|
How to secure my router and pc for remote access via dyndns + ssh?
Hi
I have Debian Wheezy running as my desktop that I currently have remote access to by way of a dyndns script running on my (Mikrotik) router that's forwarding ports 22 and 5900-5905 to my pc. This is great as I have remote cli access to my pc via ssh from where I can turn on vnc4server if I like and then access desktop via vnc as I've forwarded ports 5900-5905 to my pc too. In addition the dyndns script on my router gives me remote access to my Mikrotik router. (Currently I'm en/disabling all port forwarding on router before/after each use for security) While this is all great; how secure is my pc and router and what steps can I take to secure both my router and pc without loosing the above remote access I currently have? Thanks |
Check your router docs and settings to see what ports are open from the internet and what ports are forwarded to other hosts. You can also use a tool like nmap from an internet host to scan your router IP address. Once you know what ports are exposed from the internet you can address each one.
As far as your SSH install goes, there are plenty of tutorials out there on securing it - I don't allow root logins or password authentication. I also limit the users with AllowUsers. To cut down on log entries, I also don't run the daemon on port 22. |
|
I agree with the former post about not running ssh on port 22. You can do so on your linux host, but run a forwarding rule on your router so that externally the ssh port is something in the private range - meaning that you're using a port in the 49152–65535 range externally, but mapped by the router to port 22 on your PC. That way you're unlikely to get port-scanned by people who have little to do and port-scan for open ssh ports on the net.
You need not open ports 5900-5905. You can tunnel these vis the same ssh session. Finally I would run fail2ban on the sshd, so that failed login attempts can be logged/banned. You can whitelist your usual IP addresses you acess externally. This makes access to your PC pretty secure. BUT remember, a really lame login/passwd combination kills everything mentioned above. Regards. |
if your router can map different ports (external/internal) then that is a fast easy way to cut down on script kiddies trying to hack port 22.
example on the router set the external port of 222222 and map it to internal 22, use what ever number scheme you want for the external, then you are set a bit safer. also make sure that root is NOT able to ssh in directly to your linux box. this forces crackers to crack one more p/w before they own your system, that is if they can guess the port you are forwarding for ssh. i do this with multiple external ports mapped to different computers on my LAN all to port 22. made up example of this: external port 1234 mapped to 22 on computer 1. external port 5678 mapped to 22 on computer 2. etc... this allows you to directly ssh into the computer without having to ssh into computer 1, then from computer 1 over to computer 2, or 3, or etc... just a nice little shortcut if your router can handle this type of basic routing. |
Quote:
|
| All times are GMT -5. The time now is 02:44 PM. |