homelab/ssh-setup-guide.md
Krejczinger Árpád 3978d184ac Enhance SSH security documentation and update arch install notes
- ssh-setup-guide.md: Added comprehensive security hardening section with:
  * Non-standard port configuration (Port 2222)
  * Advanced SSH hardening settings (MaxAuthTries, ClientAlive, AllowUsers)
  * Dynamic DNS setup for remote access (DuckDNS, No-IP, Cloudflare)
  * fail2ban installation and VPN considerations
  * Additional security steps checklist

- arch-install-notes.md: Updated post-installation priorities with yadm setup

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-30 17:05:30 +02:00

SSH Connection Setup Guide

On the Arch Linux ThinkPad (Server Side)

1. Install and Enable SSH Server

# Install OpenSSH
sudo pacman -S openssh

# Enable and start SSH service
sudo systemctl enable sshd
sudo systemctl start sshd

# Check if SSH is running
sudo systemctl status sshd

2. Configure SSH Server

# Edit SSH configuration
sudo nano /etc/ssh/sshd_config

# Recommended security settings:
# Port 22 (or change to custom port)
# PermitRootLogin no
# PasswordAuthentication yes (initially, then switch to key-based)
# PubkeyAuthentication yes

# Restart SSH after configuration changes
sudo systemctl restart sshd

3. Get the ThinkPad's IP Address

# Find local IP address
ip addr show
# or
hostname -I

4. Configure Firewall (if using ufw)

# Install firewall
sudo pacman -S ufw

# Allow SSH connections before enabling the firewall,
# so an existing SSH session is not cut off
sudo ufw allow ssh
# or for custom port: sudo ufw allow 2222

# Enable firewall
sudo ufw enable

On WSL/Windows PC (Client Side)

1. Generate SSH Key Pair (if not already done)

# Generate new SSH key
ssh-keygen -t ed25519 -C "your-email@example.com"

# Or use RSA if ed25519 not supported
ssh-keygen -t rsa -b 4096 -C "your-email@example.com"

# Keys will be saved to ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub
# (or ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub for the RSA variant)

2. Copy Public Key to ThinkPad

# Method 1: Using ssh-copy-id (easiest)
ssh-copy-id username@thinkpad-ip-address

# Method 2: Manual copy
cat ~/.ssh/id_ed25519.pub | ssh username@thinkpad-ip-address "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

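# Method 3: SCP the key file, then append it on the ThinkPad
# (copying straight onto authorized_keys would overwrite any keys already there)
scp ~/.ssh/id_ed25519.pub username@thinkpad-ip-address:~/id_ed25519.pub
ssh username@thinkpad-ip-address "mkdir -p ~/.ssh && cat ~/id_ed25519.pub >> ~/.ssh/authorized_keys && rm ~/id_ed25519.pub"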

3. Test SSH Connection

# Connect using password initially
ssh username@thinkpad-ip-address

# After key setup, should connect without password
ssh username@thinkpad-ip-address

4. Create SSH Config for Easy Access

# Edit SSH config
nano ~/.ssh/config

# Add entry for ThinkPad
Host thinkpad
    HostName thinkpad-ip-address
    User your-username
    Port 22
    IdentityFile ~/.ssh/id_ed25519

# Now you can connect with: ssh thinkpad

Security Hardening (After Key-Based Auth Works)

On ThinkPad:

# Edit SSH config to disable password authentication
sudo nano /etc/ssh/sshd_config

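# Basic hardening settings:
# PasswordAuthentication no
# PermitEmptyPasswords no
# ChallengeResponseAuthentication no  (deprecated alias of KbdInteractiveAuthentication in current OpenSSH)
# PermitRootLogin no
# Protocol 2  (deprecated; current OpenSSH only speaks protocol 2 and ignores this option)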

# Advanced hardening (optional):
# Port 2222  # Change from default port 22
# MaxAuthTries 3
# ClientAliveInterval 300
# ClientAliveCountMax 2
# AllowUsers your-username  # Restrict to specific users

# Restart SSH (keep the current session open until a new key-based login succeeds)
sudo systemctl restart sshd
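
One way to confirm that the hardening settings above are the ones sshd actually applies, as an added example that is not part of the original guide. It assumes the input is text in the format printed by `sshd -T`; the function name `audit_sshd` and the sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare effective sshd settings with this guide's hardening values.
# Input is text in the format printed by `sshd -T` (lowercase "key value" lines).

# Hardening values taken from the settings listed above.
EXPECTED='passwordauthentication no
permitemptypasswords no
permitrootlogin no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2'

# Constructed sample: a server where password logins are still enabled and
# MaxAuthTries was never lowered. Not output from a real host.
SAMPLE_EFFECTIVE='port 2222
passwordauthentication yes
permitemptypasswords no
permitrootlogin no
maxauthtries 6
clientaliveinterval 300
clientalivecountmax 2
allowusers your-username'

# audit_sshd <effective-config-text>
# Prints one line per deviation and returns the number of deviations (0 = all match).
audit_sshd() {
    local effective="$1" key want got fails=0
    while read -r key want; do
        got=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (want: $want)"; fails=$((fails + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key is '$got' (want: $want)"; fails=$((fails + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    # AllowUsers has no fixed value; only require that a restriction is present.
    if ! printf '%s\n' "$effective" | grep -q '^allowusers '; then
        echo "MISSING  allowusers (no user restriction set)"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Demo on the constructed sample; on the server use: audit_sshd "$(sudo sshd -T)"
audit_sshd "$SAMPLE_EFFECTIVE" || echo "deviations: $?"
```

Running it against `sshd -T` rather than grepping `/etc/ssh/sshd_config` catches settings that are overridden by an earlier line or an included drop-in file.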

Additional Security Steps:

  • Change SSH port: Edit Port 22 to custom port (e.g., Port 2222)
  • Install fail2ban: sudo pacman -S fail2ban && sudo systemctl enable fail2ban
  • Configure firewall: Update ufw rules for new SSH port if changed
  • Set up dynamic DNS: For remote access (DuckDNS, No-IP, Cloudflare)
  • Consider VPN: For secure remote access instead of exposing SSH

Setting Up Hostname Resolution

Method 1: Using /etc/hosts (Simple, Local Only)

On WSL/Linux:

# Edit hosts file
sudo nano /etc/hosts

# Add entry for ThinkPad
192.168.1.100  thinkpad
192.168.1.100  thinkpad.local

# Now you can use: ssh username@thinkpad

On Windows:

# Edit hosts file (run as Administrator)
notepad C:\Windows\System32\drivers\etc\hosts

# Add the same entries:
192.168.1.100  thinkpad
192.168.1.100  thinkpad.local

Method 2: Set Static Hostname on ThinkPad

# On ThinkPad, set a memorable hostname
sudo hostnamectl set-hostname thinkpad

# Edit /etc/hosts on ThinkPad to include itself
sudo nano /etc/hosts
# Add: 127.0.0.1  thinkpad thinkpad.local

Method 3: Router-Level DNS (Best for Multiple Devices)

  • Access your router's admin panel (usually 192.168.1.1 or 192.168.0.1)
  • Look for "DHCP Reservations" or "Static IP" settings
  • Assign a static IP to ThinkPad's MAC address
  • Set hostname in router's DNS settings

Update SSH Config

# Update ~/.ssh/config to use hostname
nano ~/.ssh/config

Host thinkpad
    # or use thinkpad.local as the HostName
    HostName thinkpad
    User your-username
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Troubleshooting

Common Issues:

  • Connection refused: Check if sshd is running, firewall allows SSH
  • Permission denied: Verify username/password, check authorized_keys permissions
  • Key not working: Ensure correct permissions on ~/.ssh (700) and authorized_keys (600)

Debug Commands:

# Check SSH service status
sudo systemctl status sshd

# View SSH logs
sudo journalctl -u sshd

# Test SSH config
sudo sshd -t

# Connect with verbose output
ssh -v username@thinkpad-ip-address