Archive for the tag 'SSH'

SSHFS: mounting a remote filesystem over SSH

What is sshfs ?

SSHFS is a filesystem client based on the SSH File Transfer Protocol (SFTP): it talks to the sftp subsystem that OpenSSH's sshd already provides, which is why nothing extra has to be installed on the server. It uses the Filesystem in Userspace (FUSE) framework by Miklos Szeredi.

Advantages of SSHFS

While sshfs may not be as fast and featureful as other full-blown network filesystems such as NFS or Samba, it still has some great features:

1. Very easy to use: there is nothing to do on the server side, and on the client side mounting the filesystem is as easy as logging into the server with ssh

2. Provides secure (encrypted) access to remote files, with the same caveat as any SSH session: the protection only holds if the server's host key is verified rather than blindly accepted

3. Has decent performance (multithreaded, caching directory contents and allowing large reads)

4. Should work well even over slow and/or unstable links (think dialup), knows how to reconnect to the server when the connection is broken

Requirements

The FUSE kernel module must be loaded before sshfs can be used. The kernel this post was written against (2.6.9, RHEL 4) predates the in-tree FUSE driver, which is why the module is built from source below; on Linux 2.6.14 and later FUSE ships with the kernel and only the userspace library and sshfs need installing.

Packages Required

1. Kernel Source ( for the current running kernel )

2. FUSE : http://jaist.dl.sourceforge.net/sourceforge/fuse/fuse-2.5.3.tar.gz

3. SSHFS-FUSE : http://jaist.dl.sourceforge.net/sourceforge/fuse/sshfs-fuse-1.6.tar.gz

4. OpenSSH client

Installing and configuring SSHFS

Installing FUSE

1. Download the FUSE kernel module source from http://jaist.dl.sourceforge.net/sourceforge/fuse/fuse-2.5.3.tar.gz
#wget http://jaist.dl.sourceforge.net/sourceforge/fuse/fuse-2.5.3.tar.gz

2. Go to your kernel source directory and, if it is a freshly unpacked tree, configure it to match the running kernel (the module has to be built against the same configuration, or it will not load)

#cd /usr/src/linux-2.6.9-5.EL
#make menuconfig

3. Untar the FUSE package and change directory to the source directory of FUSE

#tar xzf fuse-2.5.3.tar.gz
#cd fuse-2.5.3

4. Configure the Fuse source package .

#./configure --with-kernel=/usr/src/linux-2.6.9-5.EL

5. Build the fuse module and install it

#make
#make install

6. Load Fuse module into kernel

#modprobe fuse

Installing SSHFS

1. Download the sshfs-fuse package from http://jaist.dl.sourceforge.net/sourceforge/fuse/sshfs-fuse-1.6.tar.gz

#wget http://jaist.dl.sourceforge.net/sourceforge/fuse/sshfs-fuse-1.6.tar.gz

2. Untar the source package and change directory to sshfs-fuse source directory

#tar xzf sshfs-fuse-1.6.tar.gz
#cd sshfs-fuse-1.6

3. Build and install the sshfs

#./configure
#make
#make install

Using SSHFS

You can mount a remote directory with sshfs user@host:/remote/dir /local/mountpoint. The mount point must be an existing directory, and sshfs does not need root, only access to /dev/fuse (on some distributions that means membership of a fuse group), e.g.:

#sshfs user1@192.168.1.215:/docs docs

If sshd on the remote server listens on an alternate port, pass -o port= (or -p), e.g. for sshd listening on 2222:

#sshfs -oport=2222 user1@192.168.1.215:/docs docs

To unmount the filesystem, use fusermount -u mountpoint, e.g.:

#fusermount -u docs
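
The mount and unmount commands above wrapped in a small helper, added here as an example (it is not from the original post or the sshfs project). It assumes the sshfs and fusermount binaries from the sshfs-fuse package; the user, host and paths are placeholders. It adds what the bare command leaves out: an explicit port, reconnect and keepalive options so a dropped link does not hang every process that touches the mount, strict host-key checking so the "secure (encrypted)" claim actually holds, and a refusal to mount on top of an existing sshfs mount.

```shell
#!/bin/sh
# Added example (not from the original post or the sshfs project): a wrapper
# around sshfs/fusermount with the options a practitioner wants set every
# time. Assumes sshfs-fuse is installed; user, host and paths are placeholders.

# sshfs_mount <user> <host> <port> <remote dir> <mount point>
# With SSHFS_DRY_RUN=1 the command line is printed instead of executed, so
# the argument handling can be checked without a server.
sshfs_mount() {
    local user=$1 host=$2 port=$3 remote=$4 mnt=$5

    case $port in
        ''|*[!0-9]*) echo "sshfs_mount: bad port '$port'" >&2; return 2 ;;
    esac
    [ -d "$mnt" ] || { echo "sshfs_mount: '$mnt' is not a directory" >&2; return 2; }
    # refuse to stack a second mount on an existing sshfs mount point
    if grep -qs " $(readlink -f "$mnt") fuse.sshfs " /proc/mounts; then
        echo "sshfs_mount: '$mnt' is already an sshfs mount" >&2
        return 1
    fi

    # reconnect: re-establish the session when the link drops (the feature
    #   listed under "advantages" above) instead of leaving a dead mount
    # ServerAliveInterval/CountMax: detect a dead peer within ~45 s rather
    #   than hanging every process that touches the mount
    # StrictHostKeyChecking=yes: never connect to an unknown or changed host
    #   key; without it the "encrypted" channel could be to a man-in-the-middle
    # idmap=user: show files owned by the remote user as owned by the local one
    set -- sshfs -p "$port" \
        -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3 \
        -o StrictHostKeyChecking=yes,idmap=user \
        "$user@$host:$remote" "$mnt"

    if [ "${SSHFS_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# sshfs_umount <mount point>: normal unmount, falling back to a lazy unmount
# that detaches the mount even when a dead connection keeps it busy.
sshfs_umount() {
    fusermount -u "$1" 2>/dev/null && return 0
    fusermount -u -z "$1"
}

# usage: sshfs_mount user1 192.168.1.215 2222 /docs "$HOME/docs"
#        sshfs_umount "$HOME/docs"
```

Run it as the user who owns the mount point, and unmount before logging out; the sshfs process stays around for as long as the mount exists.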
SBDavid

Disable direct root login via ssh

Follow these steps to disable direct root login to the server over SSH. Do the whole procedure from a root session that you keep open, and confirm that the new user can log in and become root before you close it, or you risk locking yourself out.

STEP 1: Create a user

SSH into your server as root and run the following commands to create the user.

$ groupadd test
$ useradd -g test test
$ passwd test

You can use any user name instead of "test".

STEP 2: Add user to wheel group

You can add the user at the end of the wheel line in the group file (this is the same edit that usermod -a -G wheel makes).

$ grep wheel /etc/group
wheel:x:10:root

Add the user test:

wheel:x:10:root,test

Note that wheel membership on its own does not restrict su: that only happens if pam_wheel is enabled in /etc/pam.d/su (auth required pam_wheel.so use_uid), which Red Hat based systems ship commented out. Without it, any user who knows the root password can su, and the wheel group is only a convention.

For cPanel servers, do the following.

1. Log into WHM and click "Manage Wheel Group Users".

2. Select the user (here "test") and click "Add to group".

Before disabling root access, check that the user can log in and su - to gain root privileges. From a second terminal, SSH into your server as "test":

Login as: test

Password: (the user's password)

su -

Password: (the root password)

If this fails, fix it now, while the root session is still open.

STEP 3: Disable Direct Root Login

1. Copy and paste this line to edit the file for SSH logins

$ vi /etc/ssh/sshd_config

2. Find the line

#Protocol 2,1

3. Uncomment it (remove the #) and change it so that only protocol 2 is offered (protocol 1 has known weaknesses and should not be enabled):

Protocol 2

4. Next, find the line

PermitRootLogin yes

5. Uncomment it (remove the #) and make it look like PermitRootLogin no

6. Save the file and restart the sshd service so the new configuration is read. Existing sessions are not affected by the restart.

Now nobody can log in as root over SSH directly; an administrator has to log in as "test" and su - to root. (PermitRootLogin only governs sshd; root can still log in on the console.)

Configure the sshd server to disable password login and enable keys

First, generate a key pair on the client machine. The private key never leaves it; only the public half (the .pub file) is copied to the server.

ssh-keygen -v -t rsa -b 2048

Then append the public key to the user's authorized_keys on the server. Use >> rather than >, which would wipe any keys already there, and make sure the directory and file are not group- or world-writable, or sshd (with its default StrictModes yes) will ignore the file:

cat /home/buddy/.ssh/buddy_rsa.pub >> /home/buddy/.ssh/authorized_keys
chmod 700 /home/buddy/.ssh; chmod 600 /home/buddy/.ssh/authorized_keys

Editing the config file /etc/ssh/sshd_config

While still logged in to the remote server with the password, edit the sshd configuration to disable password login and enable keys:

vi /etc/ssh/sshd_config

and set:

PermitRootLogin no
# Disable password login (uncomment only once key login is confirmed to work)
#PasswordAuthentication no
ChallengeResponseAuthentication no
# TCP forwarding
AllowTcpForwarding no

# Uncomment the 'PasswordAuthentication no' line only after making sure that key authentication works, tested from a second session while the first one stays open.
# ChallengeResponseAuthentication no is needed as well: with UsePAM enabled, keyboard-interactive authentication would otherwise still accept the account password.
# Disabling root login is recommended anyway, even though once passwords are off root could only get in with a key.
# AllowTcpForwarding no stops users from tunnelling arbitrary TCP connections through the server (port forwards such as the MySQL tunnel in the next post depend on it being yes). Agent forwarding is a separate option, AllowAgentForwarding, and is not recommended on multi-user hosts: anyone with root on the server can use a forwarded agent socket to authenticate with your keys for as long as you are connected, even though the keys themselves stay on the local machine. Only enable it where you really need to hop from server to server with the keys kept on your workstation.
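
Installing the public key by hand, as an added example that is not taken from the post: the helper below appends the key to authorized_keys only if it is not already there and sets the permissions that sshd's StrictModes check requires, which is what the one-line cat above does not do. The key file name and home directory are parameters; the "buddy" paths are the post's placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a
# user's authorized_keys idempotently, with the permissions sshd expects.

# gen_key <private key path>: generate a key pair on the client if none
# exists yet. ed25519 is the modern default; "-t rsa -b 2048" as in the
# post works with older servers. ssh-keygen prompts for a passphrase.
gen_key() {
    local keyfile=$1
    [ -f "$keyfile" ] && return 0
    ssh-keygen -t ed25519 -f "$keyfile"
}

# install_pubkey <public key file> <home directory of the target user>
# Prints "installed" or "already installed"; returns 2 on an unusable key file.
install_pubkey() {
    local pub=$1 home=$2 sshdir auth key
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys

    # keep only "<type> <base64 blob>": the comment field may differ between
    # copies of the same key, so it must not take part in the comparison
    key=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pub")
    [ -n "$key" ] || { echo "install_pubkey: no key found in $pub" >&2; return 2; }

    # sshd (StrictModes yes, the default) ignores a group- or world-writable
    # ~/.ssh or authorized_keys, so set the modes explicitly every time
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    if grep -qF -- "$key" "$auth"; then
        echo "already installed"
        return 0
    fi
    # printf guarantees the entry ends with a newline even if the .pub did not
    printf '%s\n' "$(cat "$pub")" >> "$auth"
    echo "installed"
}

# usage (on the client): gen_key "$HOME/.ssh/buddy_rsa"
# usage (on the server, after copying the .pub there):
#   install_pubkey /home/buddy/.ssh/buddy_rsa.pub /home/buddy
```

OpenSSH ships ssh-copy-id, which does the copy and the append over SSH in one step; the function above is what to use when the key has to be placed by another route (a provisioning script, a root session on the server).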

SBDavid

SSH tunnel for Mysql

This opens a tunnel: ssh listens on localhost:3308 and forwards every connection to port 3306 on yourdomain.com, with the destination resolved from the SSH server's side. If mysqld on that host listens only on the loopback interface (as many distributions configure it), use 127.0.0.1:3306 as the destination instead of yourdomain.com:3306. Add -N if you do not want an interactive shell to open alongside the forward.

ssh -L 3308:yourdomain.com:3306 username@yourdomain.com

Then connect through it. Use -h 127.0.0.1, not localhost: the mysql client treats localhost as a request for the local Unix socket and would bypass the tunnel. -P (capital) is the port:

mysql -u username -p -h 127.0.0.1 -P 3308 databasename
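
The same tunnel as a small helper that also closes it afterwards, added here as an example (not from the original post). The bare command above leaves an interactive shell open next to the forward and gives no signal if port 3308 was already taken; the helper uses -N (no remote command), -f (go to background once authenticated), ExitOnForwardFailure so a failed bind aborts the ssh instead of leaving a forward-less session, a control socket so the tunnel can be shut down with ssh -O exit, and 127.0.0.1 as the destination so it reaches a mysqld bound only to loopback on the server. Host, user and database names are the post's placeholders; it assumes an OpenSSH client with ControlMaster support and the mysql client.

```shell
#!/bin/sh
# Added example (not from the original post): MySQL over an SSH tunnel with a
# controlled lifetime. Assumes OpenSSH with ControlMaster support and the
# mysql client; hostnames and credentials are placeholders.

# tunnel_opts <local port> <dest host> <dest port> <control socket>
# Prints the ssh options for a background, forward-only master connection.
# No option contains whitespace, so the caller may word-split the output.
tunnel_opts() {
    local lport=$1 dhost=$2 dport=$3 sock=$4
    # -N: no remote command; -f: background after authentication, which with
    #   ExitOnForwardFailure=yes only happens once the forward is established
    # -M -S: make this the master for the control socket so it can be closed
    # ExitOnForwardFailure: exit nonzero if 127.0.0.1:lport cannot be bound
    # Explicit 127.0.0.1 bind keeps the listener off other interfaces.
    # The destination host is resolved by the SSH server, so 127.0.0.1 there
    # means "the mysqld on the server itself".
    printf '%s\n' "-N -f -M -S $sock -o ExitOnForwardFailure=yes -L 127.0.0.1:$lport:$dhost:$dport"
}

# mysql_via_tunnel <user@sshhost> <mysql user> <database> [local port]
# Opens the tunnel, runs the mysql client through it, then tears it down.
mysql_via_tunnel() {
    local target=$1 dbuser=$2 db=$3 lport=${4:-3308} dir sock rc
    dir=$(mktemp -d) || return 1
    sock=$dir/ctl

    # word-splitting of tunnel_opts output is intentional (see above)
    ssh $(tunnel_opts "$lport" 127.0.0.1 3306 "$sock") "$target" || { rmdir "$dir"; return 1; }

    # -h 127.0.0.1 forces TCP; "localhost" would make the client use the
    # local Unix socket and bypass the tunnel entirely
    mysql -u "$dbuser" -p -h 127.0.0.1 -P "$lport" "$db"
    rc=$?

    # shut the background ssh down through its control socket
    ssh -S "$sock" -O exit "$target" 2>/dev/null
    rm -rf "$dir"
    return $rc
}

# usage: mysql_via_tunnel username@yourdomain.com username databasename
```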
SBDavid

Use a Non-Standard SSH Port

By default, sshd listens for incoming connections on port 22, so an attacker looking for SSH servers will scan port 22 first. Moving sshd to a non-standard port cuts down the automated probing and the log noise that comes with it, but it is not a security control: a full port scan still finds sshd wherever it listens, because the server announces itself in its version banner. Treat it as an addition to key-only authentication and a disabled root login, not as a substitute.

Any unused port will do, although one above 1024 is preferable. Many people choose 2222 (it is easy to remember), just as 8080 is the well-known alternative HTTP port. For that very reason it is not the best choice, as anyone scanning port 22 will likely also try 2222 for good measure. It is better to pick a random high port that is not used by any known service. To make the change, add a line like this to /etc/ssh/sshd_config:

# Run ssh on a non-standard port (pick your own value):
Port 2345

and restart the sshd service. Do this from a session you keep open, and confirm that a new login on the new port works before closing it. Then make the matching changes to any port forwarding on your router and to your firewall rules; on hosts with SELinux enforcing, the new port also has to be labelled ssh_port_t (with semanage port), or sshd will not be allowed to bind to it.

Because sshd no longer listens on the standard port, you need to tell your client which port to use. From the command line, the ssh client takes it with the -p switch (or put a Port line in the matching Host entry of ~/.ssh/config so you do not have to type it every time):

$ ssh -p 2345 myserver
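
A helper that makes the sshd_config edits from STEP 3 of "Disable direct root login via ssh", from the password/key section after it, and the Port change in this post, added here as an example that is not part of the original posts. Two things the hand-editing instructions leave out: sshd honours the first occurrence of a directive and ignores later ones, so uncommenting a line lower in the file does nothing if an earlier active line sets the same option (and a directive appended after a Match block applies only to that block); and a syntax error in sshd_config stops sshd from starting, which over SSH means a lockout. The helper rewrites the first active occurrence (or inserts the directive before the first Match block, or appends), reports the value sshd will actually see, and validates with sshd -t before anything is restarted. The file path and port are parameters. Note that the Protocol line only matters on releases that still support protocol 1; current OpenSSH has dropped it and accepts the keyword only as a deprecated option.

```shell
#!/bin/sh
# Added example (not from the original posts): edit sshd_config the way sshd
# reads it (first active occurrence wins), then validate before restarting.

# effective_sshd_option <file> <Directive>
# Prints the value of the first active (non-comment) occurrence, which is the
# one sshd uses; prints nothing if the directive is not set before the first
# Match block (the built-in default then applies).
effective_sshd_option() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key) }
        {
            line = $0; sub(/^[ \t]+/, "", line); ll = tolower(line)
            if (ll ~ /^match[ \t]/) exit      # settings past here are conditional
            if (ll ~ ("^" lk "[ \t=]")) {
                sub(/^[^ \t=]+[ \t=]+/, "", line)   # strip the directive name
                print line; exit
            }
        }' "$1"
}

# set_sshd_option <file> <Directive> <value>
# Replaces the first active occurrence in place; commented lines are left
# untouched; with no active occurrence the directive is inserted before the
# first Match block, or appended if there is none.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0 }
        {
            line = $0; sub(/^[ \t]+/, "", line); ll = tolower(line)
            if (!done && ll ~ /^match[ \t]/) { print key " " value; done = 1 }
            if (!done && ll ~ ("^" lk "[ \t=]")) { print key " " value; done = 1; next }
            print
        }
        END { if (!done) print key " " value }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # copy contents back rather than mv, to keep the file's owner, mode and label
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# harden_sshd [file] [port]: the settings from the posts above, plus a backup
# and a syntax check. Returns the status of sshd -t; restart sshd only if it is 0.
harden_sshd() {
    local file=${1:-/etc/ssh/sshd_config} port=${2:-22}
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    set_sshd_option "$file" Protocol 2
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" AllowTcpForwarding no
    set_sshd_option "$file" AllowAgentForwarding no
    set_sshd_option "$file" Port "$port"
    # parse-only run: a nonzero exit (with the error on stderr) means do NOT restart
    sshd -t -f "$file"
}

# usage: harden_sshd /etc/ssh/sshd_config 2345 && service sshd restart
```

After the restart, sshd -T prints the configuration sshd is actually using, which is the authoritative check that the edits took effect.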
