OpenSSH security question

Hey guys,

I have been playing with OpenSSH on all my Linux devices on my home network. I have been transferring files back and forth between my laptop and desktop, and I have been updating my father's laptop without him really knowing, and it has been pretty smooth. It has made everything really easy to manage.

I have been thinking about port forwarding my desktop so that I could SSH in from school. Would this be secure? I was going to use SSH keys with a password in order to do this; would it be too big of an issue?

The use case for this is so if I forget a paper then no problem, just get the file from my desktop in a few seconds. The only things I have really done with OpenSSH are SFTP and SSH. Is there anything more I can do with SSH that I do not know of? I haven't researched it outside of playing with it and learning how to set up SSH keys.


You should be fine. Remote access over the internet is what ssh is there for. But:

  • Keep the host up to date
  • Make sure you disable root login ("PermitRootLogin" in sshd.conf)
  • Disable password login. There is no point in using keys when attackers can still access the machine via password.
  • Some people prefer to move sshd to a different port so that automated bots have a harder time finding it. Whether this improves security is questionable at best, but it will keep your log files from being cluttered.

Note that you'll need a static IP or dyndns to do this.

That is what I was thinking, just still learning about security and wanted a second opinion on it.

This is useful, I did not think about disabling root login.

Have this set up already, thanks for the reminder.

Additionally, install fail2ban.
This will write an iptables rule to block an IP after 3 failed attempts for a period of time (15 minutes I think by default). It watches the logs and can guard more than just SSH (Apache, FTP etc.).

It should be secure so long as you take precautions like those already mentioned. But if you're really paranoid about it you could set up a vpn and use that to access your local network instead. That way you're only opening up the VPN port to the internet and you don't really have to worry about bots and script kiddies and the like.


Make sure to grab your desktop's ssh fingerprint and verify it whenever you ssh in from the outside. Else you have no idea whether or not you're being man-in-the-middle'd.

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

Also make sure you have a strong username. Once script kiddies find your IP and port, they'll run down an alphabetical list of common first names and try to log in. So if your name is Chris or something, and you use that as your username, that's a chunk of the battle lost right there.

Use an aggressive login grace period. I think on many distributions it's like 120 seconds. For internet facing machines, I crank it down to 10 seconds, which is about 8 seconds more than I need.

If you don't think you'll use sftp/scp on the host, consider disabling it, or at least enabling logging. Else if someone nabs your username/password somehow, they can download all of your carefully collected, useless junk without you knowing (in any kind of convenient fashion) that they're even logged on.

Subsystem sftp /usr/lib/openssh/sftp-server -l INFO

You can specify what ciphers are valid, which can be nice if ever you run into some jackass ssh client that tries arcfour first, which I think is still available by default in some distributions.

Ciphers aes128-cbc,aes192-cbc,aes256-cbc

Root login can be restricted to key only, but seriously if you're logging in as root, just give me your computer now. :slight_smile: But seriously, prohibit-password will allow root to login via ssh keys. I mainly mention it because it can be super handy for internal use. If you have to allow root login from the outside world, ssh keys are the way to do it. If you don't have to allow root login, well, don't. You can always ssh in, change this setting, and restart the service should you need it.

#PermitRootLogin prohibit-password
PermitRootLogin no

And finally... Awww, Dexter_Kane beat me to it. VPNs are nice. Personally I have both VPN and SSH available to the outside world. Sometimes admins restrict one but not the other, so having 2 options to get out of a network and into mine is nice.
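The settings recommended in the post above can be checked mechanically. The script below is an added example (not code from the thread or from OpenSSH) that audits an sshd_config for them; the two sample configs are constructed, and it assumes LoginGraceTime is given in plain seconds.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings the post above recommends. sshd uses the FIRST value it reads for
# a keyword, so a hardened line placed below a default one is ignored; the
# audit mirrors that rule and stops at the first Match block.
sshd_value() {   # usage: sshd_value <config-file> <keyword>; prints 2nd field
    awk -v k="$2" 'tolower($1)=="match"{exit}
                   tolower($1)==tolower(k){print $2; exit}' "$1"
}

audit_sshd_config() {   # prints one line per finding, returns their count
    n=0
    v=$(sshd_value "$1" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-default}', want no"; n=$((n+1)); }
    v=$(sshd_value "$1" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-default yes}', want no"; n=$((n+1)); }
    v=$(sshd_value "$1" LoginGraceTime)   # plain seconds assumed (no "2m" suffix)
    { [ -n "$v" ] && [ "$v" -le 10 ]; } 2>/dev/null ||
        { echo "LoginGraceTime is '${v:-default 120}', want 10 or less"; n=$((n+1)); }
    v=$(sshd_value "$1" Ciphers)          # arcfour and CBC modes left OpenSSH's defaults long ago
    case "$v" in *arcfour*|*-cbc*) echo "Ciphers allows legacy algorithms: $v"; n=$((n+1));; esac
    # Subsystem needs the whole line: "Subsystem sftp <binary> [-l LEVEL]"
    line=$(awk 'tolower($1)=="match"{exit}
                tolower($1)=="subsystem" && $2=="sftp"{$1=$2=""; print; exit}' "$1")
    case "$line" in
        "") ;;                     # sftp not enabled, nothing to log
        *" -l "*) ;;               # logging requested
        *) echo "sftp subsystem enabled without -l logging:$line"; n=$((n+1));;
    esac
    return "$n"
}

# Constructed sample configs (not real files from the thread).
sample_weak=$(mktemp); sample_hard=$(mktemp)
trap 'rm -f "$sample_weak" "$sample_hard"' EXIT
cat > "$sample_weak" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
LoginGraceTime 120
Ciphers arcfour,aes256-ctr
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat > "$sample_hard" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
LoginGraceTime 10
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
Subsystem sftp /usr/lib/openssh/sftp-server -l INFO
EOF
audit_sshd_config "$sample_weak" || echo "weak config: $? finding(s)"
audit_sshd_config "$sample_hard" && echo "hardened config: clean"
```

Point it at /etc/ssh/sshd_config to check a real host; a finding for a commented-out keyword means sshd is running on its compiled-in default.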

Will do.

I will look into this as well; it will be the first time setting up a VPN.

Alright, I was wondering how to deal with that, thanks.

Will do. I was thinking about using KeePass for both the username and password and making it like 128ish characters.

Will do, will set it to something really short since I am going to be pasting the password and username from KeePass.

Will do. I am not sure if I will yet; I may disable it for now and turn it back on if I ever need to.

That I will have to learn more about.

Alright, I was going to use SSH keys for everything. The only computers I really want to access my desktop and server are my laptop and each other, if that makes sense.

Need to look into setting up VPNs. I need to learn more about how to set it up.

There's also an iptables-only way to limit connection attempts, as an alternative to fail2ban.

# record every new connection to port 22 in the "recent" address list
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# inserted above the first rule, so it is checked first: drop a new connection once the source already has 4 recorded hits within the last 60 seconds
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
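Both the fail2ban suggestion earlier in the thread and the iptables rules above come down to the same counting: failures per source address inside a sliding time window. The script below is an added example (not code from the thread, fail2ban or netfilter) that runs that counting over constructed auth.log lines under both thresholds; it assumes syslog timestamps from a single day and OpenSSH's stock "Failed password ... from <ip> port ..." message.

```shell
#!/bin/sh
# Added example, not code from the thread: the counting that fail2ban and the
# iptables "recent" rules above do, run over constructed auth.log lines so you
# can see which source addresses each threshold would block. Assumes syslog
# timestamps from one day (seconds-of-day arithmetic) and OpenSSH's stock
# "Failed password ... from <ip> port ..." message.
flag_bruteforce() {   # usage: flag_bruteforce <logfile> <hitcount> <seconds>
    awk -v hits="$2" -v win="$3" '
    /sshd\[[0-9]+\]: Failed password/ {
        split($3, hms, ":"); now = hms[1]*3600 + hms[2]*60 + hms[3]
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
        t[ip, ++last[ip]] = now                    # append this failure
        while (last[ip] - first[ip] > 0 && t[ip, first[ip]+1] < now - win)
            first[ip]++                            # evict failures outside the window
        if (last[ip] - first[ip] >= hits && !(ip in blocked)) {
            blocked[ip] = 1
            print ip, "blocked at", $3, "(" hits " failures within " win "s)"
        }
    }' "$1"
}

# Constructed log lines (TEST-NET addresses; not a real capture). 203.0.113.5
# hammers the host, 198.51.100.7 retries slowly, 192.0.2.10 is the owner
# mistyping once before the key login succeeds.
sample_log=$(mktemp); trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
Mar 12 10:00:01 desktop sshd[2101]: Failed password for invalid user chris from 203.0.113.5 port 51234 ssh2
Mar 12 10:00:05 desktop sshd[2101]: Failed password for invalid user chris from 203.0.113.5 port 51234 ssh2
Mar 12 10:00:09 desktop sshd[2104]: Failed password for invalid user dave from 203.0.113.5 port 51240 ssh2
Mar 12 10:00:14 desktop sshd[2104]: Failed password for invalid user dave from 203.0.113.5 port 51240 ssh2
Mar 12 10:00:30 desktop sshd[2110]: Failed password for dan from 192.0.2.10 port 50000 ssh2
Mar 12 10:00:41 desktop sshd[2110]: Accepted publickey for dan from 192.0.2.10 port 50000 ssh2
Mar 12 10:01:00 desktop sshd[2115]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Mar 12 10:05:00 desktop sshd[2130]: Failed password for invalid user admin from 198.51.100.7 port 40019 ssh2
Mar 12 10:12:00 desktop sshd[2162]: Failed password for invalid user pi from 198.51.100.7 port 40033 ssh2
EOF
echo "fail2ban-style (3 failures in 15 min):"; flag_bruteforce "$sample_log" 3 900
echo "iptables recent rule (4 hits in 60 s):";  flag_bruteforce "$sample_log" 4 60
```

The slow retrier is caught only by the longer fail2ban-style window, which is the trade-off between the two approaches: the iptables rule needs no log parsing but only sees bursts.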

The username doesn't matter. If you are concerned about your login being unsafe just increase the size of the key. For the attacker to be successful they'd have to crack a certain number of bits. Doesn't matter whether those bits come from the username or the password/key.

You are only making your life harder with this. Appending those 128 characters to the password/key is just as safe if not safer.