05-06-2006, 04:17 PM
#1
Member
Registered: Oct 2005
Location: Massachusetts
Distribution: Suse 10.0 /XP/ FC5 & 6
Posts: 93
Friendly machines only: sshd keys question
I'm trying to make my home network secure enough while still allowing me to log on from the outside, using ssh. This is not a large network, just two PCs at home and a laptop I'm using for travel. (I occasionally need to use software that is only licensed for one PC, which is at home; that's why.)
I would like to know how to set it up so that only my laptop can log on and no other machine, e.g., by communicating a key, or in general so that only a computer whose key is known a priori by my home PC can log in.
I know that these methods exist but don't understand how to set them up properly and securely (I actually tried this a long time ago and failed).
Here is what I have done thus far:
One of the home PCs runs Suse 10 Linux. On the Linksys router I set up a forward of port 22 to this machine, and that's the only channel that is open.
I tested this by logging in from a cafe (wireless) using my laptop (Fedora Core 5). And indeed I could log on with ssh (of course I needed to find out my IP address beforehand, which usually stays the same).
After returning home, I found that a few minutes after I had succeeded in logging in there had been a series of attempted logins from some location, probably in China, e.g.:
May 6 10:02:14 xxdeletehostdxx sshd[8960]: Invalid user feng from 218.25.62.92
There were about 100 lines like that in short order in /var/log/messages with all kinds of names, e.g., dvd, fax, and proper names.
Following some reading here and elsewhere I put the restricting statements
AllowGroups users
AllowUsers (my uid only)
in my sshd_config file. There has got to be more security possible if I make sure that only recognized machines can log on: but if I am on an unsecured public network somewhere, how can my laptop properly communicate to the home PC that it is the proper machine? How can it transmit the info securely: "It's me, and I'm not the big bad wolf, and I can prove it:" followed by 1024 encrypted numbers?
Among the many tutorials and articles available I haven't found a single one that really really helped: it's either oversimplifying or overburdening. The more detailed tutorials are often too complicated and assume that it is about securing the network of a large organization.
I would be very happy if someone could point out some good links here.
Thanks to all,
R.
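The "Invalid user ... from ..." lines quoted in the post above are the raw material for the kind of log monitoring discussed later in this thread. The following is an added example (not from the original poster or any reply) that summarises such lines per source address so the noisy scanners stand out; the sample log lines are constructed, with addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, and the hostname "home" and user "rolf" are placeholders.

```shell
#!/bin/sh
# Added example: count sshd "Invalid user" attempts per source address.
# SAMPLE_LOG is constructed to resemble /var/log/messages; it is not
# taken from the thread.

SAMPLE_LOG='May  6 10:02:14 home sshd[8960]: Invalid user feng from 192.0.2.10
May  6 10:02:15 home sshd[8961]: Invalid user dvd from 192.0.2.10
May  6 10:02:16 home sshd[8962]: Invalid user fax from 192.0.2.10
May  6 10:02:20 home sshd[8963]: Invalid user admin from 192.0.2.77
May  6 10:03:01 home sshd[8970]: Accepted publickey for rolf from 198.51.100.5 port 51234 ssh2
May  6 10:05:44 home sshd[8980]: Invalid user test from 192.0.2.10 port 40112'

# count_invalid_users: read log lines on stdin, print "<count> <ip>" per
# source address, most active first. The address is the field after "from",
# which also copes with newer sshd lines that append "port N".
count_invalid_users() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
             for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
             n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# noisy_sources THRESHOLD: addresses with more than THRESHOLD attempts
# (default 3), i.e. candidates for a firewall drop rule.
noisy_sources() {
    threshold="${1:-3}"
    count_invalid_users | awk -v t="$threshold" '$1 > t { print $2 }'
}

# Demo on the constructed sample when run as: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_invalid_users
    printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
fi
```

On a real machine, feed the functions with something like `grep sshd /var/log/messages | count_invalid_users`; successful "Accepted publickey" lines are ignored, so only failed guesses are counted.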
05-06-2006, 05:33 PM
#2
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
The best description of how to do public key authentication is here in the LQ Tutorials section. If you switch to key only authentication, and only set up the keys on your laptop, then that would be the only machine that could access the ssh server.
Quote:
After returning home, I found that a few minutes after I had succeeded to login there had been a series of attempted logins from some location probably in China, e.g.:
You can either ignore those (particularly if you disable username/password authentication) or have sshd listen on some port other than 22, which will reduce their frequency. There are also programs out there like sshblack that will monitor your logs and then modify your firewall to drop these script kiddies. If you check out the Failed SSH Login sticky at the top of the forum, there is all sorts of info on things you can do.
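The reply above recommends key-only authentication, keys set up on the laptop alone, and optionally a port other than 22. As an added example (not part of the reply or the LQ tutorial it links to), here is a small check that reads an sshd_config and reports which of those settings are still in their weak state; the two config snippets are constructed, the user name "laptopuser" and the port 2222 are placeholders, and Match blocks are ignored for simplicity.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in the thread.
# WEAK_CONFIG and HARDENED_CONFIG are constructed for the demo.

WEAK_CONFIG='Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes'

HARDENED_CONFIG='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers laptopuser'

# sshd_option FILE KEYWORD: the effective value of KEYWORD. Like sshd, the
# first occurrence wins; commented lines ("#Port 22") never match.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one line per weakness; print nothing if clean.
# Missing keywords are judged by sshd's defaults (passwords on, port 22).
audit_sshd_config() {
    f="$1"
    [ "$(sshd_option "$f" PasswordAuthentication)" = "no" ] ||
        echo "PasswordAuthentication is not 'no': guessed passwords still work"
    [ "$(sshd_option "$f" ChallengeResponseAuthentication)" = "no" ] ||
        echo "ChallengeResponseAuthentication is not 'no': keyboard-interactive password prompts still work"
    [ "$(sshd_option "$f" PubkeyAuthentication)" != "no" ] ||
        echo "PubkeyAuthentication is 'no': key login is disabled"
    [ "$(sshd_option "$f" PermitRootLogin)" = "no" ] ||
        echo "PermitRootLogin is not 'no'"
    [ -n "$(sshd_option "$f" AllowUsers)" ] ||
        echo "no AllowUsers line: any local account may log in"
    port="$(sshd_option "$f" Port)"
    [ -n "$port" ] && [ "$port" != "22" ] ||
        echo "Port 22 (or unset): expect more scanner noise in the logs"
}

# audit_count FILE: number of findings, handy as a pass/fail value in scripts.
audit_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Demo: sh thisfile.sh --demo /etc/ssh/sshd_config
if [ "${1:-}" = "--demo" ]; then
    audit_sshd_config "${2:-/etc/ssh/sshd_config}"
fi
```

Run it against the live file before restarting sshd, and keep an existing session open while testing: with PasswordAuthentication off, a missing or wrong authorized_keys entry locks you out, which is the mistake the original poster later describes when ssh_config and sshd_config got mixed up.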
05-09-2006, 07:16 PM
#3
Member
Registered: Nov 2001
Location: London, UK
Distribution: Fedora
Posts: 161
I agree with the above and can tell you that it works well.
If you have a dynamic IP address then you might consider using one of the free dynamic DNS services around such as DynDNS.org to give you a fixed domain name. Very useful when the home DSL re-negotiates while on the road.
05-11-2006, 11:18 PM
#4
Member
Registered: Oct 2005
Location: Massachusetts
Distribution: Suse 10.0 /XP/ FC5 & 6
Posts: 93
Original Poster
Thanks a lot for the info. The whole setup was much easier than I expected and it seems to work all right (a good warning may be in order that one should never, never mix up ssh_config and sshd_config: I got them crossed and nothing worked for quite a while. Glad I made updates...)
My only remaining problem now is to put something similar together for windoze, since I occasionally have the same linux box running XP for other work. It would actually be cool if I could shut it down remotely and boot either linux or windows.
05-12-2006, 07:28 AM
#5
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
You might do some googling and see if there are any native Windows ssh servers, otherwise you might try loading Cygwin, which does have an ssh server.
As for the booting into either Windows or Linux, that could be a problem. Off the top of my head, I would think that you would need two configuration files for GRUB or LILO, one with XP as the default and one with Linux as the default. Personally, I've never come across a boot loader that lets you pick the OS in advance of the reboot, but that may be more a reflection of my ignorance than reality.
05-12-2006, 11:44 AM
#6
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by Hangdog42
I've never come across a boot loader that lets you pick the OS in advance of the reboot, but that may be more a reflection of my ignorance than reality.
lilo lets you do it... i would expect grub too, but i don't use grub so i'm not sure...
from "man lilo":
Quote:
-R command line
This option sets the default command for the boot loader the next time it executes. The boot loader will then erase this line: this is a once-only command. It is typically used in reboot scripts, just before calling `shutdown -r'. Used without any arguments, it will cancel a lock-ed or fallback command line.
Last edited by win32sux; 05-12-2006 at 11:45 AM.
05-12-2006, 12:21 PM
#7
Member
Registered: Sep 2005
Location: Old Blighty
Distribution: Slackware, NetBSD
Posts: 536
Is there a version of lilo for windows? Obviously you'd want to be able to select which to boot from either OS.
With grub, you can set the default os to boot with the 'default' option. The argument is just the number of the os to boot, counting from zero. While I don't know of an option similar to lilo's -R, you could use perl to do in-place replacement to toggle the default.
Of course, in order to access the menu.lst from Windows, you'd have to put /boot on a fat fs and obviously you'd need to install perl on Windows. If you don't have a separate /boot partition and no free disk space, you'd need to resize a partition. If /boot is on a separate partition, then there's no problem.
For example, assuming Linux is listed first in menu.lst and windows is second (adjust if you have e.g. more than 1 kernel).
boot-windows:
Code:
#!/bin/sh
# rewrite the "default N" line of menu.lst in place so that entry 1 (Windows) boots next
perl -i -wpe 's/^(default)\s+\d$/$1 1/' /boot/grub/menu.lst
and a similar "boot-linux" batch file on Windows, substituting 0 for 1 (and adjust whatever the path to the menu.lst would be).
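The one-liner in the reply above hard-codes the entry number and silently does nothing if the regex does not match. As an added example (my own, not ioerror's script), here is a slightly more general version that reads the current default, rewrites it to any requested entry, and refuses an index that has no matching "title" stanza, which avoids leaving GRUB pointing at a non-existent entry. The menu.lst below is constructed for the demo; it is not the poster's file.

```shell
#!/bin/sh
# Added example: select the next GRUB legacy boot entry by editing menu.lst.
# SAMPLE_MENU is a constructed menu.lst with Linux first (0) and Windows second (1).

SAMPLE_MENU='timeout 5
default 0

title Linux
root (hd0,1)
kernel /vmlinuz root=/dev/hda2

title Windows XP
rootnoverify (hd0,0)
chainloader +1'

# grub_entry_count FILE: number of "title" stanzas, i.e. valid indexes are 0..count-1.
grub_entry_count() {
    grep -c '^title' "$1"
}

# grub_get_default FILE: value of the "default" line; GRUB treats a missing line as 0.
grub_get_default() {
    awk '$1 == "default" { print $2; found = 1; exit } END { if (!found) print 0 }' "$1"
}

# grub_title_of FILE INDEX: the title text of entry INDEX, for confirming a choice.
grub_title_of() {
    awk -v idx="$2" '$1 == "title" { if (i++ == idx) { sub(/^title[ \t]+/, ""); print; exit } }' "$1"
}

# grub_set_default FILE INDEX: rewrite the "default" line via a temp file and rename,
# so a crash mid-write cannot leave a truncated menu.lst.
# Returns 1 and leaves the file untouched if INDEX is not a valid entry number.
grub_set_default() {
    file="$1"; idx="$2"
    case "$idx" in
        ''|*[!0-9]*) echo "index must be a non-negative number" >&2; return 1 ;;
    esac
    n=$(grub_entry_count "$file")
    if [ "$idx" -ge "$n" ]; then
        echo "index $idx out of range: menu.lst has only $n entries" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    awk -v idx="$idx" '$1 == "default" { print "default " idx; next } { print }' "$file" > "$tmp" &&
        mv "$tmp" "$file"
}

# Demo: sh thisfile.sh --demo 1 /boot/grub/menu.lst
if [ "${1:-}" = "--demo" ]; then
    grub_set_default "${3:-/boot/grub/menu.lst}" "${2:-0}" &&
        echo "next boot: $(grub_title_of "${3:-/boot/grub/menu.lst}" "${2:-0}")"
fi
```

Chained as `grub_set_default /boot/grub/menu.lst 1 && shutdown -r now`, this gives the GRUB equivalent of lilo's `-R` quoted in post #6, with the difference that the change is permanent until the line is rewritten again, so the boot-linux counterpart should set it back to 0.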
05-12-2006, 02:17 PM
#8
Member
Registered: Oct 2005
Location: Massachusetts
Distribution: Suse 10.0 /XP/ FC5 & 6
Posts: 93
Original Poster
Thanks ioerror, I think the only remaining problem is to find out how to reboot windows remotely, assuming that I can solve the problem of securely logging in to XP from outside. It does not matter that it would by default boot linux. Then under linux I should be able to use your method to choose either linux or windows for the next boot.
If I reboot, the machine would of course shut me out and go down. It would then by default go to linux, and I could log on again a few minutes later. Under Suse 10.0, which I have on that system, it is possible to reboot with a parameter that forces it to go to the non-default. I'll have to figure out how it's done, but it's got to be possible: if one clicks reboot from the console, it will simply reboot and one has to choose later which operating system. But if I keep the mouse button pressed down for a while instead of releasing it immediately, a menu comes up that allows one to choose which OS should be booted up. So I need to figure out how to do this from the command line.
05-13-2006, 10:51 PM
#9
Senior Member
Registered: Sep 2003
Posts: 3,171
Quote:
Originally Posted by rewtedesco
My only remaining problem is now to put something similar together for windoze,
since I have occasionally the same linux box running on XP for other work.
would actually be cool if I could from remote shut it down and boot either linux or
windows.
Install cygwin on the windows machine. Then install/configure the sshd in cygwin. You can make sshd a service in Windows which lets you start/stop it the standard windows way.
I have a commercial server for my ASP that runs Win2K. I have Cygwin installed on it and my ASP app has a command mode that I can invoke to remotely start/stop sshd, proftpd, and VNC. I fully maintain the server remotely, and I can also remotely restart it (being windows, I have to do that every now and then).
You could do what you want to do with remote restart, presuming you use grub as your bootloader and you are willing to edit the menu.lst file that grub uses to change the default boot before restarting, in order to specify which OS to come up in.