Remote Access and File Transfer

Introduction to Remote Administration
The Golden Rule of Remote Administration
never change network settings on a remote machine without a scheduled reboot to the previous configuration
standard client-server model
  • server - remote Linux box running SSH Daemon (sshd)
    listens on port 22
  • client - local computer running SSH client
Secure Shell (SSH): Connecting to Remote Linux Systems
to connect need to know
  • IP address or domain of server
  • a username
  • a password or key
Step-by-Step Connection
  1. open terminal
  2. enter the command
    ssh <user name>@<server IP>
  3. Fingerprint Check - for the first connection only
    prompt will provide a fingerprint from the server
    verify the fingerprint and enter 'yes'
  4. enter the password
  5. on success the prompt will change from/to
    <user name>@<client>:~$
    <user name>@<server>:~$

to close connection enter 'exit'

SSH Key Authentication and Using SSH Keys
SSH keys are cryptographic proof of identity
SSH key has two parts
  • Private Key - kept secret on client, never shared
  • Public Key - kept on server, a lock opened by private key

Generate a Private Key
  1. run command on local machine
    ssh-keygen -t ed25519 -C <machine name>
    • -t specifies modern, secure algorithm
    • -C adds a label to the key

    save to default location
    ~/.ssh/id_ed25519
    provide a passphrase to encrypt the private key
  2. copy the public key to the server's authorized keys file
    ~/.ssh/authorized_keys
    using the command
    ssh-copy-id <user name>@<server IP>
  3. try logging in
    enter the passphrase to unlock the key

Copying Files Securely: scp and rsync
The Simple Copy: scp
scp stands for Secure Copy
works exactly like cp but over SSH
upload (Local to Remote):
scp filename.txt <user name>@<server IP>:/home/anna/
copies filename.txt to the server's home directory
download (Remote to Local):
scp <user name>@<server IP>:/var/log/syslog ./
copies the server's syslog to your current directory

The Smart Copy: rsync
scp is dumb
it copies the whole file every time
rsync is smart
it checks what has changed and copies only the differences
also supports resuming interrupted transfers. Syntax:
rsync -avz <source> <destination>
flags
  • -a - archive mode, preserves permissions, timestamps, owners
  • -v - verbose, shows progress
  • -z - compress

SSH Configuration: ~/.ssh/config
repeatedly entering SSH credentials can be tedious
use shortcuts
on local machine create or edit
~/.ssh/config
the file
Host myserver
    HostName 192.168.1.50
    User anna
    IdentityFile ~/.ssh/id_ed25519
Host work
    HostName server.company.com
    User admin
    Port 2222
can simply use
ssh myserver
ssh work
Port Forwarding and Tunneling with SSH
can access services blocked by firewalls

scenario
db server running on 192.168.1.50
for security purposes only accepts connections from localhost
need to connect from a different computer on the network

solution
can set up a secure tunnel between ports on different computers
ssh -L 3306:localhost:3306 <user name>@<server IP>
point db client to localhost:3306
SSH forwards traffic from localhost:3306 to 192.168.1.50:3306
connects to remote db as if it were local

Remote File Systems: sshfs
sshfs allows mounting a remote folder as if it were a local USB device
  1. install sshfs
    sudo apt install sshfs
  2. create a mount point
    mkdir ~/RemoteServer
  3. mount
    sshfs <user name>@<server IP>:/home/anna ~/RemoteServer
    files will be in ~/RemoteServer directory
  4. unmount
    fusermount -u ~/RemoteServer

Best Practices for Secure Remote Access
Disable Password Authentication
once SSH keys are working turn off password authentication
edit /etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
restart SSH
sudo systemctl restart ssh
Disable Root Login
never allow root to log in directly
edit /etc/ssh/sshd_config
PermitRootLogin no
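
A way to confirm that the settings above actually took effect, as an added example that is not part of the original notes. The hypothetical helper audit_sshd reads the effective configuration printed by sshd -T instead of searching the file, because sshd keeps the first value it finds for a keyword, so an edit lower down may not be the one in force. The sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes; audit_sshd is a hypothetical helper.
# Input: text in the format printed by `sshd -T` (the effective configuration,
# one lowercase "keyword value" pair per line).
# On a real server: sudo sshd -T | audit_sshd
audit_sshd() {
    awk '
        # Keep the first value seen per keyword, as sshd itself does.
        !($1 in seen) { seen[$1] = $2 }

        function require_no(key,    v) {
            v = seen[key]
            if (v == "") v = "unset"
            if (v != "no") { printf "FAIL %s=%s\n", key, v; bad++ }
        }

        END {
            require_no("passwordauthentication")
            require_no("permitrootlogin")
            # Newer OpenSSH reports ChallengeResponseAuthentication under its
            # current name, KbdInteractiveAuthentication; accept either.
            if ("kbdinteractiveauthentication" in seen) {
                require_no("kbdinteractiveauthentication")
            } else {
                require_no("challengeresponseauthentication")
            }
            if (bad == 0) print "OK"
            exit (bad > 0)
        }
    '
}

# Constructed sample: keys work, but the hardening steps were never applied.
SAMPLE_WEAK='port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample: the settings recommended in these notes.
SAMPLE_HARDENED='port 2222
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || true   # prints two FAIL lines
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd       # prints OK
```

The function exits non-zero when any check fails, so it can gate the restart step in a provisioning script.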
Change Default Port (optional)
bots blindly attack port 22
configure SSH to run on port 2222
security through obscurity

install fail2ban

Use Fail2Ban
service watches the logs
if someone fails to log in 5 times in a row, it bans their IP address using the firewall

Summary
covers
  • connection - ssh user@host
  • keys - ssh-keygen and ssh-copy-id for passwordless security
  • transfer - scp for files, rsync for folders and backups
  • shortcuts - using ~/.ssh/config
  • tunneling - accessing blocked services securely
  • mounting - using sshfs to access remote storage as local

key points
  • SSH - standard protocol for remote administration (port 22)
  • SSH keys - more secure than passwords, use ssh-keygen
  • scp - secure copy
  • rsync - file sync, difference model
  • ~/.ssh/config - stores server details
  • ssh -L - tunnels local ports to remote servers
  • security - always disable PasswordAuthentication and PermitRootLogin