LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-20-2005, 01:27 PM   #1
Optimistic
Member
 
Registered: Jun 2004
Location: Germany
Distribution: Debian (testing)
Posts: 276

Rep: Reputation: 33
Is Allowing SSH Safe?


Hello All,

I like to have the option to grab files off my desktop (Debian Sarge) when I'm away with my Laptop (Slack 10) so I forwarded port 22 to my IP address with my router and allowed SSH connections with my firewall (firestarter). Is this safe? Is there anything that I should make sure that I do in order to make it as safe as possible? I do grab the latest updates every week or so with apt-get and swaret. My passwords are long and complicated.

If this isn't safe, is there a way to do what I want in a safe way?
 
Old 03-20-2005, 01:37 PM   #2
cylix
Member
 
Registered: Dec 2004
Location: Ohio
Distribution: Fedora Core 3
Posts: 125

Rep: Reputation: 15
It's not unheard of to have exploits in sshd.

Now, don't get me wrong, I truly do believe openssh is a solid piece of software, but it really depends on how much security you want.

It's probably safe enough for home use, but it's really all about tastes.

If you want to take an additional step, I would recommend using hosts.allow/deny to limit which IP addresses or subnets can connect to your server.

Of course, if you really want to go overboard you can implement port knocking, but that's probably a bit too much.

I would say limiting connections by IP would probably be just enough for home use.
 
Old 03-20-2005, 01:39 PM   #3
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
SSH is the safest file transfer protocol. There are a couple of easy things that you should do to make it absolutely secure:

1) Disallow root logins (since that account will be targeted). To do this set a line in /etc/ssh/sshd_config:

PermitRootLogin no

2) Don't allow SSH v.1 connections, only v. 2. The line is:

Protocol 2

3) Use keys rather than passwords: a keyfile includes several hundred characters....
 
Old 03-20-2005, 01:40 PM   #4
JediGuy_bob
LQ Newbie
 
Registered: Apr 2004
Location: Albuquerque/Chicago
Posts: 22

Rep: Reputation: 15
I would say that it is safe. With good firewall protection and limited ssh connections you should be fine. Subscribe to the debian-security mailing list or a similar one for ssh to make sure that openssh vulnerabilities don't become a problem.

I would worry too much about getting the latest ssh client with apt-get every week but I'd be more concerned with getting new security updates every time a new update is issued.
 
Old 03-20-2005, 01:43 PM   #5
Optimistic
Member
 
Registered: Jun 2004
Location: Germany
Distribution: Debian (testing)
Posts: 276

Original Poster
Rep: Reputation: 33
Wow, thanks for the quick tips!

I set the Allowroot setting to no in sshd_config--isn't that a bit odd that the default is yes?

Thanks again everyone.
 
Old 03-20-2005, 03:29 PM   #6
soulstace
Member
 
Registered: Mar 2005
Location: USA
Distribution: Knoppix
Posts: 64

Rep: Reputation: 15
Quote:
Originally posted by Optimistic
I set the Allowroot setting to no in sshd_config--isn't that a bit odd that the default is yes?
I'd say so.

But isn't it still possible to gain root access even though you have the Allowroot setting set to NO? I read somewhere that once you're in and have a bash prompt, just do a su to get root privileges?
 
Old 03-20-2005, 03:36 PM   #7
ahh
Member
 
Registered: May 2004
Location: UK
Distribution: Gentoo
Posts: 293

Rep: Reputation: 31
You would need the root password to su, and hopefully it would be a good one.

It is also possible to disable su.
 
Old 03-21-2005, 04:03 AM   #8
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
To clarify the root login thing -

Automated attacks will try to connect to your SSH service with a username that is known to exist on all UNIX systems (root) and try various passwords. The option to stop root logins means that any attempt to log in with SSH using the username "root" will automatically fail. You then log in with your unique personal account and use "su" or "sudo" for getting root power as you need it.

Using keys and disabling authentication with passwords stops anything that tries to get in by guessing passwords. Easy to set up and it's really cool not to have to type a password every time.

Since you don't know which networks your laptop will be on when you travel, you can't restrict SSH connections to specific IP addresses only, which is a common defence.
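
Added example, not part of any poster's message: a POSIX shell check of an sshd_config against the settings recommended in this thread (no root login, protocol 2 only, keys instead of passwords). The function names and the sample config are constructed for illustration; the targets are the thread's advice, and an unset keyword is reported because the built-in default varies between sshd versions.

```shell
#!/bin/sh
# Added example: check the global section of an sshd_config for the settings
# recommended in this thread. sshd keeps the FIRST value it reads for a
# keyword, and keywords are case-insensitive, so the parser does the same.

# effective_value FILE KEYWORD -> first value set for KEYWORD, or "unset"
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        { gsub(/=/, " ") }                      # accept "Keyword=value" too
        tolower($1) == "match" { exit }         # stop before conditional blocks
        tolower($1) == want { val = $2; exit }  # first occurrence wins
        END { print val }
    ' "$1"
}

# audit_sshd_config FILE -> one line per setting; returns 1 if any needs review
audit_sshd_config() {
    status=0
    for rule in "PermitRootLogin no" "Protocol 2" "PasswordAuthentication no"; do
        key=${rule% *}
        want=${rule#* }
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            # "unset" is reported too: the default depends on the sshd version
            echo "CHECK $key is '$got', thread advice is '$want'"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample config (not from the thread): a later "no" does not
# override the earlier "yes", and a commented-out line sets nothing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
permitrootlogin yes
PermitRootLogin no
Protocol 2
#PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "Review the CHECK lines before exposing port 22."
rm -f "$sample"
```

Point it at the real file with `audit_sshd_config /etc/ssh/sshd_config`; only set PasswordAuthentication to no after a key login has been confirmed to work.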
 
Old 03-21-2005, 07:46 AM   #9
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Some other options to experiment with are setting a VPN or using one of those "port knocking" utilities.
 
Old 03-21-2005, 11:39 AM   #10
Optimistic
Member
 
Registered: Jun 2004
Location: Germany
Distribution: Debian (testing)
Posts: 276

Original Poster
Rep: Reputation: 33
Good points hob.

I will look into setting up the keys. I've just started to experiment with Networking--I figured I would do it with my Linux boxes first (since I know that better) and then try to talk to my roommate's WinXP computer with Samba.
 
Old 03-21-2005, 01:58 PM   #11
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

Rep: Reputation: 46
Short of a VPN appliance between the box and outside world, SSH is probably the most secure way to connect.
 
  


All times are GMT -5.