Setting Up SSH Server in Alpine Linux 🔐
alpine-linux ssh openssh

Published Mar 25, 2025

Complete guide to installing and configuring OpenSSH server on Alpine Linux. Learn security hardening, key management, and advanced SSH configurations.

Setting Up SSH Server in Alpine Linux

SSH (Secure Shell) is essential for remote server management. Alpine Linux provides OpenSSH for secure remote access. Let’s set up a robust and secure SSH server! 🔒

Understanding SSH in Alpine Linux

SSH provides:

  • Encrypted Communication: All data is encrypted
  • Authentication: Multiple authentication methods
  • Port Forwarding: Tunnel other protocols
  • File Transfer: SCP and SFTP support
  • Remote Command Execution: Run commands remotely

Prerequisites

Before setting up SSH:

  • Alpine Linux system with root access
  • Network connectivity
  • Basic understanding of Linux permissions
  • Security awareness

Step 1: Install OpenSSH Server

Install OpenSSH Package

A fresh Alpine install has no sudo: run these commands as root, or install sudo (or doas) first. The same goes for the editor used below; vi is present, nano is not (apk add nano).

# Update package index
sudo apk update

# Install OpenSSH. "openssh" is a metapackage that pulls in openssh-server,
# openssh-client and openssh-sftp-server (plus openssh-keygen, which sshd needs),
# so no second install step is required.
sudo apk add openssh

# Server-only alternative when the box should not carry an SSH client
sudo apk add openssh-server openssh-sftp-server

Verify Installation

# Check the OpenSSH version (ssh and sshd come from the same release)
ssh -V

# Confirm which openssh packages apk installed
apk list -I 'openssh*'

# List the files the server package installed
apk info -L openssh-server

Step 2: Initial SSH Configuration

Configure SSH Service

# Enable SSH service at boot
sudo rc-update add sshd default

# Start SSH service (the init script generates any missing host keys on first start)
sudo rc-service sshd start

# Check service status
sudo rc-service sshd status

Basic Configuration File

# Backup original configuration
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# Edit SSH configuration (vi is installed by default; nano needs "apk add nano")
sudo nano /etc/ssh/sshd_config

Step 3: Security Hardening

Essential Security Settings

# Edit sshd_config for security
sudo nano /etc/ssh/sshd_config

Add or modify these settings. Keep the session you are editing from open until a fresh login with the new settings succeeds; a typo here locks you out. Two things to know about how sshd reads this file: the first occurrence of a directive wins, so edit the existing lines instead of appending new ones at the bottom, and "Protocol 2" should not be added at all (SSH protocol 1 was removed from OpenSSH long ago, and the directive now only produces a "Deprecated option" warning).

# SSH port. Changing it cuts log noise but is not a security control; a port
# above 1023 can also be bound by an unprivileged local process if sshd stops.
Port 2222

# Disable root login
PermitRootLogin no

# Disable password authentication (only after keys are in place and tested).
# Keyboard-interactive must be off as well, or a PAM-enabled sshd can still
# prompt for a password through PAM.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

# Disable empty passwords
PermitEmptyPasswords no

# Maximum authentication attempts per connection (every offered key counts)
MaxAuthTries 3

# Seconds an unauthenticated connection may stay open
LoginGraceTime 60

# Refuse logins when ~/.ssh or authorized_keys have unsafe ownership or modes
StrictModes yes

# Disable X11 forwarding (unless needed)
X11Forwarding no

# Disable TCP forwarding (unless needed; re-enabled per user in Step 8)
AllowTcpForwarding no

# Drop connections whose client stops answering keepalives (two missed probes,
# about 10 minutes). This catches dead connections, not idle users.
ClientAliveInterval 300
ClientAliveCountMax 2

# Host keys (Ed25519 listed first so it is preferred)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Ciphers and algorithms (strong only). Check what the installed build offers
# with "ssh -Q cipher", "ssh -Q mac" and "ssh -Q kex" before restricting.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

Apply Configuration

# Test configuration syntax (sshd -T additionally prints the effective value of
# every directive, which shows whether an earlier line or a Match block overrode yours)
sudo sshd -t

# Restart SSH service, then open a NEW connection to confirm the login still
# works before closing the session you edited from
sudo rc-service sshd restart
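To make the two sshd_config parsing rules above concrete, here is an added example (not from the original post) in POSIX sh: an offline audit that reads a config file the way sshd does, first occurrence wins and nothing after the first Match counts for the global section, and compares the result with the settings from this step. The two configs it checks are constructed samples. On the real host, sshd -T remains the authoritative view because it also resolves compiled-in defaults, which this file-only check reports as unset.

```shell
#!/bin/sh
# Added example: offline audit of an sshd_config against the Step 3 settings.
# sshd_config rules encoded here: directive names are case-insensitive, the
# FIRST occurrence of a directive wins, and every line after the first "Match"
# line is conditional, so it does not count for the global section.
set -u

# Print the effective global value of directive $2 in file $1 (empty if unset).
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match"      { exit }            # global section ends here
        tolower($1) == key          { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Audit file $1: one PASS/FAIL line per directive. An unset directive falls back
# to the compiled-in default, which a file-only check cannot see; "sshd -T" on
# the host shows the value actually in effect.
audit_sshd_config() {
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                KbdInteractiveAuthentication=no MaxAuthTries=3 \
                X11Forwarding=no AllowTcpForwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_directive "$1" "$key")
        [ -n "$got" ] || got='<unset>'
        if [ "$got" = "$want" ]; then
            echo "PASS $key"
        else
            echo "FAIL $key=$got (want $want)"
        fi
    done
}

# Number of FAIL lines for file $1 (0 when every audited directive is hardened).
count_fails() {
    audit_sshd_config "$1" | grep -c '^FAIL' || true
}

# Constructed sample 1: a stock-looking config with a hardening line appended
# below the original (a common mistake) and a setting hidden inside a Match.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
# appended later: ignored, because the first occurrence above wins
PasswordAuthentication no
Match Address 192.168.1.0/24
    X11Forwarding no
EOF

# Constructed sample 2: the Step 3 settings (lower-case spelling is accepted).
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 2222
permitrootlogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding no
Match User developer
    AllowTcpForwarding yes
EOF

echo "== weak ==";     audit_sshd_config "$WEAK_CFG"
echo "== hardened =="; audit_sshd_config "$HARD_CFG"
```

Run it against /etc/ssh/sshd_config after editing: a FAIL for a directive you are sure you set usually means the stock line higher up in the file is still there, or your line landed below a Match block.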

Step 4: SSH Key Management

Generate Host Keys

Alpine's sshd init script creates the host keys on first start (it runs ssh-keygen -A), so this is only needed to replace them, for example on a VM cloned from an image that already contained host keys. Regenerating changes the fingerprint, and every client will warn about the change on its next connection.

# Generate new host keys (if needed; remove the old files first when replacing)
sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

# Set proper permissions
sudo chmod 600 /etc/ssh/ssh_host_*_key
sudo chmod 644 /etc/ssh/ssh_host_*_key.pub

Create User SSH Keys

Generate the key pair on the client (your workstation), not on the server: the private key should never exist on the machine it grants access to.

# As the regular user on the client, generate an Ed25519 key pair
ssh-keygen -t ed25519 -C "alice@example.com"

# Or use RSA (4096 bits) for clients that cannot do Ed25519
ssh-keygen -t rsa -b 4096 -C "alice@example.com"

# Set correct permissions (ssh-keygen already does this; the .pub file is
# tightened to 600 by the second line and reset to 644 by the third)
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_*
chmod 644 ~/.ssh/id_*.pub

Set Up Authorized Keys

The public key goes into ~/.ssh/authorized_keys on the server, owned by the user with mode 600 (StrictModes refuses the login otherwise). ssh-copy-id does this from the client in one step while password logins are still enabled; the manual variant is for pasting a key when you are already on the server. Log in with the key from the client before setting PasswordAuthentication no.

# From the client: copy the public key to the server (uses password auth once)
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 alice@alpine-server

# Manual variant on the server, as the target user, with the client's
# public key copied over as id_ed25519.pub
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cat id_ed25519.pub >> ~/.ssh/authorized_keys

# Set correct permissions
chmod 600 ~/.ssh/authorized_keys

Step 5: Advanced Authentication

Configure Two-Factor Authentication

Alpine's default openssh-server is built without PAM; openssh-server-pam replaces it with a PAM-enabled sshd. Each user then enrolls with the google-authenticator command, which writes ~/.google_authenticator and prints the TOTP secret and QR code. To end up with "key AND code" rather than "password OR code", the PAM stack should ask for the TOTP code only and sshd must require both methods.

# Install the PAM-enabled server and the TOTP module
sudo apk add google-authenticator openssh-server-pam

# Enroll (run as each user, not as root)
google-authenticator

# Configure PAM
sudo nano /etc/pam.d/sshd

PAM configuration (create the file if the package did not ship one):

# /etc/pam.d/sshd: TOTP only; the public key is verified by sshd itself
auth     required   pam_google_authenticator.so
account  include    base-account
session  include    base-session

Update SSH configuration. These replace the KbdInteractiveAuthentication line from Step 3 rather than being appended after it, since the first occurrence wins:

# In /etc/ssh/sshd_config
UsePAM yes
KbdInteractiveAuthentication yes   # spelled ChallengeResponseAuthentication before OpenSSH 8.7
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam

Set Up Certificate Authentication

With a CA the server trusts one CA public key instead of per-user authorized_keys entries, and each certificate carries its own principal (login name) and expiry. Keep the CA private key on a separate signing host or hardware token; only the public half is copied to servers. The user logs in with the signed key as usual (ssh -i user_key); the client picks up user_key-cert.pub automatically.

# On the signing host: generate the CA key pair
ssh-keygen -t ed25519 -f ssh_ca_key -C "SSH CA Key"

# Sign a user's public key: -I is the identity written to the server log,
# -n the principal(s) the certificate is valid for (must contain the login
# name), -V the validity window; output is user_key-cert.pub
ssh-keygen -s ssh_ca_key -I alice@example.com -n alice -V +52w user_key.pub

# On the server: install the CA public key and trust it. Add the directive to
# the global section of sshd_config (appending it after a Match block would
# scope it to that block), then sshd -t and restart.
sudo cp ssh_ca_key.pub /etc/ssh/ca.pub
TrustedUserCAKeys /etc/ssh/ca.pub

Step 6: Access Control

User and Group Restrictions

sshd applies these in a fixed order, DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and every directive that is set applies; if both AllowUsers and AllowGroups are present a user must satisfy both. A user@host pattern restricts where a user may log in from.

# In /etc/ssh/sshd_config

# Allow specific users (alice only from her workstation)
AllowUsers alice@192.168.1.100 bob charlie

# Allow specific groups (members of other groups are refused)
AllowGroups sshusers admin

# Deny specific users (checked before AllowUsers)
DenyUsers baduser

# Deny specific groups
DenyGroups notssh

IP-based Restrictions

Match Address does not allow or deny anything by itself: it applies the settings beneath it only to connections from those addresses. Every line after a Match belongs to it until the next Match, so Match blocks go at the very end of sshd_config. To actually restrict where someone may connect from, use the user@host form of AllowUsers shown above.

# Passwords only from the LAN (leave this out unless the LAN is trusted)
Match Address 192.168.1.0/24
    PasswordAuthentication yes

# Forwarding only for alice, and only from her workstation
Match User alice Address 192.168.1.100
    AllowTcpForwarding yes

Chroot Restrictions

# Chroot SFTP users (a Match block, so it goes at the end of sshd_config)
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Set up the chroot environment. sshd insists that the chroot directory and every directory above it are owned by root and writable only by root, so the user's home stays root-owned and the user gets writable subdirectories. Alpine's default shell (busybox ash) has no brace expansion, so the directories are spelled out. With passwords disabled globally the user also needs a key in /home/sftpuser/.ssh/authorized_keys (or the Match Group sftponly block must re-enable PasswordAuthentication).

# Create the group sshd matches on, then the SFTP-only user as a member
sudo addgroup sftponly
sudo adduser -D sftpuser
sudo addgroup sftpuser sftponly
sudo passwd sftpuser

# Create chroot structure
sudo mkdir -p /home/sftpuser/uploads /home/sftpuser/downloads
sudo chown root:root /home/sftpuser
sudo chmod 755 /home/sftpuser
sudo chown sftpuser:sftpuser /home/sftpuser/uploads /home/sftpuser/downloads
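sshd refuses a chrooted login with "bad ownership or modes for chroot directory component" unless every directory from / down to the ChrootDirectory is owned by root and not group- or world-writable. This added example (not from the original post) re-implements that walk in POSIX sh so a tree can be checked before the first SFTP login. Because it cannot chown anything to root without privileges, the stand-alone run builds two constructed trees under a temporary directory and starts the walk there; on the server you would pass / as the base so /home and the user's directory are included too.

```shell
#!/bin/sh
# Added example: reproduce sshd's ChrootDirectory component check offline.
# Every directory on the path must be owned by root (uid 0) and must not be
# writable by group or others; otherwise sshd logs "bad ownership or modes
# for chroot directory component" and closes the session.
set -u

# Report problems with one directory; prints nothing when it is acceptable.
chroot_component_check() {
    dir=$1
    set -- $(stat -c '%u %a' "$dir")     # owner uid and octal mode, e.g. "0 755"
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || echo "FAIL $dir: owned by uid $uid, sshd requires root"
    perms=${mode#"${mode%???}"}           # last three digits: owner, group, other
    group=${perms#?}; group=${group%?}    # middle digit
    other=${perms#??}                     # last digit
    case $group in 2|3|6|7) echo "FAIL $dir: group-writable (mode $mode)" ;; esac
    case $other in 2|3|6|7) echo "FAIL $dir: world-writable (mode $mode)" ;; esac
}

# Walk from chroot directory $2 up to base $1 (use / on a real host), checking
# every component on the way. Prints one FAIL line per problem found.
check_chroot_path() {
    base=${1%/}; [ -n "$base" ] || base=/
    p=${2%/}
    while :; do
        chroot_component_check "$p"
        [ "$p" = "$base" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
}

# Number of mode-related FAIL lines for the path (ownership lines are counted
# separately, since this demo cannot create root-owned directories).
writable_fails() {
    check_chroot_path "$1" "$2" | grep -c 'writable' || true
}

BASE=$(mktemp -d)    # created with mode 700, so it passes the mode check itself

# Constructed tree 1: the layout from this step (755 chroot, user-owned subdir)
mkdir -p "$BASE/good/sftpuser/uploads"
chmod 755 "$BASE/good" "$BASE/good/sftpuser"

# Constructed tree 2: a chroot made writable "to fix upload problems", plus a
# group-writable parent; both are rejected by sshd
mkdir -p "$BASE/bad/sftpuser/uploads"
chmod 775 "$BASE/bad"
chmod 777 "$BASE/bad/sftpuser"

echo "== good tree =="; check_chroot_path "$BASE" "$BASE/good/sftpuser"
echo "== bad tree ==";  check_chroot_path "$BASE" "$BASE/bad/sftpuser"
```

On the server, check_chroot_path / /home/sftpuser should print nothing; when run as a normal user the demo reports the ownership lines as well, which is exactly what sshd would do with a home directory left owned by the user.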

Step 7: SSH Banner and MOTD

Configure Login Banner

The banner is sent before authentication to anyone who connects, so it must not contain hostnames, OS or version details.

# Create banner file
sudo nano /etc/ssh/banner.txt

Add warning message:

********************************************************************
*                      AUTHORIZED ACCESS ONLY                      *
* Unauthorized access to this system is forbidden and will be      *
* prosecuted by law. By accessing this system, you consent to     *
* monitoring and recording of all activities.                      *
********************************************************************

Update SSH configuration:

# In /etc/ssh/sshd_config
Banner /etc/ssh/banner.txt

Configure MOTD

/etc/motd is a static file: sshd prints it verbatim (PrintMotd yes is the default), so shell substitutions such as $(hostname) would be shown literally rather than expanded. Keep it to static text, or have a script regenerate the file at boot (for example from /etc/local.d, with the local service enabled).

# Edit message of the day
sudo nano /etc/motd

Add static text:

Welcome to the Alpine Linux SSH server.

This system is monitored. Please follow security policies and report any issues.

Step 8: Port Forwarding and Tunneling

Configure Port Forwarding

Global directives must come before any Match block, because every line after a Match belongs to it; GatewayPorts placed below "Match User developer" would silently apply to that user only. GatewayPorts clientspecified lets a client bind a remote forward (ssh -R) on the server's external interfaces, which exposes the tunnelled service to the network, so keep the default (no) unless that is intended.

# In /etc/ssh/sshd_config (global section)

# Let clients choose whether a remote forward listens on 127.0.0.1 or on all interfaces
GatewayPorts clientspecified

# Enable forwarding for specific users, restricted to named destinations
Match User developer
    AllowTcpForwarding yes
    PermitOpen localhost:3000 localhost:8080

SSH Tunnel Examples

# Local port forwarding (client)
ssh -L 8080:localhost:80 user@server

# Remote port forwarding (client)
ssh -R 9090:localhost:3000 user@server

# Dynamic port forwarding (SOCKS proxy)
ssh -D 1080 user@server

# Persistent tunnel with autossh (apk add autossh); -M 20000 is its monitoring port
autossh -M 20000 -f -N -L 8080:localhost:80 user@server

Step 9: Monitoring and Logging

Configure SSH Logging

LogLevel VERBOSE adds the fingerprint of the key that authenticated to each "Accepted publickey" line, which is what lets you tell which of a user's keys was used. On Alpine the messages land in /var/log/messages through busybox syslogd, so the syslog service has to be enabled (rc-update add syslog boot) or nothing is written.

# In /etc/ssh/sshd_config
LogLevel VERBOSE
SyslogFacility AUTH

Set Up Log Monitoring

# Monitor SSH logs in real-time
tail -f /var/log/messages | grep sshd

# Check authentication attempts
grep "sshd" /var/log/messages | grep -E "(Accepted|Failed)"

# Create log analysis script (busybox sh: printf instead of "echo -e", and no
# \b in the regex, which busybox grep does not support)
sudo tee /usr/local/bin/ssh-log-monitor.sh > /dev/null << 'EOF'
#!/bin/sh
# Summarise recent sshd authentication activity from busybox syslog output

echo "=== SSH Login Analysis ==="
echo "Date: $(date)"
echo

echo "Successful logins:"
grep "sshd.*Accepted" /var/log/messages | tail -10

printf '\nFailed attempts:\n'
grep "sshd.*Failed" /var/log/messages | tail -10

printf '\nTop IPs with failed attempts:\n'
grep "sshd.*Failed" /var/log/messages | \
    grep -oE "from ([0-9]{1,3}\.){3}[0-9]{1,3}" | cut -d' ' -f2 | \
    sort | uniq -c | sort -rn | head -10
EOF

sudo chmod +x /usr/local/bin/ssh-log-monitor.sh

Step 10: Fail2ban Integration

Install and Configure Fail2ban

fail2ban bans by inserting firewall rules, so the tool its ban action uses has to be installed (iptables by default). The jail's port must match the Port chosen in Step 3, and logpath points at busybox syslogd's file. The thresholds mean: maxretry failures from one address within findtime seconds trigger a ban lasting bantime seconds.

# Install fail2ban and the firewall tool its default ban action uses
sudo apk add fail2ban iptables

# Configure for SSH (jail.local overrides jail.conf and survives package upgrades)
sudo nano /etc/fail2ban/jail.local

Add configuration:

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/messages
maxretry = 3
bantime = 3600

Start fail2ban:

sudo rc-update add fail2ban default
sudo rc-service fail2ban start
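To show what the log monitoring in Step 9 and the fail2ban jail above actually compute, here is an added example (not from the original post, and not fail2ban's own code) in POSIX sh with awk. It runs over a handful of constructed busybox-syslog-style sshd lines: it extracts successful logins together with the key fingerprint that LogLevel VERBOSE adds, counts failures per source address without the \b regex, and applies the jail's findtime/maxretry rule (maxretry failures from one address within findtime seconds) to decide which addresses would be banned. Timestamps are compared within a single day, a simplification fail2ban does not make.

```shell
#!/bin/sh
# Added example: sshd log triage plus a fail2ban-style findtime/maxretry check.
# Input format: busybox syslogd lines as written to /var/log/messages on Alpine.
set -u

# Constructed sample log: one key login, a brute-force burst from one address,
# and two slow failures from another address followed by a successful login.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar 25 10:00:01 alpine auth.info sshd[2101]: Accepted publickey for alice from 192.168.1.10 port 51022 ssh2: ED25519 SHA256:5Jx0o7Y3HfA8mN4kLwQ2sV9pT1cR6uB0dE3gZ8hI2jK
Mar 25 10:01:10 alpine auth.info sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 25 10:01:12 alpine auth.info sshd[2111]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 25 10:01:15 alpine auth.info sshd[2112]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 25 10:02:00 alpine auth.info sshd[2120]: Failed password for bob from 198.51.100.7 port 50010 ssh2
Mar 25 10:40:00 alpine auth.info sshd[2140]: Failed password for bob from 198.51.100.7 port 50012 ssh2
Mar 25 10:41:00 alpine auth.info sshd[2141]: Accepted publickey for bob from 198.51.100.7 port 50013 ssh2: ED25519 SHA256:aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV3wX4yZ5aB6c
EOF

# Successful logins as "user address fingerprint". The fingerprint is present
# only with LogLevel VERBOSE; with the default INFO level it is missing.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        user = ""; addr = ""; fp = "(no fingerprint: LogLevel INFO)"
        for (i = 1; i <= NF; i++) {
            if ($i == "for")       user = $(i + 1)
            if ($i == "from")      addr = $(i + 1)
            if ($i ~ /^SHA256:/)   fp = $i
        }
        print user, addr, fp
    }' "$1"
}

# Failed attempts per source address, most frequent first ("count address").
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
        }
        END { for (a in c) print c[a], a }' "$1" | sort -rn
}

# Addresses a jail with findtime $2 and maxretry $3 would ban: a failure is a
# hit when at least maxretry failures from that address, itself included, fall
# within findtime seconds of it. Times are HH:MM:SS within one day (field 3).
banned_ips() {
    awk -v findtime="$2" -v maxretry="$3" '
        function secs(t,  h) { split(t, h, ":"); return h[1] * 3600 + h[2] * 60 + h[3] }
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") addr = $(i + 1)
            now = secs($3)
            n[addr]++; t[addr, n[addr]] = now
            hits = 0
            for (k = 1; k <= n[addr]; k++) if (now - t[addr, k] <= findtime) hits++
            if (hits >= maxretry && !(addr in banned)) { banned[addr] = 1; print addr }
        }' "$1"
}

echo "== successful logins (user address key) =="; accepted_logins "$LOG"
echo "== failures per address ==";                 failed_by_ip "$LOG"
echo "== banned with findtime=600 maxretry=3 ==";  banned_ips "$LOG" 600 3
```

With the jail values from above (findtime 600, maxretry 3) only 203.0.113.5 is banned: 198.51.100.7 also failed, but its attempts are 38 minutes apart, so they never count together. Loosening the window to an hour with maxretry 2 would ban bob's own address just before his successful key login, which is the trade-off to keep in mind before tightening a jail.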

Step 11: Performance Optimization

Connection Multiplexing

ControlMaster reuses one authenticated connection for later sessions to the same host. The socket named by ControlPath lets anyone who can open it (same uid, or root) start a session as you without authenticating again, so it belongs under ~/.ssh (mode 700) and ControlPersist should stay short. Compression rarely helps an interactive session; it pays off for bulk transfers over slow links.

# Client-side SSH config
cat >> ~/.ssh/config << 'EOF'
Host *
    ControlMaster auto
    ControlPath ~/.ssh/control:%h:%p:%r
    ControlPersist 10m
    Compression yes
    ServerAliveInterval 60
    ServerAliveCountMax 3
EOF

Server Optimization

UseDNS no avoids a reverse lookup per connection (and a hang when DNS is down); GSSAPIAuthentication no skips a method nothing here uses. "Compression delayed" is a legacy spelling that current OpenSSH treats as yes, and TCPKeepAlive yes is already the default.

# In /etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no
Compression yes
TCPKeepAlive yes

Step 12: Backup and Recovery

Backup SSH Configuration

The archive contains the host private keys, so it is as sensitive as the keys themselves: create it with a restrictive umask, keep /backup/ssh root-only, and encrypt it before it leaves the machine. Run the script as root; the host keys and other users' authorized_keys are not readable otherwise. Drop /etc/ssh/ca.pub from the list if you are not using certificates, since tar exits with an error when a listed path is missing.

#!/bin/sh
# SSH backup script (run as root)
set -eu
umask 077

BACKUP_DIR="/backup/ssh"
DATE=$(date +%Y%m%d_%H%M%S)

mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"

# Backup server configuration and host keys (ca.pub is the CA public key only)
tar -czf "$BACKUP_DIR/ssh_config_$DATE.tar.gz" \
    /etc/ssh/sshd_config \
    /etc/ssh/ssh_config \
    /etc/ssh/ssh_host_*_key* \
    /etc/ssh/ca.pub

# Backup users' authorized_keys
tar -czf "$BACKUP_DIR/ssh_users_$DATE.tar.gz" \
    /home/*/.ssh/authorized_keys

echo "SSH backup completed: $BACKUP_DIR"

Troubleshooting Common Issues

Connection Refused

# Check if SSH is running
sudo rc-service sshd status
ps aux | grep '[s]shd'

# Check if the chosen port is listening (ss needs iproute2; busybox netstat works without it)
ss -tlnp | grep :2222
netstat -tln | grep :2222

# Check firewall rules for the port
sudo iptables -L -n | grep 2222

Authentication Failures

# Debug SSH connection
ssh -vvv user@server

# Check permissions
ls -la ~/.ssh/
ls -la ~/.ssh/authorized_keys

# Check SSH logs
sudo tail -f /var/log/messages | grep sshd

Performance Issues

# Check system resources
top
free -m

# Monitor network
iftop -i eth0

# Check SSH connections
ss -tn | grep :2222

Security Best Practices

  1. Use Key-Based Authentication: Disable password authentication, and keyboard-interactive too unless it is your second factor
  2. Change Default Port: Cuts scanner noise in the logs; it is not a security boundary, so do not rely on it
  3. Limit User Access: Use AllowUsers/AllowGroups
  4. Regular Updates: Keep OpenSSH updated (apk upgrade)
  5. Monitor Logs: Watch for suspicious activity
  6. Use Fail2ban: Slow down brute force attacks
  7. Strong Encryption: Use modern ciphers only
  8. Regular Audits: Review configurations periodically (sshd -T shows what is actually in effect)

SSH Client Configuration

Create a secure client configuration. IdentitiesOnly yes matters against a server with MaxAuthTries 3: without it the client offers every key in the agent first, and each rejected key counts as an attempt. ForwardAgent no keeps the server from using your agent's keys on your behalf, and SendEnv only takes effect for variables the server lists in AcceptEnv:

# ~/.ssh/config
Host alpine-server
    HostName server.example.com
    Port 2222
    User myuser
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no
    ForwardX11 no
    PermitLocalCommand no
    HashKnownHosts yes
    SendEnv LANG LC_*

Conclusion

You’ve successfully set up a secure SSH server on Alpine Linux! Your configuration now includes:

  ✅ Hardened SSH security settings
  ✅ Key-based authentication
  ✅ Access control and restrictions
  ✅ Monitoring and logging
  ✅ Fail2ban protection
  ✅ Performance optimizations

Remember: SSH security is crucial for server protection. Regularly review and update your configuration! 🔐