowerShell, CMD, or an SSH client like PuTTY.

II. Use the command sftp username@serverhost where username is your account on the remote server, and serverhost is the hostname or IP address of the server.

sftp username@serverhost

III. Authenticate

• Enter your password when prompted.
• If you've set up SSH key authentication, you might not need to enter a password.

Basic SFTP Commands

Once connected, you can use several commands to manage files:

• The ls command lists files and directories in the current directory on the remote server, providing an overview of the contents.
• Using the cd command changes the current directory on the remote server, allowing navigation through different folders.
• The command put local_file uploads a file from your local machine to the current directory on the remote server, enabling file transfer.
• The get remote_file command downloads a file from the current directory on the remote server to your local machine, retrieving the specified file.
• By using mkdir directory_name, you can create a new directory on the remote server, allowing for organization and storage of files.
• The rmdir directory_name command removes a directory on the remote server, which is useful for cleaning up unused directories.
• With the rm file_name command, you can delete a file on the remote server, removing unwanted or unnecessary files.
• The exit command closes the SFTP session, terminating the connection with the remote server.

Here's how you might use these commands in a session:

sftp> ls
sftp> cd /path/to/directory
sftp> put /local/path/to/file
sftp> get /remote/path/to/file
sftp> mkdir new_directory
sftp> rmdir old_directory
sftp> rm unwanted_file
sftp> exit

Other Protocols for File Transfers

Aside from SCP and SFTP, numerous other protocols and tools can be utilized for transferring files, each with their own characteristics:

• FTP is a traditional protocol used for file transfers, but it lacks modern security features, making it generally unsuitable for sensitive data transfers.
• Rsync is a fast and efficient tool designed for synchronizing large sets of files across systems, providing options for incremental transfers to optimize the process.
• SMB is a protocol commonly utilized by Windows systems for sharing files over local networks. It supports various authentication mechanisms to secure data access and protect shared resources.

Challenges

1. Set up a Linux server on a cloud provider or a local virtual machine and configure it for SSH access. Secure the server by disabling root login and ensuring only SSH key-based authentication is permitted. Discuss the benefits of using SSH over traditional telnet for secure server access.
2. Connect to your server using both password-based and key-based authentication with SSH. Document the steps for setting up key-based authentication, including generating an SSH key pair and transferring the public key to the server. Explain the security advantages of key-based authentication over passwords.
3. Modify the SSH server configuration to allow connections on a non-standard port (e.g., port 2222 instead of 22). Test the new port by reconnecting and discuss the security implications of using a non-standard port for SSH. Explain how this approach can help prevent brute-force attacks.
4. Use the SCP protocol to transfer files between your local machine and the server. Practice transferring both individual files and entire directories, utilizing SCP’s recursive option (-r). Document any differences in transfer times and discuss scenarios where SCP is advantageous for quick file transfers.
5. Explore the SFTP protocol by connecting to the server using an SFTP client (e.g., FileZilla or the command-line sftp). Use SFTP to upload and download files, create directories, and change permissions. Discuss the additional file management capabilities that SFTP provides over SCP.
6. Write a comparison between SCP and SFTP, detailing the underlying protocols and use cases for each. Conduct a speed test by transferring different file types and sizes, and compare the performance of SCP vs. SFTP. Discuss how these protocols handle encryption and data integrity.
7. Research and demonstrate the use of the Rsync protocol to transfer files between your local system and the server. Use Rsync to synchronize a local directory with a remote directory and explain how Rsync’s delta transfer algorithm improves efficiency for repeated file transfers.
8. Install and configure an FTP server (such as vsftpd) on your server and connect to it using an FTP client. Test both secure (FTPS) and unencrypted connections, and explain why FTP alone is not recommended for secure file transfers. Discuss when FTP/FTPS might still be useful in certain network environments.
9. Use port forwarding with SSH to create a secure tunnel between your local machine and the server. Set up an SSH tunnel to forward traffic from a local port to a remote service running on the server. Explain how SSH tunneling can be used to securely access remote services and discuss its use in bypassing firewalls or restrictive network policies.
10. Investigate other file transfer protocols such as HTTPS, SMB, and NFS. Write a brief summary of each protocol’s advantages and limitations in comparison to SSH-based protocols (SCP, SFTP). Discuss when it might be preferable to use one of these protocols over SSH-based solutions in a networked environment.