WebCitz Blog

Advanced Secure Shell: 6 Things You Can Do With SSH


SSH is the most popular tool for remote access to your web hosting services. It’s also one of the most misunderstood tools in system administration. While it has some very specific use cases, there are many others that people don’t know about. In this post, we’ll cover six things you can do with SSH to make life easier and solve more problems than you might realize!


Tips for Securing SSH

1.) SFTP

SFTP is short for SSH File Transfer Protocol. It allows you to securely copy files over the network using your preferred method of moving data (FTP, SCP, Rsync). It also uses keys, rather than passwords, for improved security and authentication.

It’s great for transferring files around where FTP or SCP are blocked but SFTP isn’t! You might also use it if you need to connect between two machines that don’t have direct access, but where SSH does.

Using FileZilla is the preferred way, which involves entering your SSH username, port, and address. Next, it’s time to use SFTP by simply typing “sftp [email protected]”. Doing this will allow you to work within the terminal to download/upload files, browse directories, and more.


2.) Keep the connection alive

Stopping your connection from dying is always important. Luckily, you are able to prevent your SSH session from being prematurely terminated by using three directives.

The TCPKeepAlive argument determines whether or not to keep a connection open. When this option is enabled, the client will constantly send data packets in an effort to maintain its network link with the server it is connected to.

ClientAliveInterval specifies how often you want your system to send traffic across the network. ClientAliveCountMax specifies how many unanswered messages should result in termination of the session, so another attempt can take place.

ServerAliveInterval is the same as ClientAliveInterval, but it’s set on the other end. This specifies how long the client will wait before sending data to verify that they’re still connected.

By using these three together you can prevent your SSH sessions from timing out while still allowing for traffic to be stopped until another session is established. You are also able to instruct your server or client how many times they should fail before considering a network link down!
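How the interval and count directives combine into an actual timeout, as an added example that is not part of the original article. The sample config files are constructed, and the helper names `effective` and `keepalive_timeout` are hypothetical.

```shell
#!/bin/sh
# effective KEY FILE: value OpenSSH uses from the global section of a config.
# The first occurrence wins and keywords are case-insensitive.
effective() {
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        { gsub(/=/, " "); k = tolower($1) }      # "Key=value" is also legal
        k == "match" || k == "host" { exit }     # conditional blocks start here
        k == tolower(key) { print $2; exit }
    ' "$2"
}

# keepalive_timeout FILE INTERVAL_KEY COUNT_KEY: seconds of silence before the
# session is dropped. 0 means application-level probes are off (the default).
# Assumes the interval is written in plain seconds.
keepalive_timeout() {
    interval=$(effective "$2" "$1")
    count=$(effective "$3" "$1")
    echo $(( ${interval:-0} * ${count:-3} ))     # CountMax defaults to 3
}

# Constructed sample files, not taken from the article.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
#ClientAliveInterval 0
ClientAliveInterval 60
ClientAliveCountMax 3
TCPKeepAlive yes
Match User backup
    ClientAliveInterval 600
EOF
cat > "$tmp/ssh_config" <<'EOF'
ServerAliveInterval 30
Host legacy
    ServerAliveCountMax 10
EOF

echo "server drops a silent client after $(keepalive_timeout "$tmp/sshd_config" ClientAliveInterval ClientAliveCountMax)s"
echo "client drops a silent server after $(keepalive_timeout "$tmp/ssh_config" ServerAliveInterval ServerAliveCountMax)s"
```

The commented-out line and the `Match`/`Host` overrides are ignored on purpose: they do not change the value that applies to an ordinary session.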

3.) SSH Agent

SSH Agent is a program that helps manage SSH keys. It provides an easy way to load your private key into memory so you don’t have to type in the password every time!

When you start a session with the agent, all windows and applications that need an SSH connection will be automatically given access to your private key. You only have to enter your passphrase once in order to get started quickly!

Agents can be forwarded in order to use the same credentials from a connected host to another. However, these credentials are stored by agents, which opens up more risk of hacking. Therefore, I don’t recommend forwarding your agent to anything but a trusted machine.
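A check for where agent forwarding is switched on in a client config, as an added example that is not part of the original article. The host names and the function name `agent_forwarding_hosts` are hypothetical, and the config is a constructed sample.

```shell
#!/bin/sh
# agent_forwarding_hosts FILE: list every ssh_config scope that turns agent
# forwarding on, tagged "exact" (named hosts only) or "wildcard" (a pattern,
# Match block or global scope, which can cover hosts you never reviewed).
# Only the literal value "yes" is checked.
agent_forwarding_hosts() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { gsub(/=/, " "); k = tolower($1) }
        k == "host"  { $1 = ""; scope = substr($0, 2); next }
        k == "match" { scope = "* (Match block)"; next }
        k == "forwardagent" && tolower($2) == "yes" {
            tag = (scope == "" || scope ~ /[*?]/) ? "wildcard" : "exact"
            where = (scope == "") ? "(global)" : scope
            print tag ": " where
        }
    ' "$1"
}

# Constructed sample. ssh_config uses the first value it finds, so specific
# hosts come first and the "Host *" default goes last.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ssh_config" <<'EOF'
Host build.example.com
    ForwardAgent yes
Host *.lab.example.com
    ForwardAgent yes
Host *
    ForwardAgent no
EOF

agent_forwarding_hosts "$tmp/ssh_config"
```

Every `wildcard` line is a candidate for narrowing to named, trusted machines.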

4.) Tunneling via Local Port Forwarding

One use case for SSH is tunneling. This can be used to protect application traffic inside an encrypted connection and ensure that unsafe data doesn’t get transmitted outside of it.

Server

The sshd configuration file, located in /etc/ssh/sshd_config, contains all of the server-side changes that need to be made.

In order to make your changes, start by commenting out the original line with a leading #. You can also duplicate any lines if needed and edit those instead of just uncommenting them so that it’s easier for you to see what needs to be changed without having too much going on at once!

For port forwarding to work correctly, you need to allow TCP forwarding by setting “AllowTcpForwarding yes”.

If you’ve made changes to the server configuration file, reload the SSH service. You can do this by running “service ssh reload”.

Client

You can use SSH tunnels to do lots of cool actions, such as when you need to execute a query in one database that can only be done on a different machine. This allows your connection to be tunnelled through the other machine instead.
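The database tunnel described above with the server side narrowed to what it needs, as an added example that is not part of the original article. It goes beyond the article's “AllowTcpForwarding yes” by using the `local` value and `PermitOpen`; the host names, ports and the function name `forward_allowed` are hypothetical, and the config is a constructed sample.

```shell
#!/bin/sh
# Client side (hypothetical names): reach PostgreSQL on db-host via
# 127.0.0.1:5433 on your own machine, without opening a remote shell.
#   ssh -N -L 127.0.0.1:5433:127.0.0.1:5432 user@db-host

# Constructed server-side sample: local forwards only, two destinations.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
#AllowTcpForwarding yes
AllowTcpForwarding local
PermitOpen 127.0.0.1:5432 db2.internal.example:5432
EOF

# forward_allowed FILE HOST:PORT: exit 0 if a local forward (-L) to that
# destination passes the global AllowTcpForwarding and PermitOpen settings.
# Assumes PermitOpen entries are exact host:port pairs.
forward_allowed() {
    awk -v dest="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }                       # global section only
        k == "allowtcpforwarding" && !seen_fwd++ { fwd = tolower($2) }
        k == "permitopen" && !seen_open++ {
            for (i = 2; i <= NF; i++) allow[$i] = 1
            listed = 1
        }
        END {
            if (fwd == "") fwd = "yes"              # sshd default
            if (fwd != "yes" && fwd != "all" && fwd != "local") exit 1
            if (!listed || ("any" in allow)) exit 0 # default: any destination
            exit !(dest in allow)
        }
    ' "$1"
}

for d in 127.0.0.1:5432 10.0.0.5:22; do
    if forward_allowed "$tmp/sshd_config" "$d"; then echo "$d allowed"
    else echo "$d refused"; fi
done
```

Running `sshd -t` checks the edited file for syntax errors before the reload.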

5.) X11 Forwarding

An SSH connection can be used to forward X11 packets so that the remote computer’s desktop environment is displayed on your local machine. This is great for saving time when using the GUI for a specific program.

Prerequisites

Installing xauth is the first step in implementing X11 forwarding on your server. If you want to test it out, just make sure that xclock has also been installed before proceeding.

Server

The first step is to allow X11 forwarding by looking for “X11Forwarding” in your /etc/ssh/sshd_config, and then setting it to “yes”.

Client

X11 forwarding from the server to your client machine has been set up, and you should be able to see a clock on your desktop when you type “xclock”.

6.) ProxyJump

Many people use SSH to connect to bastions, and then jump across to other devices. The bastion is the first jump host.

To make it easier for people who are not tech-savvy, ProxyJump may be the perfect solution. It simplifies accessing your server using a jump host and can also provide an additional layer of security in case anyone attempts to hack into a server you don’t want to be exposed publicly.

Say you’re a home user with two routers, one on each side of your network. One use case for this would be to have an extra machine that acts as the bastion gateway – or VPN server in front of those devices so people can get onto other computers without having access through either router’s IP address(es).

This could come in handy when managing private connections while still being able to launch various services, like OpenVPN clients from within our own house if need be!
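A ProxyJump client configuration and a helper that prints the route it produces, as an added example that is not part of the original article. The host aliases, addresses and the function names `jump_of` and `hop_path` are hypothetical; the helper assumes one alias per ProxyJump line and exact Host names.

```shell
#!/bin/sh
# Constructed sample for ~/.ssh/config. With ProxyJump the bastion only relays
# the encrypted stream, so no ForwardAgent is needed and keys stay local.
# One-off equivalent on the command line: ssh -J bastion app-internal
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ssh_config" <<'EOF'
Host bastion
    HostName bastion.example.com
    User ops
Host app-internal
    HostName 10.0.1.20
    ProxyJump bastion
Host db-internal
    HostName 10.0.2.30
    ProxyJump app-internal
EOF

# jump_of ALIAS FILE: ProxyJump value of the Host block named exactly ALIAS.
jump_of() {
    awk -v want="$1" '
        tolower($1) == "host" {
            hit = 0
            for (i = 2; i <= NF; i++) if ($i == want) hit = 1
            next
        }
        hit && tolower($1) == "proxyjump" { print $2; exit }
    ' "$2"
}

# hop_path ALIAS FILE: every host the connection passes through, in order.
hop_path() {
    path=$1; cur=$1; depth=0
    while next=$(jump_of "$cur" "$2") && [ -n "$next" ] && [ "$next" != none ]; do
        depth=$((depth + 1))
        [ "$depth" -gt 8 ] && { echo "jump loop at $cur" >&2; return 1; }
        path="$next -> $path"; cur=$next
    done
    echo "$path"
}

hop_path db-internal "$tmp/ssh_config"
```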



Final Thoughts on Securing SSH

In conclusion, there are a ton of things that you can do with SSH. This includes preventing your session from timing out, tunneling data through a server, forwarding X11 packets to display on another machine’s GUI, and more.

If you would like to learn the basics on how to perform a security audit for your own code, check out the link to our blog article to learn how you can keep your own code secure!

Disclaimer: WebCitz, LLC does not warrant or make any representations concerning the accuracy, likely results, or reliability of the information found on this page or on any web sites linked to from this page. This blog article was written by Timothy A in his or her personal capacity. The opinion(s) expressed in this article are the author's own and may not reflect the opinion(s) of WebCitz, LLC.