
Opening the SSH port: security concerns

  • 31-05-2006 12:21pm
    #1
    Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭


    So...now I have my ubuntu box running at home, I was thinking that I could kick off useful tasks while I'm at work. The box is behind a NAT router, so it's relatively secure, but I want to be able to ssh into it (or possibly use FreeNX (which uses the ssh port)).

    So if I open up port 22 (or have some other external port forward to 22 on the box) and my password is secure, am I asking for it?

    What measures should I take to make the system more secure?


Comments

  • Technology & Internet Moderators Posts: 28,820 Mod ✭✭✭✭oscarBravo


    SSH is pretty secure, but keep it up-to-date. Don't have any common user names (john, mike, admin etc) on your box.

    Read up on snort too.


  • Closed Accounts Posts: 365 ✭✭ronanp


    You'll be grand, as the previous poster said keep openssh up to date, have a password policy, and if it's just from work you'll be using it, you should definitely definitely use tcp wrappers to control access.


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    You might also want to consider using a non-standard port. Not that I'm advocating "Security by Obscurity", but there was a brute-force ssh worm doing the rounds a while back that was filling up my logs with failed attempts. I never had any concerns about my security but I was concerned that the amount of clutter from all the failed attempts might make me miss an important log entry that I would otherwise have spotted. I moved ssh to port 24 and that was the end of that little problem.

    Regards,

    Liam


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    I've always thought using a non-standard port is overkill - a port scanner will find it soon enough - but I guess every little helps. Anyway OP, make sure root can't login to the box directly - in fact lock logins down to selected users, the less the better - and use pam's wheel module for su. Google "pam wheel su" if you're not following me.

    adam


  • Registered Users, Registered Users 2 Posts: 2,097 ✭✭✭kiffer


    Ken Shabby wrote:
    I've always thought using a non-standard port is overkill - a port scanner will find it soon enough - but I guess every little helps.

    Hum ... using a non-standard port is overkill eh?
    I've got port 22 closed, and use some portknocking software to open it back up from outside when I need it, that way I don't get any login attempts and I'm pretty much covered should some ssh exploit crop up suddenly.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Thanks lads.

    My current setup is basically the ubuntu default. No root password, sudo for everything. I'll stick it on a different port and bump up my password a bit.

    My login name is my first name, which is a common name. Once my password is secure, this isn't really an issue, right?

    Liamo: Which log file in particular records failed login attempts?

    Last question: Is there an easy way to restrict external login by IP range? I have shell access to another machine with a static IP, so I could go through that.


  • Closed Accounts Posts: 365 ✭✭ronanp


    Liamo: Which log file in particular records failed login attempts?

    You should see login failures in /var/log/messages

    Last question: Is there an easy way to restrict external login by IP range? I have shell access to another machine with a static IP, so I could go through that.

    As I said above, use tcp wrappers with sshd. It allows you to specify an IP address or range of IP addresses which are allowed to login via ssh in your /etc/hosts.allow file. Have a look at "man hosts.allow"
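
    As an added illustration (not code from any poster), here is a small Python model of how tcp wrappers evaluates the hosts.allow / hosts.deny pair for sshd. It assumes the constructed rule sets shown below and implements only the plain-IP, trailing-dot prefix, net/mask and ALL client patterns from hosts_access(5), not hostnames or ALL EXCEPT.

```python
import ipaddress

# Constructed rule sets in hosts_access(5) syntax, as one would put in
# /etc/hosts.allow and /etc/hosts.deny (assumed values, not a real setup).
HOSTS_ALLOW = """\
# the static IP of the work box, plus the home LAN
sshd: 192.0.2.10, 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = """\
# everything not explicitly allowed above is refused
sshd: ALL
"""


def _parse(text):
    """Yield (daemon, [client patterns]) for each rule line, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        clients = rest.split(":", 1)[0]          # drop an optional shell-command field
        for d in daemons.split(","):
            yield d.strip(), [c.strip() for c in clients.split(",") if c.strip()]


def _matches(pattern, ip):
    """Subset of hosts_access(5) client patterns (no ALL EXCEPT, no hostnames)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                    # prefix form, e.g. 192.168.
        return str(ip).startswith(pattern)
    if "/" in pattern:                           # net/mask form
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return str(ip) == pattern


def is_allowed(daemon, client_ip, allow_text, deny_text):
    """hosts.allow is consulted first and the first match grants access; then
    hosts.deny, where the first match refuses. No match in either file means
    access is granted, which is why the catch-all 'sshd: ALL' in hosts.deny matters."""
    ip = ipaddress.ip_address(client_ip)
    for d, patterns in _parse(allow_text):
        if d in ("ALL", daemon) and any(_matches(p, ip) for p in patterns):
            return True
    for d, patterns in _parse(deny_text):
        if d in ("ALL", daemon) and any(_matches(p, ip) for p in patterns):
            return False
    return True
```

    The last assertion-style case worth trying yourself is an empty hosts.deny: with nothing denying, every address is accepted, so the allow list alone is not a restriction.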


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    ronanp wrote:
    As I said above, use tcp wrappers with sshd. It allows you to specify an IP address or range of IP addresses which are allowed to login via ssh in your /etc/hosts.allow file. Have a look at "man hosts.allow"

    Grand. Thanks. Didn't equate what you said earlier with IP-specific restriction.


  • Registered Users, Registered Users 2 Posts: 6,638 ✭✭✭zilog_jones


    lol, this reminded me to check up on my firewall settings: I just realised port 22 was being forwarded from my pc to the external IP address, and the password on my machine is "a"! Must have been like that since about march...


  • Registered Users, Registered Users 2 Posts: 1,865 ✭✭✭Syth


    It is possible to only restrict ssh to only certain usernames and IPs. You can whitelist IPs or blacklist IPs. If you're using Ubuntu then your normal user account is basically your root account. If you're only going to be logging in from a few other hosts, you can disable passwords and force the use of ssh keys.

    Though I normally hate security through obscurity, using a different port so that your log files are much cleaner is a good reason. Though you really should look into automatic log file parsers. That should help.
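
    As an added example of the "automatic log file parser" idea (not code from any poster or from Swatch), the Python below scans sshd lines in the format found in /var/log/auth.log or /var/log/messages, counts failed logins per source address, and flags addresses that reached a threshold. The sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format sshd writes to /var/log/auth.log
# (Debian/Ubuntu) or /var/log/messages on other distributions.
SAMPLE_LOG = """\
May 31 12:01:02 box sshd[2231]: Invalid user admin from 203.0.113.5
May 31 12:01:02 box sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
May 31 12:01:05 box sshd[2233]: Failed password for invalid user john from 203.0.113.5 port 41031 ssh2
May 31 12:01:09 box sshd[2235]: Failed password for root from 203.0.113.5 port 41040 ssh2
May 31 12:01:13 box sshd[2237]: Failed password for invalid user mike from 203.0.113.5 port 41052 ssh2
May 31 12:02:44 box sshd[2260]: Accepted password for liam from 192.0.2.10 port 50213 ssh2
May 31 12:03:10 box sshd[2271]: Failed password for liam from 192.0.2.10 port 50220 ssh2
"""

# "Invalid user" lines are the same attempt as the following "Failed password for
# invalid user" line, so only the latter is counted to avoid double counting.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize(log_text, threshold=3):
    """Return failures per source IP, usernames tried per IP, successful
    logins as (user, ip), and the IPs whose failure count reached threshold.
    A guessing bot walks a list of common names (admin, john, mike, root...),
    so users_by_ip makes that pattern visible at a glance."""
    failed_by_ip = Counter()
    users_by_ip = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            _, user, ip = m.groups()
            failed_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            _method, user, ip = m.groups()
            accepted.append((user, ip))
    flagged = sorted(ip for ip, n in failed_by_ip.items() if n >= threshold)
    return {"failed_by_ip": failed_by_ip, "users_by_ip": dict(users_by_ip),
            "accepted": accepted, "flagged": flagged}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in report["flagged"]:
        print(f"{ip}: {report['failed_by_ip'][ip]} failures, users tried: "
              f"{sorted(report['users_by_ip'][ip])}")
```

    The accepted-login list is the part worth reading even on a quiet box: a successful login from an address you do not recognise is the entry the log clutter would otherwise hide.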


  • Technology & Internet Moderators Posts: 28,820 Mod ✭✭✭✭oscarBravo


    Syth wrote:
    If you're only going to be logging in from a few other hosts, you can disable passwords and force the use of ssh keys.
    You could even do that if you could be logging in from anywhere, as long as you always carry PuTTY and your private key around with you on a USB disk.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I ended up restricting it to a single static IP through the hosts.allow. No bothers so far. Love accessing my home machine from work.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Disallow SSH root access at least (or does ubuntu do this by default?).

    Look into Swatch, handy for blocking SSH dictionary attacks


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    It doesn't allow a root login by default, though the default user has full sudo privs. I have it set to allow (password authenticated) login based on originating IP. Works a charm. Love being able to kick off video conversions while at work. :D

