Configuring the SSH Server
You must configure an SSH server before you can use HSTS. To increase security, configure transfer-server authorization to use a host-key fingerprint.
SSH configuration
Configure SSH for use with HSTS. The server configuration file is /etc/ssh/sshd_config.
Changing the TCP port number
SSH servers listen for incoming connections on TCP port 22 by default. As a result, port 22 receives a constant stream of unauthorized login attempts from attackers scanning for unsecured servers. Moving the service to a seemingly random port in the range 1024 - 65535 and closing port 22 removes most of that automated noise. It is a deterrent only: key-based authentication and firewall rules must still be in place, because a port scan finds the new port quickly. To standardize the port for use in Aspera transfers, set the TCP port to 33001 and close TCP/22.
Prerequisites:
- Before changing the default port for SSH connections, verify with your network administrators that TCP/33001 is open.
- Before closing port TCP/22, notify the users of the change.
Notifying users - How to specify TCP/33001
Aspera recognizes that disabling the default SSH connection port (TCP/22) might affect your clients. When you change the port, ensure that you advise your users on how to configure the new port number, from the GUI (if available and used) and from the command line.
- GUI: Click Connections and select the entry for the server whose ports you are changing. On the Connection tab, click Show Advanced Settings and in the SSH Port (TCP) field enter 33001.
- Command line: Clients running transfers from the command line can specify the port with the ascp -P 33001 option.
Changing to TCP/33001
The following steps require root privileges.
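The cutover itself is safest done in two steps: first add Port 33001 alongside Port 22 so that existing clients keep working while users are notified, then remove Port 22 once they have moved. The following script is an added example of that two-step edit, not Aspera's or OpenSSH's own tooling. It assumes the OpenSSH sshd_config syntax of one top-level "Port N" directive per line; "ListenAddress host:port" forms and "Match" blocks are not handled and must be reviewed by hand. The sample configuration is constructed for the example, and the file path and port numbers are parameters.

```python
"""Move sshd from TCP/22 to TCP/33001 in two steps without locking anyone out.

Added example, not Aspera's or OpenSSH's tooling. Assumes plain top-level
'Port N' lines as in OpenSSH sshd_config; ListenAddress with an explicit
port and Match blocks are not handled (Port is not valid inside Match).
"""
import re
from pathlib import Path

PORT_RE = re.compile(r"^\s*Port\s+(\d+)\s*$", re.IGNORECASE)
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def validate_port(port: int) -> int:
    """Only unprivileged ports are acceptable for the new listener; 33001 is Aspera's standard choice."""
    if not 1024 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1024-65535")
    return port


def configured_ports(text: str) -> list[int]:
    """Active top-level Port values in file order.

    Commented lines are ignored, parsing stops at the first Match block, and
    an absent Port directive means sshd's default of 22.
    """
    ports = []
    for line in text.splitlines():
        if MATCH_RE.match(line):
            break
        m = PORT_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return ports or [22]


def set_ports(text: str, ports: list[int]) -> str:
    """Return the config with exactly `ports` as its Port directives.

    Old Port lines are removed; the new ones are inserted where the first old
    one was (top of file if there was none), so the rest of the file keeps
    its shape and ordering.
    """
    kept, insert_at = [], None
    for line in text.splitlines():
        if PORT_RE.match(line):
            if insert_at is None:
                insert_at = len(kept)
            continue
        kept.append(line)
    if insert_at is None:
        insert_at = 0
    kept[insert_at:insert_at] = [f"Port {p}" for p in ports]
    return "\n".join(kept) + "\n"


def add_listener(text: str, new_port: int = 33001) -> str:
    """Step 1: listen on the old and new ports at once while users are notified."""
    ports = configured_ports(text)
    if new_port not in ports:
        ports.append(validate_port(new_port))
    return set_ports(text, ports)


def drop_listener(text: str, old_port: int = 22) -> str:
    """Step 2: close the old port. Refuses to leave sshd with nothing to listen on."""
    ports = [p for p in configured_ports(text) if p != old_port]
    if not ports:
        raise ValueError("refusing to remove the only listening port")
    return set_ports(text, ports)


def rewrite_config(path: Path, transform) -> None:
    """Apply a transform to the file, keeping a .bak copy of the original."""
    original = path.read_text()
    path.with_suffix(path.suffix + ".bak").write_text(original)
    path.write_text(transform(original))


# Constructed sshd_config excerpt for the example (not a real server's file).
SAMPLE_CONFIG = """# constructed sshd_config excerpt
Port 22
#Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "sshd_config"
        cfg.write_text(SAMPLE_CONFIG)
        rewrite_config(cfg, add_listener)   # Port 22 and Port 33001
        print(cfg.read_text())
        rewrite_config(cfg, drop_listener)  # Port 33001 only
        print(cfg.read_text())
```

After each step on a real server, run sshd -t to syntax-check the file before restarting sshd, and keep an existing session open until a fresh login on TCP/33001 has succeeded; only then remove TCP/22 from the configuration and from the firewall.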
Configuring transfer server authentication with a host-key fingerprint
Configure the transfer-server authorization to use a host-key fingerprint to prevent server impersonation and man-in-the-middle (MITM) attacks. Aspera clients can verify the server's authenticity before starting a transfer by comparing a trusted SSH host-key fingerprint, obtained directly from the server administrator or through an Aspera client web application, with the fingerprint of the host key the server presents when the connection is made. The check is only as strong as the channel used to distribute the trusted fingerprint: it must reach the client in a way an attacker on the network path cannot alter.
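To show what the comparison actually involves, the following is an added example, not Aspera's client or server code. It reproduces the OpenSSH fingerprint formats (the default "SHA256:" unpadded base64 form and the legacy "MD5:" hex form) from the public-key blob found in a *.pub file, so the value an administrator publishes can be checked against the key a client observes. The two keys are constructed for the example: they are structurally valid ssh-ed25519 public-key lines, but the key material is arbitrary bytes, not real keys.

```python
"""Compute and compare SSH host-key fingerprints.

Added example, not Aspera's code. Reproduces the OpenSSH fingerprint formats
from a public-key line and performs the client-side comparison against a
fingerprint obtained out of band.
"""
import base64
import hashlib
import hmac


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_pub_line(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Build an OpenSSH public-key line '<type> <base64 blob> [comment]'.

    Constructed for the example: the blob layout is correct, the key bytes
    are arbitrary.
    """
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_pub_line(line: str) -> tuple[str, bytes]:
    """Return (key type, raw blob), checking that the type inside the blob
    agrees with the leading type field, as ssh-keygen does."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type field does not match blob")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH default format: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy 'ssh-keygen -E md5' format: 'MD5:' plus colon-separated hex."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_matches(trusted: str, observed: str) -> bool:
    """Compare the out-of-band fingerprint with the computed one in constant time."""
    return hmac.compare_digest(trusted.strip().encode(), observed.strip().encode())


def verify_host_key(trusted_fingerprint: str, presented_pub_line: str) -> bool:
    """Client-side check: accept the server only if the fingerprint of the key it
    presented equals the trusted value. Unparsable input is treated as a
    mismatch so the caller simply aborts the transfer."""
    try:
        _, blob = parse_pub_line(presented_pub_line)
    except (ValueError, UnicodeDecodeError):
        return False
    return fingerprint_matches(trusted_fingerprint, sha256_fingerprint(blob))


# Constructed sample keys: the genuine server key and an impostor's key.
GENUINE_PUB = make_pub_line("ssh-ed25519", bytes(range(32)), comment="root@transfer-server")
IMPOSTOR_PUB = make_pub_line("ssh-ed25519", bytes(range(32, 64)), comment="mitm")
# What the server administrator would publish for clients to trust.
TRUSTED_FINGERPRINT = sha256_fingerprint(parse_pub_line(GENUINE_PUB)[1])

if __name__ == "__main__":
    print("publish this fingerprint:", TRUSTED_FINGERPRINT)
    print("genuine server accepted:", verify_host_key(TRUSTED_FINGERPRINT, GENUINE_PUB))
    print("impostor accepted:", verify_host_key(TRUSTED_FINGERPRINT, IMPOSTOR_PUB))
```

On a real server the blob comes from the relevant /etc/ssh/ssh_host_*_key.pub file, and the published value should equal what ssh-keygen -lf prints for that file; the client computes the same function over the key it receives in the SSH key exchange and refuses the connection on any difference.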