SSH to the world (outside LAN)

Laodiceans · 10-05-2010, 10:36 PM

Hi

I use ssh in my LAN with authorized_keys in my .ssh so I have not to put passwords all the time.
But now I can use ssh outside LAN. How do it in the most secure way?
I have to open a port in my router for it. Any port? Should I continue to use the authorized_keys? What more?
Any help is welcome.

Ramurd · 10-05-2010, 11:30 PM

Question back:

Do you mean to connect from the outside world to your lan?

In that case: presuming you have a firewall with all the ports closed, you will have to have port 22 (by default) opened. Given my own logs, opening this up directly will cause hackers to try to log in. My up-to-now working solution for this is a phenomenon called "port knocking"; using the "recent" rule in iptables you connect first to a secret port number only you know (I call this port "a")

set it up like this: port a-1 : close port 22, port a: open port 22, port a+1: close port 22

This prevents furtive portscanners to open up port 22 :-)
What you do then is: telnet to port a, which opens up port 22 for your pc for a short while; then you ssh to your computer. For other people port 22 will still be closed.
If you're behind a NATted network, you will have port 22 open for the whole network (I think) for the duration setup by iptables (normally 1 minute). After closing port 22, any live connection will remain, but no new connections will be possible.

If needed, I can provide an example, but even better for you is to read up on iptables with the "recent" rules ;-) I will leave that as an exercise for you for now.

Then regarding passwords/secure keys:
passwords are already fairly secure, but more secure is authorized keys of course. For this latter, you must know who is going to connect and they will need the public key of the user(s) that are to be allowed to log in remotely. Naturally, root must be prevented from logging in over ssh; For root commands to work, you better setup sudo, or plain use "su -" and ask for a password then.

This should give you a secure, working setup; I think routers normally automatically direct the traffic to your computer; If not so, you will have to setup your router to forward the traffic to your computer.

T3slider · 10-06-2010, 01:04 AM

If you are going to open your ssh server to the world, I would recommend running it on a non-standard port (I have mine running on an unassigned port, according to this list, and I haven't had a single attempted entry). You could follow Ramurd's advice if you insist on running it on the standard port 22, but it is easier to run on a non-standard port in my opinion (otherwise you would have to forward two ports to your computer, and though a good iptables firewall would reject any malicious attempts on your ssh server, you are still opening up your computer to increased attacks, regardless of whether or not they are successful). Then set up your router to forward connections from that port to your computer. I have my /etc/hosts.deny set to "ALL : ALL" and I just allow my local LAN to access services from my server, but to allow access to sshd from the outside world, regardless of the port you have set in /etc/ssh/sshd_config, the following in /etc/hosts.allow does nicely:

Code:

sshd : ALL : allow

Of course that only applies if you have a similar setup, in which you deny everyone and accept only those on a whitelist.

Definitely change "PermitRootLogin" to "no" in /etc/ssh/sshd_config, and if you have a good iptables firewall setup, be sure to add a rule allowing connections to your non-standard ssh port. I have the following:

Code:

$IPT -A tcp_inbound -p TCP --destination-port # -j ACCEPT

where # is the port number you have assigned to sshd (and $IPT is a variable pointing to /usr/sbin/iptables...).

Perhaps a bit elaborate but I find this setup allows access from anywhere while still being relatively secure. Perhaps if you run a professional server a non-standard port for ssh is not acceptable, but for home use this prevents 99% (or more) of the attacks on your server.

If you're paranoid you can also explicitly disabled passworded logins and force the use of authorized keys. If you're really paranoid you can setup a more complex iptables firewall that blocks anyone who makes three unsuccessful ssh login attempts (or something similar).

Laodiceans · 02-02-2011, 04:10 PM

This are my settings:

In /etc/ssh/sshd_config I changed this:

Code:

Port 22
Port 465
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no

In hosts.allow

Code:

sshd: ALL

In hosts.deny

Code:

ALL:ALL

I still have DenyHosts installed but it seams not block anything with this settings

. Maybe is not need it...
Are this good settings?

PS: I use ssh-keygen keys to access to the server.

dive · 02-02-2011, 06:05 PM

I would choose a much higher port. Certainly higher than 0-1024 which are the main service ports that will get scanned. I usually go for something 20000+