I'd like to be able to SSH to my Ubuntu 10.04 office PC from the outside. I am thus thinking of starting up an SSH daemon on the PC. What are the security issues, possible glitches, specific configuration settings, etc. I should be aware of?
In case it matters: this is essentially for my own use only, I don't think there will be other people using it; it's an Ubuntu 10.04 PC in a mostly Windows 7/Vista/XP environment.
Answer
The biggest concern would be people logging in as the computer's administrator over SSH. This can be done by brute force if you have an easy-to-guess password.
There are several safety measures that you can take; below are some of the ones I always take when setting up an SSH server and some extra.
Use a strong password, consisting of at least (say) 10 upper- and lowercase letters, numbers and other characters.
Jail users to their home directory. Jailed users will not be able to access/edit files that are outside their home directory. So your user will not be able to access/edit key system files. Lots of tutorials can be found online on how to jail a user. Most of them use JailKit. An example of such a tutorial can be found here. Alternatively, you can also use the OpenSSH-server's native ChrootDirectory directive. An example of a tutorial on this can be found here.
Install Fail2Ban. Fail2Ban is a program that checks the authentication logs for wrong entries. When a certain limit is reached, it adds a firewall block for that certain IP for a preset amount of time. There are also several online tutorials found online about how to set up Fail2Ban with SSH, an example would be this one. The Fail2Ban homepage holds some nice and complete HOWTOs as well.
Disable root login through SSH. This is the user that has access to pretty much every file on your system, disabling its shell login is therefore recommended. In the latest versions of Ubuntu, the root user is automatically disabled but it doesn't hurt to disable its SSH access anyway. This is done by editing the file /etc/ssh/sshd_config.✝ Look for the following line and make sure there is no # in front of it.
#PermitRootLogin no
Use a non-standard port (e.g. not 22). This is either done through port forwarding in your router (e.g. 16121 -> 22 instead of 22 -> 22) or by making the SSH daemon listen on a different port. This will make your SSH service less easily detectable to malicious users. This is done by editing the file /etc/ssh/sshd_config.✝ Look for the following line and change 22 to whatever port you want. Don't forget to forward the correct port in your router afterwards.
Port 22
Do not use passwords to log in. Besides passwords, SSH also allows login by the use of private keys. This means a key is stored on your computer on which you access the SSH of the SSH machine. When a connection is attempted, the SSH client uses the key to log in to the server instead of through password authentication. Authentication keys are a lot stronger cryptographically than passwords are and therefore not so easy to crack. There are also several online tutorials found online about how to set up key-based authentication with SSH, an example would be this one. (If you SSH from Windows with PuTTY, check this link for a PuTTY howto.) After you've set up the key-based authentication, you can disable the password authentication by editing the file /etc/ssh/sshd_config.✝ Look for the following line and make sure there is no # in front of it.
#PasswordAuthentication no
Optionally, as @Linker3000 mentioned in his comment, you could set up a VPN tunnel to the PC you want to access through SSH and then disallow non-local network access on the SSH server. That way, no external device without a VPN connection will be able to access your SSH server. This can be done by denying ALL hosts and then allowing only the local network IPs to log in. This is done by editing /etc/hosts.deny and adding the following:
sshd: ALL
and to /etc/hosts.allow add the following:
sshd: 192.168.1.*
where the IP matches the one of your local network. * is a wildcard, so all IP addresses starting with 192.168.1. will be accepted. If this doesn't work, your distribution might use ssh instead of sshd. In that case, you should try ssh: 192.168.1.* and ssh: ALL instead.
You could only allow specific hosts, do the same with the /etc/hosts.allow and /etc/hosts.deny as described in 6, but in /etc/hosts.allow add the following line and every host to allow separated by spaces:
sshd: {IP OF HOST TO ALLOW 1} {IP OF HOST TO ALLOW 2} {IP OF HOST TO ALLOW 3} {ETC.}
Allow only specific users to access your SSH server. This is done by editing the file /etc/ssh/sshd_config.✝ Look for the following line and make sure there is no # in front of it. If it doesn't exist, create it. For example, if you want to allow john, tom and mary only, add/edit this line:
AllowUsers john tom mary
You could also deny specific users for example, if you want to deny access to john, tom and mary, add/edit this line:
DenyUsers john tom mary
Only allow protocol SSH2 for incoming connections. There are two versions of the SSH protocol. SSH1 is subject to security issues so using SSH 2 is recommended. This can be forced by editing the file /etc/ssh/sshd_config.✝ Look for the following line and make sure there is no # in front of it. If it doesn't exist, create it.
Protocol 2,1
Remove the ,1 so the line will be
Protocol 2
Don't allow users to log in that have no password set. This can be forced by editing the file /etc/ssh/sshd_config.✝ Look for the following line and make sure there is no # in front of it. If it doesn't exist, create it.
PermitEmptyPasswords no
And although simple and perhaps needless to say but proven crucial in multiple cases, keep your software up-to-date. Regularly update your installed packages/software.
✝ = after having edited the SSH config file, don't forget to restart the daemon to apply changes. Restart the daemon by executing:
sudo /etc/init.d/ssh restart
or
sudo /etc/init.d/sshd restart
depending on which distribution of Linux you are using.
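An added example (not part of the original answer): a POSIX shell check that reads an sshd_config and reports which of the directives recommended above are not in effect, treating a line that still has a # in front of it as unset. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sshd_config for the settings recommended in the answer.

# effective_value FILE KEYWORD
# Print the value of the first uncommented KEYWORD line. Keywords are
# case-insensitive and sshd uses the first value it reads; Match blocks
# are conditional, so scanning stops at the first one.
effective_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Print one FINDING line per recommended setting that is not in effect.
audit_sshd_config() {
    # Protocol only matters on OpenSSH builds that still offer SSH1.
    for want in "PermitRootLogin no" "PasswordAuthentication no" \
                "PermitEmptyPasswords no" "Protocol 2"; do
        key=${want%% *}; expected=${want#* }
        actual=$(effective_value "$1" "$key")
        [ "$actual" = "$expected" ] ||
            echo "FINDING: $key is '${actual:-unset}', want '$expected'"
    done
    # Without AllowUsers, every account with a shell may attempt a login.
    [ -n "$(effective_value "$1" AllowUsers)" ] ||
        echo "FINDING: AllowUsers is unset"
    return 0
}

# Constructed sample: the commented-out lines are what the answer warns about.
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
#PermitRootLogin no
Port 22
Protocol 2,1
#PasswordAuthentication no
PermitEmptyPasswords no
EOF

audit_sshd_config "$weak_cfg"
rm -f "$weak_cfg"
```

Running `sudo sshd -t` after editing checks the file for syntax errors before the daemon is restarted.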