Install and configure SSH on Debian or Ubuntu

SSH is a protocol that enables secure connections over unsecured networks. It supports public-key (asymmetric) cryptography for user authentication: the private key stays on the local machine and is never sent anywhere, while only the public key is stored on the remote machine.

The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.

In this example, the name of the remote machine is debian-server, which has the address 192.168.1.10 on the network. sid is a user on debian-server, whereas bookworm is a user on the local machine. Choose an encryption passphrase to secure the private key that you will generate in Step 5.

On the remote machine

Step 1

Install the secure shell server with the following command:

$ sudo apt install --yes openssh-server

Step 2

If you are using ufw as a host-based firewall

Configure ufw to allow connections to the secure shell server. The limit rule allows the connection but rate-limits it: an address that opens six or more connections within 30 seconds is denied for a while, which blunts password guessing until the key-only configuration of Step 9 is in place.

$ sudo ufw limit ssh

If you are using firewalld as a host-based firewall

Configure firewalld to allow connections to the secure shell server.

$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 3

Restrict access to the remote machine to members of a specific group. Start by creating the group ssh-users.

$ sudo addgroup --system ssh-users

Add the user sid to the group ssh-users.

$ sudo adduser sid ssh-users

On the local machine

Step 4

Install the secure shell client with the following command.

$ sudo apt install openssh-client

Step 5

Generate a new key pair for the local user bookworm:

$ ssh-keygen -t ed25519 -o -a 100

Save the key pair to the directory /home/bookworm/.ssh/. Choose a name that facilitates easy identification. Ed25519 keys are always written in the new OpenSSH private key format, so -o is implied; -a 100 raises the number of KDF rounds used to derive the encryption key from the passphrase, which makes offline guessing of the passphrase correspondingly slower.

Enter file in which to save the key (/home/bookworm/.ssh/id_ed25519): ~/.ssh/id_ed25519-debian-server

The use of an appropriate passphrase to secure the private key is mandatory.

Step 6

Create the file ~/.ssh/config to configure the secure shell client.

$ nano ~/.ssh/config

Add the following minimal entry for the host debian-server. With IdentitiesOnly yes and no IdentityFile given, the client offers only the key named explicitly with -i (Steps 7 and 8) rather than every key in ~/.ssh or in the agent, so the server is not shown keys it has no business seeing and no authentication attempts are wasted on the wrong ones.

Host debian-server
   Hostname 192.168.1.10
   IdentitiesOnly yes

Step 7

Deploy the public key with the following command.

$ ssh-copy-id -i ~/.ssh/id_ed25519-debian-server.pub sid@debian-server

Step 8

Log into the remote machine.

$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server

When prompted to confirm the authenticity of the host debian-server, do not simply type yes: compare the fingerprint shown with the one of the server's own host key, which you can obtain at the console of debian-server by running ssh-keygen -l on /etc/ssh/ssh_host_ed25519_key.pub. Only if the two match, type yes and press [Enter]; the key is then recorded in ~/.ssh/known_hosts and checked on every later connection.

The authenticity of host 'debian-server (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? 

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':

Step 9

On the remote machine, download a file to harden the ssh server. You are encouraged to inspect its contents before activating it. The stock sshd_config on Debian and Ubuntu begins with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for an option, so a drop-in in that directory overrides the defaults; it must end in .conf to be read at all. Check the syntax with sshd -t before restarting, because a typo leaves the server unable to start.

$ sudo -- bash -c 'wget -P /etc/ssh/sshd_config.d/ --show-progress https://edafe.de/debian/sshd_config.conf'

Activate the modifications on the remote machine. Keep the session from Step 8 open: restarting the service does not terminate existing connections, and that session is your way back in should the new configuration lock you out.

$ sudo systemctl restart ssh.service

Step 10

On the local machine, open a new terminal window and, leaving the session from Step 8 untouched, run the following command.

$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':

Display the active configuration for the remote ssh server and verify its settings, paying particular attention to maxauthtries, permitrootlogin, passwordauthentication and allowgroups, the last being the option that restricts logins to members of ssh-users.

$ sudo sshd -T
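The following script is an added example and is not the file served from edafe.de nor part of OpenSSH: it writes a hardening drop-in of the kind Step 9 installs and checks the effective configuration that Step 10 displays. It assumes the Debian/Ubuntu openssh-server package, whose stock sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and it parses the lowercase "option value" lines that sshd -T prints. The two sshd -T excerpts embedded in it are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not the file from edafe.de: a hardening drop-in for
# /etc/ssh/sshd_config.d/ and a checker for `sshd -T` output.
# Assumes Debian/Ubuntu openssh-server: sshd keeps the first value it
# reads for an option, and the drop-in is read before the defaults.

# Write the drop-in to the path given as $1,
# e.g. /etc/ssh/sshd_config.d/50-hardening.conf (the .conf suffix matters).
write_sshd_dropin() {
    cat > "$1" <<'EOF'
# Only members of ssh-users (Step 3) may log in, and never root.
AllowGroups ssh-users
PermitRootLogin no
# Public keys only: no password and no keyboard-interactive fallback.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
# Fewer guesses per connection, shorter window to finish authenticating.
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Check a file holding `sshd -T` output (lowercase "option value" lines).
# Prints each failing option; returns 0 only if every check passes.
check_sshd_effective() {
    rc=0
    for want in \
        "permitrootlogin no" \
        "passwordauthentication no" \
        "kbdinteractiveauthentication no" \
        "pubkeyauthentication yes" \
        "allowgroups ssh-users"; do
        grep -qx "$want" "$1" || { echo "FAIL: expected '$want'"; rc=1; }
    done
    tries=$(awk '$1 == "maxauthtries" { print $2 }' "$1")
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "FAIL: maxauthtries is '${tries:-unset}', want 3 or fewer"
        rc=1
    fi
    return $rc
}

# The same check on a string, so that on the server you can run
#   check_sshd_string "$(sudo sshd -T)"
check_sshd_string() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    check_sshd_effective "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed excerpts of `sshd -T` output: the stock Debian defaults, and
# the effective values once the drop-in above is in place.
STOCK_SSHD_T='port 22
permitrootlogin prohibit-password
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
maxauthtries 6'

HARDENED_SSHD_T='port 22
allowgroups ssh-users
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
maxauthtries 3'

echo "stock defaults:"
check_sshd_string "$STOCK_SSHD_T" || true
echo "with drop-in:"
check_sshd_string "$HARDENED_SSHD_T" && echo "all checks pass"
```

Run as sh sshd-check.sh to see the stock defaults fail and the hardened values pass; on debian-server, check_sshd_string "$(sudo sshd -T)" applies the same checks to the live configuration. After writing a drop-in, run sudo sshd -t before the restart in Step 9 so that a syntax error is caught while the Step 8 session is still open.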

All done!

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.

Install and configure nullmailer using Fastmail as a smarthost

If you want to receive status updates from your Debian or Ubuntu system in your inbox, you need to employ the help of a mail transfer agent (MTA). nullmailer is a relay-only forwarding MTA that can be used as an alternative to more complex MTAs such as Exim, Sendmail or Postfix. Instructions for setting up Exim are available for comparison.

nullmailer can be configured to use Fastmail as a smarthost and hence ensure the deliverability of your messages. In principle, these instructions should also be applicable to service providers other than Fastmail.

In the following example configuration, debian is the hostname, bookworm the local username and linus.torvalds@fastmail.com the Fastmail username.

Step 1

Log into your Fastmail account and create a new app password for SMTP authentication. Restrict it to SMTP access: the password will be stored in clear text on the server in Step 4, so it should not be able to do anything more than send mail.

Step 2

Create the new directory /etc/nullmailer and the file /etc/nullmailer/adminaddr.

$ sudo mkdir /etc/nullmailer && sudo nano /etc/nullmailer/adminaddr

Your Fastmail username is the only entry in /etc/nullmailer/adminaddr.

linus.torvalds@fastmail.com

Step 3

Install the required packages.

$ sudo apt-get install --yes nullmailer mailutils

Step 4

Perform the initial configuration using debconf. Reconfigure nullmailer at any time after the initial installation using the following command.

$ sudo dpkg-reconfigure nullmailer

Setting the mail name

Set the system mail name. If you are setting up on a home network, use home.arpa as the domain name; it is reserved for exactly this purpose (RFC 8375) and will never collide with a public domain.

Configuring nullmailer

Mailname of your system:

debian.home.arpa

Ok

Configuring the smarthost

Set the Fastmail server as the smarthost, replacing password with the app password you created in Step 1. The line uses submission port 587 with STARTTLS and LOGIN authentication. nullmailer stores it verbatim in /etc/nullmailer/remotes, so check afterwards that this file is not world-readable.

Configuring nullmailer

Smarthosts:

smtp.fastmail.com smtp --port=587 --auth-login --starttls --user=linus.torvalds@fastmail.com --pass=password

Ok

Step 5

Test your configuration with the following command. The message is addressed to the local root user; nullmailer rewrites local recipients to the address in /etc/nullmailer/adminaddr and relays the result through the smarthost.

$ echo "Test mail from nullmailer on debian.home.arpa to the local root user and forwarded on to Fastmail" | mail -s "Test nullmailer" root

Check your Inbox, Linus!
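The following script is an added example, not part of the page above or of the nullmailer package: it shows the files the debconf prompts of Step 4 produce and audits them the way a practitioner would before trusting the setup. It assumes the Debian/Ubuntu packaging, which keeps the smarthost line in /etc/nullmailer/remotes and the forwarding address in /etc/nullmailer/adminaddr (the mail name from the first prompt goes to /etc/mailname on Debian). The credentials in it are constructed placeholders; on a real system let dpkg-reconfigure nullmailer write the files, since the package sets their ownership for the nullmailer daemon, and only run the audit.

```sh
#!/bin/sh
# Added example, not part of nullmailer: write the files that the debconf
# prompts produce into a scratch directory and audit a nullmailer config.

# Write constructed adminaddr and remotes files into directory $1.
# $2 is the Fastmail username, $3 the app password from Step 1.
write_sample_config() {
    dir=$1; user=$2; pass=$3
    mkdir -p "$dir"
    # Local recipients such as root are rewritten to this address.
    printf '%s\n' "$user" > "$dir/adminaddr"
    # One smarthost per line: host protocol options. The password is in clear
    # text, so the file is created without group or world permissions.
    ( umask 077
      printf '%s\n' "smtp.fastmail.com smtp --port=587 --auth-login --starttls --user=$user --pass=$pass" \
          > "$dir/remotes" )
}

# Audit a nullmailer config directory (normally /etc/nullmailer).
# Prints each problem found; returns 0 only if everything is in order.
audit_nullmailer_config() {
    dir=$1; rc=0
    # adminaddr: exactly one non-empty line, shaped like an address.
    if ! grep -qE '^[^[:space:]@]+@[^[:space:]@]+$' "$dir/adminaddr" 2>/dev/null \
       || [ "$(grep -c . "$dir/adminaddr" 2>/dev/null)" -ne 1 ]; then
        echo "FAIL: $dir/adminaddr must hold exactly one address"; rc=1
    fi
    # remotes: the Fastmail smarthost must be reached over STARTTLS ...
    if ! grep -qE '^smtp\.fastmail\.com smtp .*--starttls' "$dir/remotes" 2>/dev/null; then
        echo "FAIL: $dir/remotes does not use STARTTLS to smtp.fastmail.com"; rc=1
    fi
    # ... with complete LOGIN credentials ...
    if ! grep -qE -- '--auth-login .*--user=.+ --pass=.+' "$dir/remotes" 2>/dev/null; then
        echo "FAIL: $dir/remotes has no complete --auth-login credentials"; rc=1
    fi
    # ... and the file holding the password must not be world-readable.
    if [ -n "$(find "$dir/remotes" -perm -o+r 2>/dev/null)" ]; then
        echo "FAIL: $dir/remotes is world-readable"; rc=1
    fi
    return $rc
}

# Demo on a scratch directory with constructed credentials.
demo=$(mktemp -d)
write_sample_config "$demo" linus.torvalds@fastmail.com app-password-from-step-1
audit_nullmailer_config "$demo" && echo "nullmailer configuration in $demo looks sane"
rm -rf "$demo"
```

On the server, sudo sh -c '. ./nullmailer-audit.sh; audit_nullmailer_config /etc/nullmailer' (assuming you saved the script under that name) runs the same checks against the live files; a FAIL for world-readable remotes means the app password from Step 1 is exposed to every local user and should be rotated.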

The process of security

“Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products.” Bruce Schneier acknowledges that perfect computer security probably doesn’t exist. He reminds us that we need to understand our risk of exposure in order to be able to manage it.
www.schneier.com

Trust the process, Tina!

The Fediverse: social media freed from the shackles of commercial interests

“Social media are dominated by platform operators who put their own interests first and measure every decision by how profit can be maximised. Once you have internalised that, the question inevitably arises of what is actually social about social media. Social means helping others, which can also mean setting aside one's own interests. In essence, exactly the opposite of how commercially oriented platforms such as Twitter, Facebook and co. operate.”
Mike Kuketz explains the idea of the Fediverse and underlines why it differs so fundamentally from platforms like Twitter and Facebook. This article is of great importance, not only for users of social media…
www.kuketz-blog.de

Jan Böhmermann is on Mastodon too!

Twitter buyout puts Mastodon into spotlight

“Mastodon is used to publish 500-character messages with pictures, polls, videos and so on to an audience of followers, and, in turn, to follow interesting people and receive their posts in a chronological home feed. Unlike Twitter, there is no central Mastodon website – you sign up to a provider that will host your account, similarly to signing up for Outlook or Gmail, and then you can follow and interact with people using different providers. Anyone can become such a provider as Mastodon is free and open-source. It has no ads, respects your privacy, and allows people/communities to self-govern.” Eugen Rochko preempted the planned acquisition of Twitter by a mere 6 years.
joinmastodon.org

They stormed the Capitol. Their apps tracked them.

“The location-tracking industry exists because those in power allow it to exist. Plenty of Americans remain oblivious to this collection through no fault of their own. But many others understand what’s happening and allow it anyway. They feel powerless to stop it or were simply seduced by the conveniences afforded in the trade-off. The dark truth is that, despite genuine concern from those paying attention, there’s little appetite to meaningfully dismantle this advertising infrastructure that undergirds unchecked corporate data collection.” Charlie Warzel and Stuart A. Thompson show the ease with which supposedly anonymised data from your smartphone is re-identified. From nothing to hide to nowhere to hide—we are all Americans now.
www.nytimes.com

The AAA citizens

“Just as Alibaba and Amazon know what their users are interested in and what they might buy next, the Chinese state wants to infer from its citizens' data trails how they have behaved in the past and how they might behave in the future, and to rate them accordingly under a points system. Anyone who orders healthy baby food over the Internet, for example, is to receive bonus points. Anyone who watches porn or spends too much time on computer games, on the other hand, can expect deductions.” How convenient, then, that Felix Lee has nothing to hide and that such handling of user data is being contemplated in China alone…
www.zeit.de

With thanks to Michael August

Swipe my race: If you’re only dating someone for their skin colour, you should consider why

“I don’t think the stereotypes evolve as quickly as society evolves. I don’t think we get enough varied stereotypes as society is varied, because society is moving so quickly. Especially in a city like London. We’re so diverse, all of us, and the stereotypes don’t keep up.”

What, you're not on WhatsApp?

“Anyone who loves WhatsApp had better not read on, or perhaps precisely then, since love is known to be blind.” Boris Pohler, himself a teacher and father of two, names the price of using the widespread service and explains why every user is in breach of German law.
blog.pohlers-web.de

You are the product

“What this means is that even more than it is in the advertising business, Facebook is in the surveillance business. Facebook, in fact, is the biggest surveillance-based enterprise in the history of mankind. It knows far, far more about you than the most intrusive government has ever known about its citizens. It’s amazing that people haven’t really understood this about the company. I’ve spent time thinking about Facebook, and the thing I keep coming back to is that its users don’t realise what it is the company does. What Facebook does is watch you, and then use what it knows about you and your behaviour to sell ads. I’m not sure there has ever been a more complete disconnect between what a company says it does—‘connect’, ‘build communities’—and the commercial reality. Note that the company’s knowledge about its users isn’t used merely to target ads but to shape the flow of news to them. Since there is so much content posted on the site, the algorithms used to filter and direct that content are the thing that determines what you see: people think their news feed is largely to do with their friends and interests, and it sort of is, with the crucial proviso that it is their friends and interests as mediated by the commercial interests of Facebook. Your eyes are directed towards the place where they are most valuable for Facebook.” John Lanchester does not know what will happen should this $450 billion penny ever drop.
www.lrb.co.uk

How not to get phished

“Most humans can tell the difference most of the time, but if they are tired, or stressed, or in a rush, or have any number of other common obstacles to computer use, there’s a good chance they won’t notice the difference, will type their password into the wrong site, and will have their account taken over by bad guys.” Jacob Hoffman-Andrews identifies password managers as the average human’s best defence against phishing attacks.
jacob.hoffman-andrews.com

Teaching humility in an age of arrogance

“Everything from the ads we read to the political news in our Facebook feed is tailored to our preferences. That’s incredibly useful for buying shoes and finding good restaurants. It is easier than ever to get and share information, but the information we get often reflects ourselves as much as it does anything else. Less noticed is that this has an effect not only on how we regard others, but on how we regard ourselves.” Michael Patrick Lynch suggests we take greater care to balance humility and conviction.
www.chronicle.com

Conversations

“Welcome to this introduction to Conversations. It is gonna be a great introduction. It’s gonna be fabulous. Other instant messengers have fought Conversations for many years, but they couldn’t beat it. Just couldn’t do it. Total losers. They’re all dead now. All the other messengers have failed. Forget WhatsApp, okay? Signal …total disaster. Threema is so bad, it’s not even a real messenger. It’s fake. Threema is a fake messenger. Conversations has got to be the best messenger in the world. It’s huge. OMEMO. You’ll love it. Best protocol. Tremendous. Absolutely fantastic. Nobody has messengers better than Conversations. This messenger is so big, you can even see it from the moon. And I am going to make you pay for it. It’s true. Important people tell me that Conversations is so great, it’s unbelievable. So great, it’s beautiful. Conversations is the best instant messenger that God ever created.”
conversations.im

The Swedish kings of cyberwar

“Among the many questions posed by Scandinavia’s embrace of mass surveillance is one that has lingered at the margins throughout the Snowden debate: Are advanced democracies any different than their authoritarian counterparts in seeking to gain broad access into the private lives of citizens?” Hugh Eakin shines a light on the underreported activities of Sweden’s FRA in spying on people everywhere.
www.nybooks.com

With thanks to Michael August

We let technology into our lives. And now it’s starting to control us

“Our concern about government snooping sometimes distracts from self-awareness of our complicity as consumers of products so ubiquitous they have become everyday verbs.” Rachel Holmes is joining the resistance, because the so-called neutral platforms in reality facilitate hate against women, racism and homophobia.
www.theguardian.com

Complexity is the enemy of security: how to stay relevant in a hacked world

“And one way to fight back is through Open Source. To make sure that the systems we use are trustworthy and can be verified and can be veryfied by anybody [sic]. Relying on Open Source to bring us privacy and trustworthy security is a crucial point for our future on the Internet. The Utopia is gone, it’s not coming back. But we can do what we can to maintain as much trust on the Internet as possible. And openness is key to trust. Without openness there is no trust—without trust there is no democracy.”
Mikko Hypponen

How surveillance stifles dissent on the Internet

“People who said they had ‘nothing to hide’ were in fact more likely to censor themselves.” Kaveh Waddell reports on research by Elizabeth Stoycheff that, given current practices of government and commercial entities around the world, rules out the Internet as a tool to promote democracy.
www.theatlantic.com

“This structure of surveillance will stop us doing things which are right, that we know we should be doing.”
Anthony Barnett speaking in October 2013