Essential SSH Tips for Secure and Efficient Server Connections

SSH Tips for Professionals

SSH is one of the tools that we, and most developers, use the most. In this blog we share a number of tips that make SSH both more secure and more efficient. These tips apply not only to our high-performance web servers, but also to your own internal servers. We assume that you are using a recent version of OpenSSH (both client and server). In the examples we use "d-example.host-ed.eu" as the server address. Replace this with your own server address.

What is SSH?

SSH stands for Secure Shell and allows you to log in to another computer or server remotely in a secure, encrypted way. This allows you to work on the machine you are logged in to and exchange data securely. Because the connection is encrypted, malicious parties cannot simply intercept your passwords.

How do you use SSH?

SSH enables secure communication between computers or servers. To use SSH, first download an SSH client, which allows you to generate an SSH key. After that, you can connect to other servers, provided your hosting provider supports SSH. At LinQhost, we are happy to help you with the installation of SSH, so feel free to contact us for more information.

Tips for a better SSH experience


Tip 1: Access your MySQL server remotely via SSH

Want to access your database from a remote location without compromising security? A simple and secure solution is to set up a MySQL tunnel via an SSH connection. On your local machine, enter the following command:

ssh -L 3307:127.0.0.1:3306 your_user@d-example.host-ed.eu -p 22622

With this command running, you connect to the MySQL server through port 3307 on your local machine, and the SSH tunnel carries the traffic to the server in encrypted form.

Tip 2: Improve your OpenSSH server encryption

The default configuration of OpenSSH is often quite lenient, meaning that obsolete algorithms such as SHA1 are still allowed. SHA1 is considered insecure and you do not want to use it. To improve your security, adjust the configuration by adding the following lines to the sshd_config file:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Don't forget to restart your OpenSSH server after making these changes!
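To confirm after the restart that no SHA1-based algorithm is still offered, you can audit the effective configuration. The script below is an added example, not part of the original article: the function name `audit_sshd_algos` and both sample inputs are constructed, and it assumes the input has the form printed by `sshd -T` (lowercase keyword followed by a comma-separated list).

```shell
#!/bin/sh
# Added example (not from the original article): audit the effective sshd
# algorithm lists for SHA-1. Real use, as root:
#   sshd -t && sshd -T | audit_sshd_algos

# Reads `sshd -T`-style lines on stdin. Prints "WEAK <keyword> <algorithm>"
# for every SHA-1 based entry and "MISSING <keyword>" for an absent list.
# Returns 0 when clean, 1 when anything was reported.
audit_sshd_algos() {
    awk '
    {
        key = tolower($1)
        if (key != "kexalgorithms" && key != "ciphers" && key != "macs") next
        seen[key] = 1
        n = split($2, algos, ",")
        for (i = 1; i <= n; i++) {
            # SHA-1 algorithms carry "sha1" in their name (hmac-sha1, ...-sha1)
            if (algos[i] ~ /sha1/) { print "WEAK", key, algos[i]; bad = 1 }
        }
    }
    END {
        if (!("kexalgorithms" in seen)) { print "MISSING kexalgorithms"; bad = 1 }
        if (!("ciphers" in seen))       { print "MISSING ciphers"; bad = 1 }
        if (!("macs" in seen))          { print "MISSING macs"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: a lenient server that still offers two SHA-1 algorithms.
sample_lenient() {
cat <<'EOF'
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
ciphers chacha20-poly1305@openssh.com,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
EOF
}

# Constructed sample: the three lists from this tip, as `sshd -T` would print them.
sample_hardened() {
cat <<'EOF'
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOF
}

sample_lenient | audit_sshd_algos || echo "lenient sample: SHA-1 still offered"
sample_hardened | audit_sshd_algos && echo "hardened sample: clean"
```

Running `sshd -t` first checks the edited file for syntax errors, so a typo in one of the lists is caught before the restart rather than after it.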


Tip 3: Use ECDSA for better performance

Traditionally, SSH-RSA is used to establish secure connections, but this requires a lot of processing power, especially with keys of 4096 bits. An alternative is to use ECDSA, a key type that provides the same security with fewer bits. You can generate an ECDSA key with the following command:

ssh-keygen -t ecdsa -b 521

This will ensure faster connections and better performance, especially when using recent SSH clients.

Tip 4: Turn on compression for faster connections

Many people forget that you can speed up your data connection by enabling compression during your SSH session. This is especially useful on slow connections. Add the -C parameter to your SSH command to enable compression:

ssh -C d-example.host-ed.eu -p 22622

If you want to enable compression by default, add the line "Compression yes" to your SSH configuration file (~/.ssh/config).
