LinuxQuestions.org

Linux - Security: SSH security. (https://www.linuxquestions.org/questions/linux-security-4/ssh-security-740571/)

rich_c 07-16-2009 11:48 AM

SSH security.
 
A subject that's been done to death, I know but I'm after opinions as to whether I'm working along the right lines...

I'd like to forward (NAT router) port 22 from the internet to my PCLOS (Firewall configured.) box which has sshd running and fail2ban installed, default config. My users' passwords probably aren't the most robust ever... root is reasonably secure, I think. My main Mepis (Firewall disabled.) box also has sshd running but as yet no fail2ban.

So, basically all that would be between my whole network and anyone snooping for open port 22 is fail2ban on my PCLOS box. I appreciate that there is a lot more hardening that I could do but for practical purposes is that enough?

jhwilliams 07-16-2009 12:10 PM

Quote:

Originally Posted by rich_c (Post 3609725)
passwords probably aren't the most robust ever... root is reasonably secure, I think.

If you haven't yet, I would just straight up disable root ssh login. If you need to admin the box, sudo/su from (which user has privileges? No one external knows!)

viGeek 07-16-2009 02:32 PM

There's some misc security techniques that are pretty useful on www.RussThompson.me

Also shows how to disable direct root login as well

AlucardZero 07-16-2009 02:40 PM

http://www.linuxquestions.org/questi...tempts-340366/

at the top of this forum

rich_c 07-16-2009 04:13 PM

Thanks all! Root login on my Mepis box was set to without-password which I guess is reasonably secure. I've changed it to no. Will check my PCLOS box tomorrow.

billymayday 07-16-2009 05:07 PM

For an external connection, it is more secure to have ssh listen on some port other than 22 as well. That way you need to know the port to connect to, and a user that will work. I only allow one, otherwise useless, user to connect from an external IP, and that user has to su to root to do anything useful.

jhwilliams 07-16-2009 05:15 PM

Yea, maybe -- but then you have to specify what port you want all the time, which is like having an IP address to remember. Not worth the hassle, imho.

billymayday 07-16-2009 05:41 PM

Quote:

Originally Posted by jhwilliams (Post 3610033)
Yea, maybe -- but then you have to specify what port you want all the time, which is like having an IP address to remember. Not worth the hassle, imho.

Not as hard as an IP, and avoids the ssh port scanners.

AlucardZero 07-16-2009 06:07 PM

and you can set it in ~/.ssh/config

rich_c 07-17-2009 05:43 AM

Just checked my PCLinuxOS machine and PermitRootLogin no is default. So, for anyone else's info, both Mepis & PCLOS don't permit ssh root login with password. In my case, my machines now do not allow it at all.

The changing port thing would fix the ssh scanners good and proper. I might see if I can set my router up to forward port <random> to port 22 so I retain the standard port on my LAN.

jschiwal 07-17-2009 06:22 AM

Quote:

I might see if I can set my router up to forward port <random> to port 22 so I retain the standard port on my LAN.
That should be easy to do, and a reasonable solution. An attacker can still scan the ports on the router and discover the ssh service. But it will eliminate almost all script kiddie or bot attacks. This will remove a lot of the noise in the logs, allowing more serious attempts to stand out.

Quote:

Root login on my Mepis box was set to without-password
By this do you mean you used public key authentication, or do you mean the root account didn't have a password? The former is pretty good, but if you don't need a root ssh login for automated cron jobs, then don't have root logins. You can log in under your own account and use sudo or su to root.

You can also forward one port on the router to PCLOS port 22 and another to MEPIS port 22.
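The PermitRootLogin question that rich_c and jschiwal go back and forth on above is easy to get wrong by eye, because sshd keeps only the first occurrence of a directive and anything after a Match line is conditional. The script below is an added example, not something posted in this thread: it writes a constructed sshd_config to a temp file, then reports the effective value of a few directives and whether root login over ssh is actually switched off. The sample file contents and the function names are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report what sshd will actually use for
# a few sshd_config directives. sshd takes the FIRST occurrence of a directive
# and ignores later duplicates, and directives after a "Match" line apply only
# conditionally, so a hand-edited file can look hardened while not being so.

# Writes a constructed sample sshd_config to a temp file and prints its path.
sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sshd_config, not taken from any real machine
Port 2222
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
# duplicate further down: sshd keeps the first value above and ignores this
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}

# sshd_directive FILE KEYWORD -> effective value, or "unset" (compiled-in default)
sshd_directive() {
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments and indentation
        /^$/ { next }                              # skip empty lines
        tolower($1) == "match" { exit }            # stop at the conditional section
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_disabled FILE -> exit status 0 only when PermitRootLogin is "no"
root_login_disabled() {
    [ "$(sshd_directive "$1" PermitRootLogin | tr 'A-Z' 'a-z')" = no ]
}

# audit_sshd FILE -> prints a short report of the effective settings
audit_sshd() {
    for k in Port PermitRootLogin PasswordAuthentication; do
        printf '%-24s %s\n' "$k" "$(sshd_directive "$1" "$k")"
    done
    if root_login_disabled "$1"; then
        echo "root login over ssh: disabled"
    else
        echo "root login over ssh: NOT disabled (unset means the compiled-in default applies)"
    fi
}

cfg=$(sample_sshd_config)
audit_sshd "$cfg"
rm -f "$cfg"
```

On a live box the same answer comes from `sshd -T`, which prints the configuration sshd has actually loaded; the parser here is only a stand-in that runs without a daemon and makes the first-occurrence-wins rule visible.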

unixfool 07-17-2009 11:54 AM

Quote:

Originally Posted by billymayday (Post 3610020)
For an external connection, it is more secure to have ssh listen on some port other than 22 as well. That way you need to know the port to connect to, and a user that will work. I only allow one, otherwise useless, user to connect from an external IP, and that user has to su to root to do anything useful.

It's called security by obscurity and hiding a port does nothing to lessen being vulnerable.

I wouldn't say moving the default listening port is secure...it isn't. A simple scan should show what's open, no matter where you move it. The only good thing about actually moving it is that it'll cut down on the log size, as script kiddies and such just tend to scan against the default port.

rich_c 07-17-2009 12:20 PM

Quote:

Originally Posted by jschiwal (Post 3610570)
By this do you mean you used public key authentication

Yup, to log in as root would require keys to be set up. I never bothered. Just logged in as user & su'd.

Will have a play about with varying port numbers to see what happens with regard to the number of probes.

win32sux 07-17-2009 12:27 PM

When moving to a non-default port, I think it's a good idea to run something like psad to, among other things, lessen the ease by which your port can be spotted. Nothing is a replacement for making sure the actual SSH daemon is as tight as possible, but as long as you don't develop a false sense of security, using a non-default port can have nice benefits (for example, the noise reduction mentioned by jschiwal, which can encourage the administrator to take alerts more seriously).

unixfool 07-17-2009 12:55 PM

Quote:

Originally Posted by jhwilliams (Post 3610033)
Yea, maybe -- but then you have to specify what port you want all the time, which is like having an IP address to remember. Not worth the hassle, imho.

This is why I use aliases. The aliases are usually named after the hostname of the machine, so all I have to do is type "saturn" and the ssh client goes to that server on the listening port.
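AlucardZero's ~/.ssh/config remark and unixfool's "saturn" alias both rely on how the ssh client walks Host blocks: it takes the first value it obtains for each option, so a specific alias must sit above the catch-all `Host *`. The script below is an added example, not code from the thread: it writes a constructed client config and resolves an alias to user, host and port the way ssh(1) would. The hostnames, alias names and function names are assumptions, and the matcher handles only `*`/`?` patterns, not the `!` negation or `Key=Value` syntax the real client also accepts.

```shell
#!/bin/sh
# Added example (not from the thread): resolve an ssh client alias the way
# ssh(1) matches ~/.ssh/config. The first value obtained for an option wins,
# walking Host blocks in file order, so specific aliases go above "Host *".

# Writes a constructed sample client config to a temp file and prints its path.
sample_client_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample ~/.ssh/config, not from the thread
Host saturn
    HostName saturn.example.net
    Port 2222
    User rich

Host *
    Port 22
    ServerAliveInterval 60
EOF
    printf '%s\n' "$f"
}

# ssh_option FILE ALIAS OPTION -> effective value, or "unset"
ssh_option() {
    awk -v alias="$2" -v opt="$3" '
        # minimal glob matcher for Host patterns: supports "*" and "?" only
        function globmatch(p, s,   i) {
            if (p == "") return s == ""
            if (substr(p, 1, 1) == "*") {
                for (i = 0; i <= length(s); i++)
                    if (globmatch(substr(p, 2), substr(s, i + 1))) return 1
                return 0
            }
            if (s == "") return 0
            if (substr(p, 1, 1) == "?" || substr(p, 1, 1) == substr(s, 1, 1))
                return globmatch(substr(p, 2), substr(s, 2))
            return 0
        }
        BEGIN { active = 1 }                       # options before any Host apply to all
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }     # drop comments and indentation
        /^$/ { next }
        tolower($1) == "host" {                    # a Host line may list several patterns
            active = 0
            for (i = 2; i <= NF; i++) if (globmatch($i, alias)) active = 1
            next
        }
        active && tolower($1) == tolower(opt) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# ssh_target FILE ALIAS -> "user@host:port" (or "host:port" when no User applies)
ssh_target() {
    host=$(ssh_option "$1" "$2" HostName)
    if [ "$host" = unset ]; then host=$2; fi          # no HostName: alias is the host
    port=$(ssh_option "$1" "$2" Port)
    if [ "$port" = unset ]; then port=22; fi          # ssh default port
    user=$(ssh_option "$1" "$2" User)
    if [ "$user" = unset ]; then
        printf '%s:%s\n' "$host" "$port"
    else
        printf '%s@%s:%s\n' "$user" "$host" "$port"
    fi
}

cfg=$(sample_client_config)
echo "saturn  -> $(ssh_target "$cfg" saturn)"     # alias block wins: port 2222
echo "jupiter -> $(ssh_target "$cfg" jupiter)"    # only "Host *" matches: port 22
rm -f "$cfg"
```

With a stanza like the saturn one in place, typing `ssh saturn` reaches the non-default port without remembering it, which is the convenience point jhwilliams raised; the real client exposes the same resolution through `ssh -G saturn`.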

