LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-21-2005, 09:19 AM   #1
hoover93
Member
 
Registered: Aug 2003
Distribution: RedHat 9, SuSE 9.2
Posts: 49

Rep: Reputation: 15
ssh risk


is ssh reasonably secure for remote administration? i need a way to perform maintenance on a server at a branch office without always having to travel on-site for ordinary chores like adding a new user account.

if i were to open the port in our hardware firewall to allow ssh connection to a specific host would i be inviting the world to hack my file server?

i'm not a security guru, but from what i've read, ssh seems to be a preferred method for remote connections. ssh does not allow login as root, correct? the traffic is encrypted, correct?

the beauty of linux is that i could perform nearly any admin tasks from with command prompt and a text editor. but, i'd like to know that allowing ssh is at least "reasonably" secure.

i don't want to be lax about security, but i don't want to be overly paranoid either.

thanks for the advice.
 
Old 10-21-2005, 09:28 AM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
SSH is secure enough for remote access. It does encrypt traffic and can be configure to exclude direct root access. You can minimize the risk of opening a hole in your firewall by restricting access to just the endpoints, ie the server that you will admin and the client that you will connect from.
 
Old 10-21-2005, 09:52 AM   #3
hoover93
Member
 
Registered: Aug 2003
Distribution: RedHat 9, SuSE 9.2
Posts: 49

Original Poster
Rep: Reputation: 15
the client that i'll connect from will change periodically as our isp uses dhcp. can i restrict ssh logins to one account?
 
Old 10-21-2005, 11:06 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Rep: Reputation: 414Reputation: 414Reputation: 414Reputation: 414Reputation: 414
Yes. You can add an AllowUsers directive to your sshd_config file and then only the users listed can get access. You can also further lock it down by not allowing usernames or passwords, but use public key authentication instead.
 
Old 10-21-2005, 05:59 PM   #5
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
Another point I have seen brought up before is that if you move ssh from port 22, the automated and canned script kiddie attacks will be cut down by quite a bit.
 
Old 10-21-2005, 07:18 PM   #6
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,401

Rep: Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119
What I would most strongly recommend is what I have recommended in the past... use digital certificates with SSH. Don't rely upon username/password authentication.

Only users who can present a valid certificate will be allowed to go further. It will not matter if they know a password or can guess it; their passport is rejected at the outer gate. This will truly stop the "script kiddies" who, otherwise, will come to call and will begin to hammer against your username/password file around the clock with the persistence that only a computer can create.

VPN (virtual private networking) is very handy as well. It wraps everything in an encryption packet, and once again it is best used with digital certificates. (i.e. Don't use Pre-Shared Keys.)

The overwhelming advantage of digital certificates, aside from the fact that they cannot be forged, is that they are individually issued and can be individually revoked. If a computer is lost or stolen, its access can be selectively revoked.

Without certificates, unfortunately, "SSH is simply another shell." It gives anyone-in-the-universe the opportunity to try a username-plus-password against your system. Sure, it encrypts the traffic, but it allows anyone to try to log in. But with certificates, only the bearers of an un-forgeable (and unrevoked) credential will ever be given the opportunity to utter magic words.

Last edited by sundialsvcs; 10-21-2005 at 08:48 PM.
 
Old 10-21-2005, 08:08 PM   #7
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
That all sounds very enticing, and I wouldn't mind trying it out myself. Got a good HOWTO on the subject?
 
Old 10-21-2005, 08:45 PM   #8
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,401

Rep: Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119
A good source of howtos is here. Look at "local copies" such as this one. (However, I would encourage you to peruse the whole site.)

I really want to emphasize... this stuff is not hard to do. And it makes your SSH connection "really secure" for the first time. Script kiddies might be able to detect that you have an open SSH port into your system, but they can't begin to touch it.

Last edited by sundialsvcs; 10-21-2005 at 08:47 PM.
 
Old 10-21-2005, 09:03 PM   #9
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
Great, I'll be reading those over and hopefully being able to sleep at night now with port 22 open.
Thanks a lot for the help / ideas, good stuff to know!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Security Risk computerdude Linux - Security 3 08-31-2005 02:25 PM
is this a security risk? shanenin Linux - Security 8 11-02-2003 04:27 PM
Will a RISK Processor Run on Linux, PA-RISK 8500 at 400MHz CPU IBNETMAN79 Linux - General 2 03-08-2002 07:09 PM
Will a RISK Processor Run Linux, PA-RISK 8500 CPU IBNETMAN79 Linux - Newbie 1 03-08-2002 06:49 PM
Will A RISK CPU Run Linux, HP PA-RISK 8500 CPU IBNETMAN79 General 0 03-08-2002 06:39 PM


All times are GMT -5. The time now is 03:50 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration