SSH Administration on Linux — Server, Keys, Hardening, SCP, SFTP & Tunneling

[Murali Krishna]

SSH Administration on Linux — Server, Keys, Hardening, SCP, SFTP & Tunneling
A clear, practical guide to secure remote access and file transfer, with copy-ready commands (AlmaLinux 9 / RHEL 9)

─────────────────────────────────────────

What is SSH, in plain words?
SSH (Secure Shell) is an encrypted tunnel between two machines. It lets you log in to a remote server's command line, copy files, and forward network traffic — all scrambled so nobody on the network can read it. It's the standard way every Linux server is administered remotely.

─────────────────────────────────────────

1 SSH Server — getting it running

The server side is the sshd service (OpenSSH daemon). It's usually pre-installed on AlmaLinux 9.

Install, enable and check

Code: Select all

dnf install -y openssh-server        # install if missing
systemctl enable --now sshd          # start now + at every boot
systemctl status sshd                # confirm it's running

Open the firewall (firewalld on AlmaLinux 9)

Code: Select all

firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

Connect from another machine

Code: Select all

ssh username@192.168.1.50            # default port 22
ssh -p 2222 username@192.168.1.50    # if you changed the port

Tip: The main config file is /etc/ssh/sshd_config. After any change, test it with "sshd -t" before restarting, so a typo doesn't lock you out.

─────────────────────────────────────────

2 Key Authentication — log in without passwords

Instead of typing a password, you use a key pair: a private key that stays secret on your machine, and a public key you place on the server. Think of it as a lock (public) and the only matching key (private). It's far more secure than a password and can't be brute-forced.

Step 1 — Generate a key pair (on your client)

Code: Select all

ssh-keygen -t ed25519 -C "you@example.com"
# Ed25519 is modern and strong. Accept the default path, set a passphrase.

Step 2 — Copy the public key to the server

Code: Select all

ssh-copy-id -p 22 username@192.168.1.50
# This appends your public key to the server's ~/.ssh/authorized_keys

Step 3 — Test it

Code: Select all

ssh username@192.168.1.50            # should log in using the key, no password

WARNING: Never share or copy your PRIVATE key (the file without ".pub"). Only the .pub file goes on servers. Protect the private key with a passphrase so a stolen laptop doesn't equal a stolen server.

─────────────────────────────────────────

3 SSH Hardening — lock the front door

Once key login works, tighten the server. Edit /etc/ssh/sshd_config and set these:

Recommended settings

Code: Select all

PermitRootLogin no              # never log in directly as root
PasswordAuthentication no       # keys only - disables password guessing
PubkeyAuthentication yes        # allow key auth
Port 2222                       # optional: move off the default 22
AllowUsers murali admin         # only these users may log in
MaxAuthTries 3                  # fewer guesses before disconnect
ClientAliveInterval 300         # drop idle sessions after 5 min
X11Forwarding no                # off unless you need GUI forwarding

If you change the port, tell SELinux and firewalld first

Code: Select all

semanage port -a -t ssh_port_t -p tcp 2222     # SELinux: allow new port
firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --reload

Apply changes safely

Code: Select all

sshd -t                         # syntax-check the config FIRST
systemctl restart sshd

WARNING — don't lock yourself out: Before setting PasswordAuthentication no, make 100% sure key login already works. Keep a second SSH session open while testing, so if something breaks you still have a way back in.

─────────────────────────────────────────

4 SCP — copy files quickly

SCP copies files over SSH in a single command — great for one-off transfers.

Copy TO the server (upload)

Code: Select all

scp file.txt username@192.168.1.50:/home/username/
scp -P 2222 file.txt username@192.168.1.50:/tmp/    # note: capital -P for port

Copy FROM the server (download)

Code: Select all

scp username@192.168.1.50:/var/log/app.log ./

Copy a whole folder

Code: Select all

scp -r myfolder/ username@192.168.1.50:/home/username/

Tip: scp uses capital -P for the port, while ssh uses lowercase -p. Easy to mix up.

─────────────────────────────────────────

5 SFTP — interactive file transfer

SFTP is like an FTP session but fully encrypted over SSH. Good when you want to browse and move several files interactively.

Start a session and move around

Code: Select all

sftp username@192.168.1.50

# inside the sftp prompt:
ls                 # list remote files
lls                # list LOCAL files
cd /var/www        # change remote directory
get report.pdf     # download a file
put backup.tar.gz  # upload a file
bye                # quit

Tip: Commands starting with "l" (lls, lcd) act on your LOCAL machine; the others act on the remote server.

─────────────────────────────────────────

6 SSH Tunneling — forwarding traffic securely

Tunneling wraps other network traffic inside the encrypted SSH connection. Useful for reaching services that aren't exposed to the internet.

Local forwarding — reach a remote service as if it were local

Code: Select all

# "Make the server's database (port 3306) appear on my localhost:3306"
ssh -L 3306:localhost:3306 username@192.168.1.50
# Now connect a local tool to 127.0.0.1:3306

Remote forwarding — expose a local service to the remote side

Code: Select all

# "Let the server reach my local app (port 8080) via its own localhost:8080"
ssh -R 8080:localhost:8080 username@192.168.1.50

Dynamic forwarding — a quick SOCKS proxy

Code: Select all

ssh -D 1080 username@192.168.1.50
# Point your browser's SOCKS proxy at 127.0.0.1:1080 to browse via the server

Tip: Remember the directions: -L = pull a remote service toward you (Local). -R = push a local service out to the remote (Remote). -D = a flexible SOCKS proxy (Dynamic).

─────────────────────────────────────────

Quick Reference Cheat Sheet

• Connect — ssh user@host (use -p PORT)
• Enable server — systemctl enable --now sshd
• Open firewall — firewall-cmd --permanent --add-service=ssh ; --reload
• Make key — ssh-keygen -t ed25519
• Install key — ssh-copy-id user@host
• Test config — sshd -t
• Harden — PermitRootLogin no ; PasswordAuthentication no
• Change port (SELinux) — semanage port -a -t ssh_port_t -p tcp 2222
• Upload (scp) — scp file user@host:/path/ (use -P PORT)
• Download (scp) — scp user@host:/path/file ./
• Interactive transfer — sftp user@host
• Local tunnel — ssh -L 3306:localhost:3306 user@host
• Remote tunnel — ssh -R 8080:localhost:8080 user@host
• SOCKS proxy — ssh -D 1080 user@host

─────────────────────────────────────────

How do you harden SSH on your boxes — custom port, keys only, fail2ban, allowlists? Share your config below.