Linux - Security (LinuxQuestions.org forum). This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 02-16-2006, 01:16 PM | Senior Member (Registered: May 2004; Location: Orlando, FL; Distribution: Arch; Posts: 2,905)
Question About SSH
I use SSH from my work machine (FC3) to tunnel into my home server (Debian) and I was wondering if that is safe or if anyone from work can hack my work machine and see my files on my home PC (Debian)? I have lots of personal data and some directories have the usual not safe for work videos. Is SSH secure, or are my worries a valid concern?
#2 | 02-16-2006, 01:59 PM | Member (Registered: Sep 2003; Location: UK; Distribution: I use 'em all ;-); Posts: 275)
Providing that your passwords are secure, it should be fine.
A more secure way is to use public/private key access for SSH.
#3 | 02-16-2006, 02:28 PM | LQ Guru (Registered: Nov 2004; Location: San Jose, CA; Distribution: Debian, Arch; Posts: 8,507)
It is called Secure Shell. With strong passwords, you should be fine.
#4 | 02-16-2006, 05:44 PM | Member (Registered: Jul 2003; Distribution: OpenSuse 10, Debian; Posts: 152)
Personally I use ssh and believe it to be safe. One thing I would suggest (which you might already be doing) is to make sure you have a separate dedicated machine running as a firewall (or at the very least a "software" firewall). You can then limit access to a certain MAC address, IP, or whatever. It could still be spoofed but would require more work and knowledge. Just another layer on top of a good random passphrase.
Also, always check the logs.
Zackarya
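The "always check the logs" advice above, as an added example that is not part of the original thread: a small Python script that reads sshd lines in the classic /var/log/auth.log format and flags the two things worth reacting to, a source that is guessing passwords (the user/pass "challengers" discussed later in the thread) and an accepted password login from a source that also produced failures. The log lines, hostname, addresses and usernames are constructed for the example, and the five-failure cut-off is an assumption, not an sshd setting.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in the classic /var/log/auth.log format (hostname,
# addresses and users are made up; they are not from the thread).
SAMPLE_AUTH_LOG = """\
Feb 16 13:16:01 homebox sshd[2201]: Accepted publickey for alice from 203.0.113.7 port 51022 ssh2
Feb 16 13:17:44 homebox sshd[2210]: Failed password for root from 198.51.100.23 port 40001 ssh2
Feb 16 13:17:46 homebox sshd[2211]: Failed password for root from 198.51.100.23 port 40002 ssh2
Feb 16 13:17:49 homebox sshd[2212]: Invalid user postgres from 198.51.100.23
Feb 16 13:17:49 homebox sshd[2212]: Failed password for invalid user postgres from 198.51.100.23 port 40003 ssh2
Feb 16 13:18:02 homebox sshd[2215]: Failed password for invalid user admin from 198.51.100.23 port 40004 ssh2
Feb 16 13:18:10 homebox sshd[2216]: Failed password for invalid user oracle from 198.51.100.23 port 40005 ssh2
Feb 16 13:20:30 homebox sshd[2230]: Failed password for alice from 203.0.113.7 port 51030 ssh2
Feb 16 13:20:35 homebox sshd[2231]: Accepted password for alice from 203.0.113.7 port 51031 ssh2
"""

# "Failed password for [invalid user] <user> from <ip>" and
# "Accepted <method> for <user> from <ip>" are the two sshd messages we key on.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_auth_log(log_text):
    """Return (failures, accepted): failures maps source IP -> list of usernames
    that failed from it; accepted is a list of (user, method, ip) tuples."""
    failures = defaultdict(list)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group("user"), m.group("method"), m.group("ip")))
    return failures, accepted


def brute_force_sources(failures, threshold=5):
    """Sources with at least `threshold` failures (assumed cut-off) or any
    attempt against root, which a legitimate user of this box never makes."""
    return sorted(ip for ip, users in failures.items()
                  if len(users) >= threshold or "root" in users)


def password_logins_after_failures(failures, accepted):
    """Accepted *password* logins from a source that also failed: one mistyped
    password is normal, a success at the end of a guessing run is not."""
    return [(user, ip) for user, method, ip in accepted
            if method == "password" and ip in failures]


if __name__ == "__main__":
    failures, accepted = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip in brute_force_sources(failures):
        tried = sorted(set(failures[ip]))
        print(f"guessing from {ip}: {len(failures[ip])} failures, users tried {tried}")
    for user, ip in password_logins_after_failures(failures, accepted):
        print(f"check: password login for {user} from {ip} after earlier failures")
```

On a real server, pipe in `grep sshd /var/log/auth.log` (Debian) or `/var/log/secure` (Red Hat family) instead of the constructed sample. Once password authentication is disabled, as later posts recommend, the "Failed password" lines stop being an exposure and become pure reconnaissance data: they tell you who is knocking, not who might get in.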
#5 | 02-19-2006, 02:21 AM | Member (Registered: Feb 2004; Location: Wichita, KS; Distribution: CentOS 4, SuSE 10, Tiger; Posts: 110)
You could always use public key authentication. If you used that you could make it so someone connecting would have to have your username, private key, and the key phrase for the private key. Also make sure that only you (not other users/system users) can telnet in. I've had security issues in the past where people got in through system accounts (specifically postgres) that presumably had a default password. (I know, I know, that was really bad on my part. But in my defense, I totally forgot that I had port 22 forwarded through NAT.)
#6 | 02-22-2006, 09:08 AM | LQ Newbie (Registered: Feb 2006; Location: Florida; Distribution: SuSE, Debian, PCLINUX2007; Posts: 13)
Let me start off by saying... SSH is a safe way of connecting. Make sure that you keep up with any security patches. On your server, to lock it down better, I would suggest running an iptables firewall if you are not doing it already. Change the SSH port to something other than 22 and not another common port, for example 51000. On your firewall, only allow the ports you need inbound. As a word of advice, be careful at work and how much time you spend connecting to home. At work, I happen to be in the security department and one of our roles is not only monitoring inbound connections but also monitoring all outbound connections (watching employees). I would be less concerned about your work hacking your PC and seeing your files than I would be with how much time their reports show you connecting to your home server.
#7 | 02-22-2006, 02:12 PM | Member (Registered: Sep 2002; Posts: 310)
Using public key authentication is the way to go, as mentioned earlier by imemyself.
The additional suggestion by mikebudohiee of moving the daemon to listen on a different port is also valuable. However, I don't recommend going above 1023. Keep it in the range of privileged ports (0-1023).
If you think of a port (for example, 1022) and want to see if it's already used by a service, you can run the commands:
Code:
# -w matches the whole word, so 11022 or 10220 do not count as hits
grep -w 1022 /etc/services
# listening TCP sockets; ':1022' keeps PIDs and other ports out of the match
netstat -tlnp | grep -w ':1022'
#8 | 02-23-2006, 08:35 AM | LQ Newbie (Registered: Feb 2006; Location: Florida; Distribution: SuSE, Debian, PCLINUX2007; Posts: 13)
Since your server is accessible via the Internet, configuring public key authentication as mentioned by "imemyself" would definitely make it even more secure. Also, if not done already, verify that root login is turned off for SSH: "under sshd_config; PermitRootLogin no". Chances are you have already done this, but sometimes we forget. The reason I mentioned a TCP high port was that if someone runs a standard port scan, or xmas tree scan, chances are they will not find it. It forces them to scan all 65535 ports. Then again, I am not running public key auth, so a banner grab is easy. I am getting off on a tangent. To answer your original question: yes, SSH is a secure way of connecting.
#9 | 02-23-2006, 09:00 AM | Senior Member (Registered: Sep 2005; Location: Out; Posts: 3,307)
In general, services started by root are set on privileged ports. There are 1023 privileged ports and 64512 unprivileged ones. Maybe you could use an unprivileged one, not in this list:
http://www.glocksoft.com/trojan_port.htm
Anyway, nmap -sV will discover ssh even if it is on an uncommon port, but at least it removes some noise.
#10 | 02-23-2006, 11:27 AM | LQ Guru (Registered: Feb 2004; Location: SE Tennessee, USA; Distribution: Gentoo, LFS; Posts: 11,097)
Generally, although SSH encrypts all communications (which is good), in its default configuration it still has limitations ... all of which are avoidable:
- It allows login as root.
- It accepts "username/password" authentication, giving any challenger the opportunity to present user/pass combinations to your system. (If you're not paying attention to your user-id list... etc.)
If you use public-key authentication, a great big door is slammed shut: only visitors who can "show their badge" are permitted to even approach the door.
If you have a VPN-equipped router (or can get one), the situation is even stronger.
In the real world, you don't get into someone's office building just by saying magic words. You show a badge, some token that is difficult to forge and that clearly is identified as belonging to you and you alone. If the company wants to exclude you, they don't have to teach all the other employees new magic words. You can't "tell your badge to" someone else. And so on. It makes sense. It's just (erroneously) perceived as being "difficult" and so it is not commonly done.
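The sshd_config changes the thread converges on in posts #6, #8 and #10 (PermitRootLogin no, key-only login, a non-default port), as an added example that is not code from any of the posters: a Python audit that parses a constructed sshd_config, reports which of those settings are still weak in effect, and writes out the hardened copy. Directives that are absent or commented out are taken at the OpenSSH defaults of the thread's era, listed in the script as an assumption (releases since OpenSSH 7.0 default PermitRootLogin to prohibit-password). The audit also checks ChallengeResponseAuthentication, which the thread does not mention: with UsePAM yes, keyboard-interactive authentication can still prompt for a password after PasswordAuthentication is switched off, so both need to be no before the server is truly key-only. The port finding is deliberately worded as noise reduction, not protection, in line with post #9.

```python
import re

# Constructed example sshd_config (not from the thread): the defaults the
# posters warn about, with PermitRootLogin present only as a comment.
WEAK_SSHD_CONFIG = """\
# sshd_config on the home server (constructed example)
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
"""

# Assumed OpenSSH defaults for a directive that is absent or commented out.
# These match OpenSSH releases of the thread's era; releases since 7.0 default
# PermitRootLogin to prohibit-password, so adjust when auditing a modern host.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Values harden() writes. Port is handled separately because it is a choice.
HARDENED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
}


def _directive(raw):
    """Return (key_lowercase, value) for an active line, None for blanks/comments."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Port 22" or "Port=22"
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()


def parse_sshd_config(text):
    """Map directive -> value for active lines. First occurrence wins, as in
    sshd itself. Match blocks are not modelled: anything inside one is treated
    as global here, so check those by hand."""
    settings = {}
    for raw in text.splitlines():
        kv = _directive(raw)
        if kv and kv[0] not in settings:
            settings[kv[0]] = kv[1]
    return settings


def effective(settings, key):
    """Effective value once the assumed defaults are applied."""
    return settings.get(key, DEFAULTS[key]).lower()


def audit(text):
    """Return [(directive, finding)] for the weak settings the thread discusses."""
    s = parse_sshd_config(text)
    findings = []
    if effective(s, "port") == "22":
        findings.append(("Port", "listening on 22: an uncommon port cuts scanner "
                         "noise but is not a security control; nmap -sV still finds it"))
    if effective(s, "permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "root may log in directly; set no"))
    if effective(s, "passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "password guessing is possible; "
                         "set no once key login is confirmed working"))
    if effective(s, "challengeresponseauthentication") == "yes":
        findings.append(("ChallengeResponseAuthentication", "with UsePAM yes, "
                         "keyboard-interactive can still prompt for a password; set no"))
    return findings


def harden(text, port=None):
    """Copy of the config with HARDENED (and optionally Port) applied: the first
    active occurrence of each directive is rewritten, later duplicates dropped so
    the first-match rule cannot resurrect the old value, missing ones appended."""
    wanted = dict(HARDENED)
    if port is not None:
        wanted["Port"] = str(port)
    by_key = {name.lower(): name for name in wanted}
    out, seen = [], set()
    for raw in text.splitlines():
        kv = _directive(raw)
        if kv and kv[0] in by_key:
            if kv[0] not in seen:
                name = by_key[kv[0]]
                out.append(f"{name} {wanted[name]}")
                seen.add(kv[0])
            continue
        out.append(raw)
    for name, value in wanted.items():
        if name.lower() not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, finding in audit(WEAK_SSHD_CONFIG):
        print(f"{directive}: {finding}")
    print(harden(WEAK_SSHD_CONFIG, port=51000))
```

Apply the hardened output only after a key login has succeeded in a second session, and keep the first session open while you restart sshd; locking yourself out of a home server from work is the one failure mode the thread's advice cannot undo. If a firewall sits in front, as post #4 suggests, the new port needs opening there before the old one is closed.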