LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-09-2014, 11:49 AM   #1
fritzxy
LQ Newbie
 
Registered: Jul 2014
Posts: 6

Rep: Reputation: Disabled
Advise on secure remote ssh accessible 24/7 server in home network


I am considering setting up a Raspberry Pi or similar energy-efficient device to serve as a small ssh server that can be accessed over the internet.
The idea is that my NAS, desktop and laptop can be turned off when I am not at home or when they are not required to operate. When I do need to access files or services on my private LAN from the outside I can easily ssh into the Raspberry Pi. It should be possible to send wake-on-LAN packets from the shell on the Raspberry Pi to the machine that needs to be powered on. Then I could use the Raspberry Pi as a hop to access the freshly powered-on machine.

This idea is born out of the desire to reduce my electricity bill and improve my network security, as offline machines are less prone to be attacked.
I do however like to have the ability to log in to my private network when needed. That is where the Raspberry Pi comes in. This could run 24/7 without wasting electricity.

Now I would like some advice. What would be the best approach to realize this idea?

All ports are closed on my current private network. From the outside it appears to be stealth.

Scenario 1:
  • Place the Raspberry Pi behind the router
  • Set up SSH
  • Forward port 22 to the Raspberry Pi

I create a hole in my firewall by forwarding port 22 to the Raspberry Pi. Judging by my logs, there are a lot of scans and ssh attacks on our network. I could use fail2ban, but I do not know if that is enough.

Scenario 2:
  • Place the Raspberry Pi behind the router
  • Set up SSH
  • Forward a non-standard SSH port to the Raspberry Pi

Some of the attacks can maybe be tricked by using a different port than the standard port 22. The hole in the firewall however remains, only on a different port.
It is possible to disable password logins and use certificates instead. This should decrease the risk even more, if I understood correctly?

Scenario 3:
  • Place the Raspberry Pi behind the router
  • Set up SSH
  • Forward a port to the Raspberry Pi
  • Disable password logins and use certificates instead

There is however also an alternative that keeps my home network stealth to the outside world.
By using a reverse SSH tunnel to an outside host I can keep all the ports on my local network closed. I can access the Raspberry Pi on my private network by SSH-ing to the remote host, which redirects me back to the Raspberry Pi in my home network.

Scenario 4:
  • Place the Raspberry Pi behind the router
  • Set up SSH
  • Use reverse SSH tunneling with an external shell host

What would be the best approach? Scenario 4 is the only scenario that does not require me to open a port on my home network. The problem however is redirected to the external host, so I am not sure whether it really is an improvement in security.

All suggestions are appreciated!

Last edited by fritzxy; 07-09-2014 at 02:22 PM.
 
Old 07-09-2014, 12:12 PM   #2
kentyler
Member
 
Registered: Dec 2008
Location: Newark Ohio
Distribution: Fedora Core
Posts: 270

Rep: Reputation: 38
The concept of a secure network requires 2 network devices to provide physical separation. So I'd suggest that having an open port above 4000 on the firewall that forwards ssh packets to the Raspberry Pi, which is behind the router, would be the most secure; from there you can tunnel to other devices. For this to be secure the router must not allow any external connections to its configuration GUI or command line.
 
Old 07-09-2014, 02:36 PM   #3
fritzxy
LQ Newbie
 
Registered: Jul 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Remote access to my router has been disabled. It can only be configured from the local network.

So what you are saying is that I should go with scenario 3?
Open up a port in the router and forward it to the Raspberry Pi.

Why is this option better than scenario 4 with the reverse SSH tunneling? In this scenario there is no need for opening ports on my firewall.
Scenario 4 is quite similar to the setup in the attached illustration, where the 'Office PC' would be my Raspberry Pi and the 'Home PC' would be my laptop on a foreign network trying to connect to my home network over the internet.
  • Raspberry Pi on the local network behind a firewall.
  • The Raspberry Pi creates a reverse ssh-tunnel to an external host on the internet.
  • Because there are no open ports in my firewall it is impossible to connect to the Raspberry Pi directly (or any other device on my home network, for that matter).
  • The Raspberry Pi is accessible by connecting to the remote host on the internet, which redirects me through the reverse tunnel to the Raspberry Pi behind my firewall (no open ports in the firewall, but piggybacking on the tunnel initiated by the Raspberry Pi itself).
I thought this would be a good idea, but you recommend sticking to scenario 4 and opening up a port in the firewall above 4000 and forwarding this to allow direct access to the Raspberry Pi.
Could you please explain why this is a better solution? Thank you in advance!
Attached image: reverese-ssh3.png (15.0 KB)

Last edited by fritzxy; 07-09-2014 at 02:40 PM.
 
Old 07-09-2014, 02:53 PM   #4
kentyler
Member
 
Registered: Dec 2008
Location: Newark Ohio
Distribution: Fedora Core
Posts: 270

Rep: Reputation: 38
An open ssh tunnel connected to a host on the internet is not so secure: this host could be exploited locally or remotely and allow anyone back down the pipe to your network. The chance of someone hacking into port 4000 or a random port above 4000 with an ssh exploit is only likely if you are a bank or have a network that has something they really want bad. Unlikely.

99.9% of the exploits out there are automated and focused on specific versions of a daemon listening on the specific port it's intended to listen on, or on software said daemon provides, e.g. Apache + WordPress.
 
Old 07-09-2014, 05:48 PM   #5
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 814

Rep: Reputation: 265Reputation: 265Reputation: 265
I would suggest setup 3 (on a port above 4000). It's fairly easy to set up. Just make sure to disable password login once your keyfiles are set up. Also, you should probably disable root login. If you need root access, then SSH in as a normal user and run "sudo su" and you're at your root prompt.
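An added example, not part of any post in this thread: a small POSIX shell audit of an sshd_config for the settings that scenario 3 (post #1) and the advice in post #5 call for (non-standard port, no password logins, no root login). The two config files it inspects are constructed samples, and the OpenSSH defaults it assumes for absent directives are stated in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the settings
# the thread converges on. The two config files below are constructed samples.

WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

cat > "$WEAK" <<'EOF'
# constructed sample: a stock-looking sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARD" <<'EOF'
# constructed sample: scenario 3 as hardened in posts #1 and #5
Port 4022
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
EOF

# Effective value of a directive. sshd honours the first occurrence of a keyword,
# so stop at the first match; skip comments and anything under a Match block.
# $1 = config file, $2 = directive (case-insensitive), $3 = value to report when absent
sshd_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    found=$(awk -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1")
    if [ -n "$found" ]; then printf '%s\n' "$found"; else printf '%s\n' "$3"; fi
}

# Report weak settings on stderr and print the number of findings on stdout.
# Absent directives are judged by the fallback value: PasswordAuthentication and
# PubkeyAuthentication default to yes and PermitEmptyPasswords to no in OpenSSH,
# while PermitRootLogin is reported as "unset" so that only an explicit "no" passes.
sshd_audit() {
    cfg="$1"; fails=0
    port=$(sshd_get "$cfg" Port 22)
    pw=$(sshd_get "$cfg" PasswordAuthentication yes)
    root=$(sshd_get "$cfg" PermitRootLogin unset)
    pubkey=$(sshd_get "$cfg" PubkeyAuthentication yes)
    empty=$(sshd_get "$cfg" PermitEmptyPasswords no)
    [ "$port" != "22" ]   || { echo "FAIL: Port 22 (posts #2 and #5 suggest a port above 4000)" >&2; fails=$((fails+1)); }
    [ "$pw" = "no" ]      || { echo "FAIL: PasswordAuthentication $pw (disable once keys work)" >&2; fails=$((fails+1)); }
    [ "$root" = "no" ]    || { echo "FAIL: PermitRootLogin $root (log in as a user, then sudo)" >&2; fails=$((fails+1)); }
    [ "$pubkey" = "yes" ] || { echo "FAIL: PubkeyAuthentication $pubkey" >&2; fails=$((fails+1)); }
    [ "$empty" = "no" ]   || { echo "FAIL: PermitEmptyPasswords $empty" >&2; fails=$((fails+1)); }
    echo "$fails"
}

echo "weak config:     $(sshd_audit "$WEAK") finding(s)"
echo "hardened config: $(sshd_audit "$HARD") finding(s)"
```

Run it against /etc/ssh/sshd_config by pointing `sshd_audit` at that path instead of the sample; `sshd -T` prints the effective configuration if Match blocks or includes make the file itself hard to read.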
 
Old 08-02-2014, 12:41 PM   #6
mboelen
LQ Newbie
 
Registered: Nov 2013
Location: The Netherlands
Distribution: Several ones for testing purposes
Posts: 15

Rep: Reputation: Disabled
Or use port knocking? Open up the port dynamically for those who know the sequence.
 
Old 08-10-2014, 06:50 PM   #7
fritzxy
LQ Newbie
 
Registered: Jul 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Port knocking does not work in my case, because my home network is attached to a small home router that does not support port knocking.

I use keyfiles to connect to the ssh-server on an alternative port. Password logins have been disabled.
Would fail2ban or a similar tool improve the security in this case?
 
Old 08-10-2014, 08:48 PM   #8
mboelen
LQ Newbie
 
Registered: Nov 2013
Location: The Netherlands
Distribution: Several ones for testing purposes
Posts: 15

Rep: Reputation: Disabled
You could define a few random ports, forward them to the related server and it would be possible. No need for built-in support.

Yes, these kinds of tools help in blocking evildoers trying to brute force, and stop them while doing so.
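An added example, not mboelen's or fritzxy's code: the per-source counting behind the brute-force blocking discussed in posts #7 and #8, run over constructed sshd log lines in the OpenSSH 6.x format of the time. The hostnames, PIDs and addresses are made up (the addresses come from the RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example (not from the thread): the per-source counting that a fail2ban
# sshd jail performs, run over constructed log lines in OpenSSH 6.x format.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Aug 10 18:01:02 pi sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 10 18:01:05 pi sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Aug 10 18:01:09 pi sshd[2105]: Connection closed by 203.0.113.5 [preauth]
Aug 10 18:01:11 pi sshd[2107]: Connection closed by 203.0.113.5 [preauth]
Aug 10 18:01:40 pi sshd[2110]: Invalid user test from 198.51.100.23
Aug 10 18:02:15 pi sshd[2112]: Accepted publickey for pi from 192.0.2.77 port 50022 ssh2
Aug 10 18:03:00 pi sshd[2115]: Connection closed by 192.0.2.77 [preauth]
EOF

# Print "ip count" for every source with at least $2 pre-auth failures in $1.
# Counted events: a rejected password, an unknown user name, and a connection
# dropped before authentication (one of the lines a key-only server emits when
# a client gives up without a usable key). "Accepted publickey" is never counted.
ssh_offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: / && (/Failed password for/ || /Invalid user/ || /Connection closed by .*\[preauth\]/) {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = $i
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' "$1" | sort
}

# With password logins disabled the guesses still cost CPU and log space; a
# threshold of 3 mirrors a typical fail2ban maxretry setting.
echo "sources at or over 3 failures:"
ssh_offenders "$LOG" 3
```

A single closed connection from one's own address (192.0.2.77 above) stays under the threshold, which is the reason fail2ban counts per source over a window rather than blocking on the first failure.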
 
  



All times are GMT -5. The time now is 01:16 PM.
