CHEAT SHEET

SSH - common commands and secure config

SSH connections SSH keys

connects to a server (default port 22) generates a new ssh key
$ ssh user@server $ ssh-keygen -t rsa -b 4096

uses a specific port declared in sshd_config sends the key to the server
$ ssh user@server -p other_port $ ssh-copy-id user@server

runs a script on a remote server converts ids_rsa into ppk

$ ssh user@server script_to_run $ puttygen current_key -o keyname.ppk

compresses and downloads from a remote server

$ ssh user@server "tar cvzf - ~/source" > output.tgz SSH config
specifies other ssh key for connection opens config file (usual location)
$ ssh -i ~/.ssh/specific_ssh_fkey $ sudo nano /etc/ssh/sshd_config

changes default SSH port (22)

SSH service Port 9809

starts ssh service disables root login

$ (sudo) service ssh start PermitRootLogin no

checks ssh service status restricts access to specifucusers

$ (sudo) service ssh status AllowUsers user1, user2

stops ssh service enables login through ssh key

$ (sudo) service ssh stop PubkeyAuthentication yes

restarts ssh service disables login through password

$ (sudo) service ssh restart PasswordAuthentication no

disables usage of files .rhosts and .shosts

SCP (Secure Copy) IgnoreRhosts yes
copies a file from a remote server to a local machine
disables a less secure type of login
$ scp user@server:/directory/file.ext local_destination/
HostbasedAuthentication no
copies a file between two servers
number of unauthenticated connections
$ scp user@server:/dir/file.ext user@server:/dir
before dropping
MaxStartups 10:30:100
copies a file from a local machine to a remote server
$ scp local_destination/file.ext user@server:/directory
no. of failed tries before the servers stops
accepting new tries
uses a specific port declared for SHH in sshd_config
MaxAuthTries 3
$ scp -P port
max current ssh sessions
coppies recursive a whole folder
MaxSessions 1
$ scp -r user@server:/directory local_destination/
disables interactive password authentication
copies all files from a folder
ChallengeResponseAuthentication no
$ scp user@server:/directory/* local_destination/
no empty password allowed
copies all files from a server folder to the current folder
PermitEmptyPasswords no
$ scp user@server:/directory/* .
disables Rhost authtentication
compresses data on network using gzip
RhostsAuthentication no
$ scp -C
disables port forwarding (blocks i.e MySQL Workbench)
prints verbose info about the current transfer
AllowTcpForwarding no
$ scp -v
X11Forwarding no

Full articles about cyber security at prints much more info about SSH connections
https://blowstack.com/blog/cyber-security LogLevel VERBOSE

Author: Piotr Golon, piotr.golon@blowstack.com, https://blowstack.com