LinuxQuestions.org
Old 10-05-2010, 11:36 PM   #1
Laodiceans
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 188

Rep: Reputation: 18
SSH to the world (outside LAN)


Hi

I use ssh in my LAN with authorized_keys in my .ssh so I don't have to enter passwords all the time.
But now I want to use ssh from outside the LAN. How do I do it in the most secure way?
I have to open a port in my router for it. Any port? Should I continue to use authorized_keys? What more?
Any help is welcome.
 
Old 10-06-2010, 12:30 AM   #2
Ramurd
Member
 
Registered: Mar 2009
Location: Rotterdam, the Netherlands
Distribution: Slackwarelinux
Posts: 555

Rep: Reputation: 75
Question back:

Do you mean to connect from the outside world to your lan?

In that case: presuming you have a firewall with all the ports closed, you will have to have port 22 (by default) opened. Given my own logs, opening this up directly will cause hackers to try to log in. My up-to-now working solution for this is a phenomenon called "port knocking": using the "recent" rule in iptables you connect first to a secret port number only you know (I call this port "a").

Set it up like this: port a-1: close port 22, port a: open port 22, port a+1: close port 22.

This prevents furtive portscanners from opening up port 22 :-)
What you do then is: telnet to port a, which opens up port 22 for your PC for a short while; then you ssh to your computer. For other people port 22 will still be closed.
If you're behind a NATted network, you will have port 22 open for the whole network (I think) for the duration set up by iptables (normally 1 minute). After closing port 22, any live connection will remain, but no new connections will be possible.

If needed, I can provide an example, but even better for you is to read up on iptables with the "recent" rules ;-) I will leave that as an exercise for you for now.

Then regarding passwords/secure keys:
Passwords are already fairly secure, but authorized keys are more secure, of course. For the latter, you must know who is going to connect, and they will need the public key of the user(s) that are to be allowed to log in remotely. Naturally, root must be prevented from logging in over ssh; for root commands to work, you had better set up sudo, or plainly use "su -" and ask for a password then.

This should give you a secure, working setup; I think routers normally automatically direct the traffic to your computer; if not, you will have to set up your router to forward the traffic to your computer.
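A concrete ruleset for the a-1 / a / a+1 knock sequence described in the post above, added here as an example rather than Ramurd's own rules. The knock port (12345) and the 60-second window are placeholders, and the script only prints the rules unless run with "apply".

```shell
#!/bin/sh
# Added example (not Ramurd's own rules): port knocking with the iptables
# "recent" module. A packet to port a-1 or a+1 drops the source address from
# the "knocked" list (closes 22), a packet to port a adds it (opens 22 for
# that source only), and port 22 accepts NEW connections only from listed
# sources seen within WINDOW seconds. Established sessions keep running after
# the window expires. The list is keyed on source IP, so as the post notes,
# every host behind the same NAT shares the open window.
IPT=/usr/sbin/iptables
KNOCK=12345    # port "a": placeholder, choose your own
SSH_PORT=22
WINDOW=60      # seconds port 22 stays open after a knock

# Print the ruleset; pipe into sh (or pass "apply") to load it.
knock_rules() {
    cat <<EOF
$IPT -A INPUT -p tcp --dport $((KNOCK - 1)) -m recent --name knocked --remove -j DROP
$IPT -A INPUT -p tcp --dport $((KNOCK + 1)) -m recent --name knocked --remove -j DROP
$IPT -A INPUT -p tcp --dport $KNOCK -m recent --name knocked --set -j DROP
$IPT -A INPUT -p tcp --dport $SSH_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --name knocked --rcheck --seconds $WINDOW -j ACCEPT
$IPT -A INPUT -p tcp --dport $SSH_PORT -j DROP
EOF
}

# Number of rules that consult the knock list: a-1, a+1, a and the check on 22.
knock_rule_count() {
    knock_rules | grep -c -- '-m recent'
}

if [ "${1:-}" = "apply" ]; then
    knock_rules | sh
else
    knock_rules
fi
```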
 
Old 10-06-2010, 02:04 AM   #3
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,298

Rep: Reputation: 722
If you are going to open your ssh server to the world, I would recommend running it on a non-standard port (I have mine running on an unassigned port, according to this list, and I haven't had a single attempted entry). You could follow Ramurd's advice if you insist on running it on the standard port 22, but it is easier to run on a non-standard port in my opinion (otherwise you would have to forward two ports to your computer, and though a good iptables firewall would reject any malicious attempts on your ssh server, you are still opening up your computer to increased attacks, regardless of whether or not they are successful). Then set up your router to forward connections from that port to your computer. I have my /etc/hosts.deny set to "ALL : ALL" and I just allow my local LAN to access services from my server, but to allow access to sshd from the outside world, regardless of the port you have set in /etc/ssh/sshd_config, the following in /etc/hosts.allow does nicely:
Code:
sshd : ALL : allow
Of course that only applies if you have a similar setup, in which you deny everyone and accept only those on a whitelist.

Definitely change "PermitRootLogin" to "no" in /etc/ssh/sshd_config, and if you have a good iptables firewall setup, be sure to add a rule allowing connections to your non-standard ssh port. I have the following:
Code:
$IPT -A tcp_inbound -p TCP --destination-port # -j ACCEPT
where # is the port number you have assigned to sshd (and $IPT is a variable pointing to /usr/sbin/iptables...).

Perhaps a bit elaborate but I find this setup allows access from anywhere while still being relatively secure. Perhaps if you run a professional server a non-standard port for ssh is not acceptable, but for home use this prevents 99% (or more) of the attacks on your server.

If you're paranoid you can also explicitly disable password logins and force the use of authorized keys. If you're really paranoid you can set up a more complex iptables firewall that blocks anyone who makes three unsuccessful ssh login attempts (or something similar).

Last edited by T3slider; 10-06-2010 at 02:06 AM.
 
Old 02-02-2011, 05:10 PM   #4
Laodiceans
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 188

Original Poster
Rep: Reputation: 18
These are my settings:

In /etc/ssh/sshd_config I changed this:

Code:
Port 22
Port 465
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
In hosts.allow
Code:
sshd: ALL
In hosts.deny
Code:
ALL:ALL
I still have DenyHosts installed but it seems not to block anything with these settings. Maybe it is not needed...
Are these good settings?

PS: I use ssh-keygen keys to access the server.
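A way to verify the sshd_config directives listed in the post above, added here as an example and not part of the thread. It reads the file the way sshd does (the first value found for a keyword wins, comments skipped), so a hardening line pasted below a stock "PasswordAuthentication yes" is caught; the two sample configs are constructed and written to temporary files.

```shell
#!/bin/sh
# Added example (not from the thread): check the sshd_config hardening
# discussed above. sshd uses the FIRST value it reads for each keyword, so
# a "PasswordAuthentication no" added below a default "yes" changes nothing;
# this check reads the file the same way and reports the effective value.
sshd_setting() {    # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and blanks
        tolower($1) == key { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Return 0 when every directive has the expected value, 1 otherwise.
check_sshd_config() {
    f=$1; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no Protocol=2; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_setting "$f" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', want $want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample configs: GOOD mirrors the settings posted above; BAD
# leaves the stock "PasswordAuthentication yes" above the hardened line,
# which sshd silently ignores.
GOOD=$(mktemp); BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
Port 22
Port 465
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
cat >"$BAD" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
Protocol 2
PermitRootLogin no
PasswordAuthentication no
EOF
check_sshd_config "$GOOD"
check_sshd_config "$BAD" || echo "second config is NOT hardened"
```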
 
Old 02-02-2011, 07:05 PM   #5
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,211

Rep: Reputation: 293
I would choose a much higher port. Certainly higher than 0-1024 which are the main service ports that will get scanned. I usually go for something 20000+
 