Setting Up SSH Server in Alpine Linux
SSH (Secure Shell) is essential for remote server management. Alpine Linux provides OpenSSH for secure remote access. Let’s set up a robust and secure SSH server! 🔒
Understanding SSH in Alpine Linux
SSH provides:
- Encrypted Communication: All data is encrypted
- Authentication: Multiple authentication methods
- Port Forwarding: Tunnel other protocols
- File Transfer: SCP and SFTP support
- Remote Command Execution: Run commands remotely
Prerequisites
Before setting up SSH:
- Alpine Linux system with root access (the commands below use sudo; a fresh Alpine install ships neither sudo nor doas, so run them as root or install one of the two first)
- Network connectivity
- Basic understanding of Linux permissions
- Security awareness, and a second way in (console access, or an existing session you keep open) while you change sshd_config, so one mistake does not lock you out
Step 1: Install OpenSSH Server
Install OpenSSH Package
# Update the package index
sudo apk update
# Install OpenSSH server, client and sftp-server (the openssh metapackage pulls in all three)
sudo apk add openssh
# Listing the client and sftp-server pieces explicitly is harmless but redundant
sudo apk add openssh-client openssh-sftp-server
Verify Installation
# Check client version
ssh -V
# Check server version (older releases that do not accept -V still print it at the top of their usage text)
sshd -V
# List the files installed by the package
apk info -L openssh
Step 2: Initial SSH Configuration
Configure SSH Service
# Enable SSH service at boot
sudo rc-update add sshd default
# Start SSH service (the init script creates any missing host keys on first start)
sudo rc-service sshd start
# Check service status
sudo rc-service sshd status
Basic Configuration File
# Backup original configuration
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
Step 3: Security Hardening
Essential Security Settings
# Edit sshd_config for security
sudo nano /etc/ssh/sshd_config
Add/modify these settings:
# Listening port. Moving off 22 only cuts scanner noise in the logs; it is not a
# security control, and a port above 1023 can be taken by any local user while
# sshd is not running. If you change it, update firewall and fail2ban rules too.
Port 2222
# Protocol 1 was removed in OpenSSH 7.4, so "Protocol 2" is no longer needed;
# current releases simply ignore the keyword.
# Disable root login (the default is prohibit-password; "no" also refuses keys)
PermitRootLogin no
# Key-only authentication. Leave PasswordAuthentication at yes until an
# authorized key is in place (Step 4), then switch it off. Switch off
# keyboard-interactive as well (ChallengeResponseAuthentication on OpenSSH
# older than 8.7): it is the route PAM password prompts take, and it is
# re-enabled only for two-factor login in Step 5.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# Disable empty passwords
PermitEmptyPasswords no
# Maximum authentication attempts per connection
MaxAuthTries 3
# Seconds a client may spend authenticating before it is dropped
LoginGraceTime 60
# Refuse key files and directories with lax permissions
StrictModes yes
# Disable X11 forwarding (unless needed)
X11Forwarding no
# Disable TCP forwarding globally; re-enable it per user with Match (Step 8)
AllowTcpForwarding no
# Drop sessions whose client stops answering (2 x 300 s)
ClientAliveInterval 300
ClientAliveCountMax 2
# Host keys: listing only these two means the ECDSA key sshd would otherwise load is not offered
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Ciphers and algorithms: AEAD and encrypt-then-MAC first, no CBC modes, no SHA-1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Apply Configuration
# Test the configuration syntax; sshd refuses to start on an error
# (sshd -T prints the effective configuration, defaults included, once it parses)
sudo sshd -t
# Restart SSH service; keep the current session open and test a fresh login from
# a second terminal before you close it
sudo rc-service sshd restart
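To catch the usual sshd_config mistakes before restarting the daemon (a weak value left at its default, the obsolete Protocol line, or an authentication directive that landed below a Match block and therefore applies only to that block), here is an offline audit script. It is an added example written for this page, not part of the page's original procedure or of OpenSSH; it reads the file the way sshd does (the first occurrence of a keyword wins, and everything after a Match line belongs to that block), and the weak and hardened sample configurations it carries are constructed for illustration. sshd -t and sshd -T remain the authoritative checks.

```shell
#!/bin/sh
# Offline audit of an sshd_config. Assumptions (not from the page): plain
# keyword/value syntax; only lines before the first "Match" are global, because
# everything after a Match line belongs to that block. Exit status = findings.

# Effective global value of KEYWORD in FILE (first occurrence wins, as in sshd).
sshd_global_value() {  # FILE KEYWORD
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }
    ' "$1"
}

# Authentication directives that appear after a Match line: they are scoped to
# that block even though the author usually meant them globally.
sshd_scoped_after_match() {  # FILE
    awk '
        BEGIN {
            watch["passwordauthentication"] = 1; watch["kbdinteractiveauthentication"] = 1
            watch["challengeresponseauthentication"] = 1; watch["permitrootlogin"] = 1
            watch["pubkeyauthentication"] = 1; watch["maxauthtries"] = 1
            watch["permitemptypasswords"] = 1; watch["x11forwarding"] = 1
        }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch && (tolower($1) in watch) { print "line " NR ": " $1 " " $2 }
    ' "$1"
}

# Print every finding and return how many there were (0 = nothing to fix).
sshd_config_audit() {  # FILE
    audit_file=$1; audit_n=0
    want_value() {  # KEYWORD WANTED DEFAULT
        v=$(sshd_global_value "$audit_file" "$1"); [ -n "$v" ] || v=$3
        if [ "$v" != "$2" ]; then
            echo "WEAK: $1 is '$v' (want $2)"; audit_n=$((audit_n + 1))
        fi
    }
    want_value PermitRootLogin no prohibit-password
    want_value PasswordAuthentication no yes
    want_value PermitEmptyPasswords no no
    want_value PubkeyAuthentication yes yes
    want_value X11Forwarding no no
    # Keyboard-interactive is the route PAM/password prompts take even when
    # PasswordAuthentication is off; ChallengeResponseAuthentication is its old name.
    kbd=$(sshd_global_value "$audit_file" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_global_value "$audit_file" ChallengeResponseAuthentication)
    [ -n "$kbd" ] || kbd=yes
    if [ "$kbd" != no ]; then
        echo "WEAK: KbdInteractiveAuthentication is '$kbd' (want no)"; audit_n=$((audit_n + 1))
    fi
    tries=$(sshd_global_value "$audit_file" MaxAuthTries); [ -n "$tries" ] || tries=6
    if [ "$tries" -gt 4 ]; then
        echo "WEAK: MaxAuthTries is $tries (want 4 or fewer)"; audit_n=$((audit_n + 1))
    fi
    if [ -n "$(sshd_global_value "$audit_file" Protocol)" ]; then
        echo "OBSOLETE: Protocol is ignored by current OpenSSH; remove it"; audit_n=$((audit_n + 1))
    fi
    scoped=$(sshd_scoped_after_match "$audit_file")
    if [ -n "$scoped" ]; then
        printf 'SCOPED (only applies inside a Match block):\n%s\n' "$scoped"
        audit_n=$((audit_n + $(printf '%s\n' "$scoped" | wc -l)))
    fi
    return $audit_n
}

# Constructed sample: the mistakes above in one file.
sshd_sample_weak() {
    cat <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
Match Address 192.168.1.0/24
    PasswordAuthentication no
EOF
}

# Constructed sample: the Step 3 settings, with the Match block last.
sshd_sample_hardened() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
EOF
}
```

Run it against the live file with sshd_config_audit /etc/ssh/sshd_config; a non-zero exit status is the number of findings, so it drops straight into a deploy pipeline. The weak sample scores seven: the PasswordAuthentication no below the Match line is the finding that bites hardest in practice, because sshd -t accepts that file without complaint.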
Step 4: SSH Key Management
Generate Host Keys
# Generate host keys only if they are missing: the init script creates them on
# first start, and ssh-keygen -A creates any that are absent
sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
# Set proper permissions (private keys readable by root only; clients will warn
# about a changed host key after you regenerate one)
sudo chmod 600 /etc/ssh/ssh_host_*_key
sudo chmod 644 /etc/ssh/ssh_host_*_key.pub
Create User SSH Keys
# As a regular user on your workstation, generate an Ed25519 key pair (the comment is only a label)
ssh-keygen -t ed25519 -C "user@example.com"
# Or use RSA (4096 bits) where the other side does not support Ed25519
ssh-keygen -t rsa -b 4096 -C "user@example.com"
# Set correct permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_*
chmod 644 ~/.ssh/id_*.pub
Set Up Authorized Keys
# On the server: create the user's SSH directory
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Add the public key to authorized_keys (paste it in; the private key never leaves the client)
cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
# Or push it from the client while password login still works. Do this before
# setting PasswordAuthentication no, and confirm a key login succeeds before
# you disable passwords
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@alpine-server
# Set correct permissions (StrictModes rejects group- or world-writable files)
chmod 600 ~/.ssh/authorized_keys
Step 5: Advanced Authentication
Configure Two-Factor Authentication
# Install the PAM-enabled sshd build and the Google Authenticator PAM module.
# Alpine's stock sshd is built without PAM, so the sshd the init script starts
# must be the one from openssh-server-pam.
sudo apk add openssh-server-pam google-authenticator
# Each user enrols once: this writes ~/.google_authenticator and prints the
# TOTP secret and QR code (time-based, no code reuse, write without asking)
google-authenticator -t -d -f
# Configure PAM (create the file if the package did not ship one)
sudo nano /etc/pam.d/sshd
Add to PAM configuration:
# Two-factor authentication: the TOTP prompt. Add "nullok" while users are
# still enrolling, otherwise anyone without ~/.google_authenticator is locked
# out. If this file also pulls in the system password stack (pam_unix), the
# keyboard-interactive step asks for the password as well as the code.
auth required pam_google_authenticator.so
Update SSH configuration:
# In /etc/ssh/sshd_config
UsePAM yes
# Keyboard-interactive carries the TOTP prompt (ChallengeResponseAuthentication on OpenSSH older than 8.7)
KbdInteractiveAuthentication yes
PasswordAuthentication no
# Require the key AND the code, not either one on its own
AuthenticationMethods publickey,keyboard-interactive
Set Up Certificate Authentication
# Generate the CA key pair (the private half stays off the servers)
ssh-keygen -t ed25519 -f ssh_ca_key -C "SSH user CA"
# Sign a user's public key: -I is the key ID sshd logs, -n the principal
# (the login name, unless AuthorizedPrincipalsFile maps principals to users),
# -V the validity; the result is user_key-cert.pub, kept next to the private key on the client
ssh-keygen -s ssh_ca_key -I "user@example.com" -n user -V +52w user_key.pub
# Install the CA public key on the server and tell sshd to trust it
sudo cp ssh_ca_key.pub /etc/ssh/ca.pub
echo "TrustedUserCAKeys /etc/ssh/ca.pub" | sudo tee -a /etc/ssh/sshd_config
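The whole certificate life cycle, run in a scratch directory so it can be tried safely: create a CA, sign a user key with named principals, a serial and a one-day validity, inspect the certificate, confirm that the signing-CA fingerprint is really ours, then revoke the certificate with a KRL (the file RevokedKeys in sshd_config points at). This is an added example for this page, not OpenSSH's own code or the page's procedure; the key names, the principals alice and deploy and the key ID alice-laptop are illustrative, and nothing under /etc/ssh is touched.

```shell
#!/bin/sh
# SSH certificate workflow end to end, in a scratch directory: create a CA,
# sign a user key with named principals, a serial and a short validity,
# verify the certificate really names our CA, then revoke it with a KRL.
# Added example for this page; key names, principals and key ID are illustrative
# and nothing under /etc/ssh is touched. Needs ssh-keygen from OpenSSH.
set -eu

# Run the steps inside directory D; every step returns on failure so the caller sees it.
ssh_ca_steps() {  # D
    d=$1
    # 1. CA key pair: ssh_ca.pub is what servers get (TrustedUserCAKeys);
    #    ssh_ca (private) stays off the servers.
    ssh-keygen -q -t ed25519 -N '' -C 'example user CA' -f "$d/ssh_ca" || return 1
    # 2. The user's key pair, normally generated on the client.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@example.com' -f "$d/alice_key" || return 1
    # 3. Sign it. -I is the key ID that sshd logs, -n the principals (login names)
    #    the certificate is valid for, -z a serial a KRL can revoke by, -V the lifetime.
    ssh-keygen -q -s "$d/ssh_ca" -I alice-laptop -n alice,deploy -z 1001 -V +1d \
        "$d/alice_key.pub" || return 1
    # 4. Inspect the certificate and confirm the properties we set.
    ssh-keygen -L -f "$d/alice_key-cert.pub" > "$d/cert.txt" || return 1
    grep -q 'Key ID: "alice-laptop"' "$d/cert.txt" || return 1
    grep -qE '^[ \t]+deploy$' "$d/cert.txt" || return 1
    grep -q 'Serial: 1001' "$d/cert.txt" || return 1
    # 5. The "Signing CA" fingerprint must be our CA's; a certificate from any
    #    other CA is rejected by a server that trusts only ssh_ca.pub.
    ca_fp=$(ssh-keygen -l -f "$d/ssh_ca.pub" | awk '{print $2}')
    cert_fp=$(awk '/Signing CA:/ {print $4}' "$d/cert.txt")
    [ -n "$ca_fp" ] && [ "$ca_fp" = "$cert_fp" ] || return 1
    # 6. Revoke: a KRL listed under RevokedKeys in sshd_config blocks the
    #    certificate (by serial, under this CA) while the bare key stays untouched.
    ssh-keygen -q -k -f "$d/revoked.krl" "$d/alice_key-cert.pub" || return 1
    ssh-keygen -Q -f "$d/revoked.krl" "$d/alice_key-cert.pub" | grep -q 'REVOKED' || return 1
    ssh-keygen -Q -f "$d/revoked.krl" "$d/alice_key.pub" | grep -q ': ok$' || return 1
}

# Wrapper: 0 = every step behaved, 1 = a step failed, 2 = ssh-keygen missing.
ssh_ca_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; return 2; }
    work=$(mktemp -d)
    if ssh_ca_steps "$work"; then rc=0; else rc=$?; fi
    rm -rf "$work"
    return $rc
}

case "${1:-}" in
    run) ssh_ca_demo && echo "certificate workflow OK" ;;
esac
```

Run it with sh ssh-ca-demo.sh run. Step 5 is the check that matters operationally: a server configured with TrustedUserCAKeys accepts any certificate whose signing CA matches that file, so the fingerprint comparison is exactly the trust decision sshd makes. Step 6 is why serials (-z) are worth setting: a KRL entry by serial revokes one certificate without touching the user's key, and the plain alice_key.pub still reports ok.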
Step 6: Access Control
User and Group Restrictions
# In /etc/ssh/sshd_config
# Evaluation order is DenyUsers, AllowUsers, DenyGroups, AllowGroups; once an
# Allow* directive exists, everyone it does not list is refused
# Allow specific users (user@host patterns such as alice@192.168.1.* also work)
AllowUsers alice bob charlie
# Allow specific groups
AllowGroups sshusers admin
# Deny specific users
DenyUsers baduser
# Deny specific groups
DenyGroups notssh
IP-based Restrictions
# A Match block extends to the next Match or the end of the file, so keep all
# Match blocks at the very end of sshd_config: a global setting placed after
# one silently becomes part of it.
# Relax to password login only from the trusted LAN (everything else stays key-only)
Match Address 192.168.1.0/24
PasswordAuthentication yes
# Tighten for another network: fewer attempts and one permitted group
Match Address 10.0.0.0/8
MaxAuthTries 2
AllowGroups admin
# Give one user, from one address, the TCP forwarding that is off globally
Match User alice Address 192.168.1.100
AllowTcpForwarding yes
Check what a particular connection would get with sshd -T -C user=alice,addr=192.168.1.100, which resolves the Match blocks for that user and address.
Chroot Restrictions
# Chroot SFTP users (a Match block, so it goes at the end of sshd_config)
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Set up chroot environment:
# Create the group the Match block refers to, then an SFTP-only user in it
sudo addgroup sftponly
sudo adduser -D sftpuser
sudo addgroup sftpuser sftponly
sudo passwd sftpuser
# The chroot directory and every directory above it must be owned by root and
# not writable by group or others, or sshd refuses the login with "bad ownership
# or modes for chroot directory"; the user gets writable subdirectories instead
sudo mkdir -p /home/sftpuser/uploads /home/sftpuser/downloads
sudo chown root:root /home/sftpuser
sudo chmod 755 /home/sftpuser
sudo chown sftpuser:sftpuser /home/sftpuser/uploads /home/sftpuser/downloads
# With key-only login, /home/sftpuser/.ssh/authorized_keys is owned by the user;
# sshd reads it before chrooting, so it may live inside the root-owned home
Step 7: SSH Banner and MOTD
Configure Login Banner
# Create banner file
sudo nano /etc/ssh/banner.txt
Add warning message:
********************************************************************
* AUTHORIZED ACCESS ONLY *
* Unauthorized access to this system is forbidden and will be *
* prosecuted by law. By accessing this system, you consent to *
* monitoring and recording of all activities. *
********************************************************************
Update SSH configuration:
# In /etc/ssh/sshd_config
Banner /etc/ssh/banner.txt
Configure MOTD
# Edit message of the day
sudo nano /etc/motd
sshd prints /etc/motd verbatim after login (PrintMotd yes is the default), so shell substitutions such as $(hostname) would appear literally. Keep the file static, or have a cron job or an /etc/profile.d script regenerate it with live values:
Welcome to Alpine Linux SSH Server
This host is managed by the infrastructure team.
Please follow security policies and report any issues.
Step 8: Port Forwarding and Tunneling
Configure Port Forwarding
# In /etc/ssh/sshd_config (Match blocks go at the end of the file)
# Enable forwarding for one user, limited to two local targets
Match User developer
AllowTcpForwarding yes
# PermitOpen limits -L destinations; PermitListen does the same for -R
PermitOpen localhost:3000 localhost:8080
# Let this user's -R forwards bind to non-loopback addresses on the server.
# The default, no, keeps remote forwards reachable only from the server itself;
# clientspecified exposes whatever the client asks for to the network
GatewayPorts clientspecified
SSH Tunnel Examples
# Local port forwarding (client)
ssh -L 8080:localhost:80 user@server
# Remote port forwarding (client)
ssh -R 9090:localhost:3000 user@server
# Dynamic port forwarding (SOCKS proxy)
ssh -D 1080 user@server
# Persistent tunnel with autossh (apk add autossh); -M 20000 is the monitoring port it uses to detect a dead link
autossh -M 20000 -f -N -L 8080:localhost:80 user@server
Step 9: Monitoring and Logging
Configure SSH Logging
# In /etc/ssh/sshd_config
LogLevel VERBOSE
SyslogFacility AUTH
Set Up Log Monitoring
# Monitor SSH logs in real time (Alpine's busybox syslogd writes to /var/log/messages)
tail -f /var/log/messages | grep sshd
# Check authentication attempts ("Failed publickey" lines only appear with LogLevel VERBOSE)
grep "sshd" /var/log/messages | grep -E "(Accepted|Failed|Invalid user)"
# Create log analysis script
sudo tee /usr/local/bin/ssh-log-monitor.sh > /dev/null << 'EOF'
#!/bin/sh
# Summarise recent sshd activity from the busybox syslog file
LOG=/var/log/messages
echo "=== SSH Login Analysis ==="
echo "Date: $(date)"
echo
echo "Successful logins:"
grep "sshd.*Accepted" "$LOG" | tail -10
printf '\nFailed attempts:\n'
grep -E "sshd.*(Failed|Invalid user)" "$LOG" | tail -10
printf '\nTop IPs with failed attempts:\n'
# The address follows "from"; this avoids \b, which busybox grep may not support
grep -E "sshd.*(Failed|Invalid user)" "$LOG" | \
grep -oE "from ([0-9]{1,3}\.){3}[0-9]{1,3}" | awk '{print $2}' | \
sort | uniq -c | sort -rn | head -10
EOF
sudo chmod +x /usr/local/bin/ssh-log-monitor.sh
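Beyond counting, the facts worth pulling out of these lines are which addresses are failing and how often (the same input fail2ban's maxretry works from), which usernames the scanners are trying, and which key fingerprint every successful login used, which is what LogLevel VERBOSE buys you. The functions below do that over a sample log. This is an added example for this page, not the page's own script or part of any tool; the log lines are constructed in the format Alpine's busybox syslogd writes to /var/log/messages, with documentation addresses and made-up fingerprints.

```shell
#!/bin/sh
# Pull the facts that matter out of sshd's log lines: which IPs are failing
# and how often, which usernames the scanners try, and which key fingerprint
# every successful login used (fingerprints are logged at LogLevel VERBOSE).
# Added example for this page; the sample lines below are constructed in the
# format Alpine's busybox syslogd writes to /var/log/messages.

# Constructed sample log (not real traffic).
ssh_sample_log() {
    cat <<'EOF'
Jan 10 09:00:01 alpine auth.info sshd[2301]: Accepted publickey for alice from 192.168.1.20 port 50122 ssh2: ED25519 SHA256:3aUqPq6Wb1k0J7xgn4vJYt3c9m2yD0fGQ8eHkZ1pT4o
Jan 10 09:00:05 alpine auth.info sshd[2310]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jan 10 09:00:07 alpine auth.info sshd[2312]: Invalid user admin from 203.0.113.5 port 41023
Jan 10 09:00:07 alpine auth.info sshd[2312]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Jan 10 09:00:09 alpine auth.info sshd[2314]: Failed password for invalid user oracle from 203.0.113.5 port 41024 ssh2
Jan 10 09:00:12 alpine auth.info sshd[2316]: Failed password for root from 203.0.113.5 port 41025 ssh2
Jan 10 09:01:00 alpine auth.info sshd[2320]: Failed publickey for bob from 198.51.100.7 port 39000 ssh2: RSA SHA256:Rk9tL2v8Qw1ZxY0cN4pB7mH6sD3fG5jK8lA9eT1uV2o
Jan 10 09:01:30 alpine auth.info sshd[2322]: Accepted publickey for bob from 198.51.100.7 port 39001 ssh2: ED25519 SHA256:ZxQ1w2E3r4T5y6U7i8O9p0A1s2D3f4G5h6J7k8L9z0X
Jan 10 09:02:00 alpine auth.info sshd[2330]: Failed password for invalid user test from 192.0.2.44 port 55011 ssh2
Jan 10 09:02:01 alpine auth.info sshd[2330]: Connection closed by invalid user test 192.0.2.44 port 55011 [preauth]
Jan 10 09:03:00 alpine auth.info sshd[2340]: Accepted publickey for alice from 192.168.1.20 port 50130 ssh2: ED25519 SHA256:3aUqPq6Wb1k0J7xgn4vJYt3c9m2yD0fGQ8eHkZ1pT4o
EOF
}

# "count ip" per source address of failed attempts, most active first.
ssh_failed_by_ip() {  # LOGFILE
    grep -E 'sshd\[[0-9]+]: Failed ' "$1" |
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") c[$(i + 1)]++ }
         END { for (ip in c) print c[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Addresses at or above THRESHOLD failures: what fail2ban's maxretry would ban.
ssh_ban_candidates() {  # LOGFILE THRESHOLD
    ssh_failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Usernames that do not exist here: the scanner wordlist, a sanity check for AllowUsers.
ssh_invalid_users() {  # LOGFILE
    grep -oi 'invalid user [^ ]*' "$1" | awk '{ print $3 }' | sort -u
}

# "user ip fingerprint" for each successful key login, one line per distinct triple.
ssh_accepted_keys() {  # LOGFILE
    grep -E 'sshd\[[0-9]+]: Accepted publickey' "$1" |
    awk '{ for (i = 1; i < NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") ip = $(i + 1) }
           print u, ip, $NF }' | sort -u
}
```

Against the real file: ssh_accepted_keys /var/log/messages is the list to compare with the fingerprints you expect in authorized_keys (ssh-keygen -lf ~/.ssh/authorized_keys prints them); a fingerprint you do not recognise is a login with a key you did not authorise. ssh_ban_candidates /var/log/messages 3 reproduces, without the time window, what the fail2ban jail in Step 10 bans.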
Step 10: Fail2ban Integration
Install and Configure Fail2ban
# Install fail2ban plus a firewall backend its ban action can drive (iptables here)
sudo apk add fail2ban iptables
# Local overrides go in jail.local, never in jail.conf (replaced on upgrade)
sudo nano /etc/fail2ban/jail.local
Add configuration:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
# Never ban localhost or the management network
ignoreip = 127.0.0.1/8 192.168.1.0/24
[sshd]
enabled = true
# Must match the Port line in sshd_config
port = 2222
filter = sshd
# Alpine's busybox syslogd writes sshd messages here
logpath = /var/log/messages
maxretry = 3
bantime = 3600
Start fail2ban, then confirm that the filter actually matches your log lines (fail2ban-regex /var/log/messages sshd) and that the jail is active (fail2ban-client status sshd):
sudo rc-update add fail2ban default
sudo rc-service fail2ban start
Step 11: Performance Optimization
Connection Multiplexing
# Client-side SSH config (on your workstation)
cat >> ~/.ssh/config << 'EOF'
Host *
# Reuse one authenticated connection for later sessions to the same host, port and user
ControlMaster auto
ControlPath ~/.ssh/control:%h:%p:%r
ControlPersist 10m
# Compression helps on slow links and costs CPU on fast ones; move it under the Host entries that need it
Compression yes
ServerAliveInterval 60
ServerAliveCountMax 3
EOF
Server Optimization
# In /etc/ssh/sshd_config
# Skip the reverse DNS lookup on connect (slow logins when DNS is broken)
UseDNS no
# Kerberos/GSSAPI is rarely used; turning it off shortens the authentication negotiation
GSSAPIAuthentication no
# "delayed" is only a legacy synonym for "yes"; leave compression off on the
# server and let clients request it per host where the link is slow
Compression no
# TCP keepalives detect dead peers (this is the default)
TCPKeepAlive yes
Step 12: Backup and Recovery
Backup SSH Configuration
#!/bin/sh
# SSH backup script: run as root. The archive contains the private host keys,
# so it is created readable by root only; store it encrypted off the box.
set -e
umask 077
BACKUP_DIR="/backup/ssh"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"
# Backup configuration files and host keys (ca.pub only if it exists)
files="/etc/ssh/sshd_config /etc/ssh/ssh_config /etc/ssh/ssh_host_*_key*"
[ -f /etc/ssh/ca.pub ] && files="$files /etc/ssh/ca.pub"
tar -czf "$BACKUP_DIR/ssh_config_$DATE.tar.gz" $files
# Backup users' authorized_keys (their private keys stay on their own machines)
tar -czf "$BACKUP_DIR/ssh_users_$DATE.tar.gz" /home/*/.ssh/authorized_keys
echo "SSH backup completed: $BACKUP_DIR"
Troubleshooting Common Issues
Connection Refused
# Check if SSH is running
ps aux | grep sshd
# Check if the port is listening (busybox netstat)
netstat -tlnp | grep :2222
# Check the firewall (iptables; on nftables hosts inspect nft list ruleset instead)
iptables -L -n | grep 2222
Authentication Failures
# Debug SSH connection
ssh -vvv user@server
# Check permissions
ls -la ~/.ssh/
ls -la ~/.ssh/authorized_keys
# Check SSH logs
sudo tail -f /var/log/messages | grep sshd
Performance Issues
# Check system resources
top
free -m
# Monitor network (iftop is in the iftop package)
iftop -i eth0
# Check SSH connections (ss comes with apk add iproute2; netstat -tn works without it)
ss -tn | grep :2222
Security Best Practices
- Use Key-Based Authentication: Disable password authentication
- Change Default Port: Moving off port 22 cuts scanner noise, but it is not a security control on its own
- Limit User Access: Use AllowUsers/AllowGroups
- Regular Updates: Keep OpenSSH updated
- Monitor Logs: Watch for suspicious activity
- Use Fail2ban: Prevent brute force attacks
- Strong Encryption: Use modern ciphers only
- Regular Audits: Review configurations periodically
SSH Client Configuration
Create a secure client configuration:
# ~/.ssh/config
Host alpine-server
HostName server.example.com
Port 2222
User myuser
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yes
ForwardAgent no
ForwardX11 no
PermitLocalCommand no
HashKnownHosts yes
SendEnv LANG LC_*
Conclusion
You’ve successfully set up a secure SSH server on Alpine Linux! Your configuration now includes:
✅ Hardened SSH security settings ✅ Key-based authentication ✅ Access control and restrictions ✅ Monitoring and logging ✅ Fail2ban protection ✅ Performance optimizations
Remember: SSH security is crucial for server protection. Regularly review and update your configuration! 🔐