LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-29-2007, 03:09 PM   #1
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian Stable
Posts: 2,546
Blog Entries: 8

Rep: Reputation: 465Reputation: 465Reputation: 465Reputation: 465Reputation: 465
Will this way to secure SSH behind firewall work?


I have a hardware firewall which currently doesn't forward any ports "inside". Will the following work?

1) Add new user "aqdfh" on Debian computer, with random string password.

2) Decide some particular nonstandard port, like 18267.

3) Set my hardware router to port forward 18267 to the Debian computer.

4) Install openssh-server on the Debian computer.

5) Configure openssh-server to only allow login of user "aqdfh".

Is that good enough?

Obviously, I'm going to use different names/numbers than "aqdfh" and "18267".

Once "in", I'm aware that the default ssh shell login is capable of all sorts of things--which I want to be able to do. I just want one centralized "front door" that's secured--a single forwarded port which admits exactly one user with a difficult to guess password.

Thanks!
 
Old 05-29-2007, 04:10 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
wouldn't recommend different port numbers unless you have a really good reason to. obscurity is not security. same goes for a pseudo-random username. dictonary attacks use standard names... root, admin, webmaster, alice, bob, carol, dave... additionally you should look towards private key authentication instead of passwords. if ssh won't accept passwords at all, a password can *never* be guessed.
 
Old 05-29-2007, 04:17 PM   #3
troybtj
LQ Newbie
 
Registered: May 2007
Location: South Dakota
Distribution: Debian Etch (8), XP (1), FreeBSD (1), HP-UX (1)
Posts: 23

Rep: Reputation: 15
I'd recommend using an identity key on the client, adding the public ssh key to ~/.ssh/authorized_keys

Another package I've found useful is Fail2Ban, and I set the limit of failed logins at 1 before the inbound IP is banned by iptables.

I disable password authentication in sshd_config once I have my .ssh/authorized_keys appended with my different clients.

For a linux ssh in, sftp .ssh/id_rsa.pub from the system you will be coming from to ~/ on your inside/protected server, then cat id_rsa.pub >> .ssh/authorized keys

For SecureCRT, generate a key, sftp Identity.pub to your home directory, then cat Identity.pub >> .ssh/authorized_keys

If you don't know where you will be coming from, download putty and put puttyssh with your key on a jump drive, doing the same to add the public key to the authorized_hosts on the server you are going to. Then you can plug the jump drive into whatever system you are at, run putty from there, and you are good to go. Be sure to use the jump drive tools to protect it, and don't lose it or leave it plugged into a public system.

Once Password authentication is turned off, fail2ban takes care of quite a few people trying to guess accounts.

Last edited by troybtj; 05-29-2007 at 04:20 PM. Reason: added jump drive details
 
Old 05-29-2007, 05:06 PM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158Reputation: 158
Quote:
Originally Posted by acid_kewpie
wouldn't recommend different port numbers unless you have a really good reason to. obscurity is not security. same goes for a pseudo-random username. dictonary attacks use standard names... root, admin, webmaster, alice, bob, carol, dave... additionally you should look towards private key authentication instead of passwords. if ssh won't accept passwords at all, a password can *never* be guessed.
There's nothing wrong with changing to a non-standard port, as long as there are other security methods being used. Even if he was using a default install (non-keybased authentication), changing the port won't put him in any danger of being exploited...one port is as good as another. Now, if he's disillusioned into thinking that changing the port will make his server more hardened, he's wrong, but not necessarily in danger.
 
Old 05-29-2007, 05:17 PM   #5
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian Stable
Posts: 2,546

Original Poster
Blog Entries: 8

Rep: Reputation: 465Reputation: 465Reputation: 465Reputation: 465Reputation: 465
Quote:
Originally Posted by acid_kewpie
wouldn't recommend different port numbers unless you have a really good reason to. obscurity is not security.
It doesn't hurt. I've read enough reports that there are lots of break-in attempts on the standard ssh port but far fewer on a random port.

Quote:
same goes for a pseudo-random username. dictonary attacks use standard names... root, admin, webmaster, alice, bob, carol, dave...
Huh? A random string userid isn't going to be in a dictionary. Doesn't this argue in favor of a random string userid?

Quote:
additionally you should look towards private key authentication instead of passwords. if ssh won't accept passwords at all, a password can *never* be guessed.
The private key can still be guessed--which is exactly as easy as guessing a random string password of equivalent bit-length. For example, 128bits is roughly equivalent to 22 alphanumeric characters.

Quote:
Originally Posted by troybtj
I'd recommend using an identity key on the client, adding the public ssh key to ~/.ssh/authorized_keys
For various reasons, I'd rather have a long and complex password rather than a thumbdrive. Naturally, I'll also keep a note of the public key of my Debian machine.

Still, I'll use private key authentication for ssh on my main server, at some point. I eventually intend to experiment with rsync to backup my mom's photos and scans (she produces prodigious amounts of artwork, but she simply isn't computer savvy enough to deal with a backup regime).

Quote:
Another package I've found useful is Fail2Ban, and I set the limit of failed logins at 1 before the inbound IP is banned by iptables.
That's something I'll add on at some point; obviously since I'm going to be manually typing in a long password I'll set the number of failed logins to something a bit higher.

I figure that a bot-attack would tend to come from a zillion different IP addresses, but even so Fail2Ban can't hurt.
 
Old 05-29-2007, 05:28 PM   #6
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
I feel that random port can increase security in some way - it never prevents any serious attack, or makes it harder, but instead there are less very dumb attacks and so logs are smaller and easier to read - and there is a chance the attack will be noticed at all.
 
Old 05-29-2007, 06:50 PM   #7
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian Stable
Posts: 2,546

Original Poster
Blog Entries: 8

Rep: Reputation: 465Reputation: 465Reputation: 465Reputation: 465Reputation: 465
Funny...coincidentally someone just posted this: LXer: Security Through Obscurity? It's Not All Bad
 
Old 05-30-2007, 01:39 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
well i said i "wouldn't recommend" not "will hunt you down with an axe"... there's no harm in it, but if i were to write the book on the subject, i wouldn't make that suggestion, that's all. somethign like the use of fail2ban is much more intelligent.
 
Old 05-30-2007, 02:17 AM   #9
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
Sorry, I understood "wouldn't recommend" as "it will be a bit worse". So I decided to express my opinion why it will be a bit better. But surely, fail2ban (keeping in mind botnet sizes nowadays) and even a port scanning detection tool (which will benefit a lot from a non-default port, unless adversary has control of a box next to some box in your usual routing path - and so can sniff traffic, which is not often) will give more. But it adds up, anyway. It'll give just 14 more random bits of safety, which are easy to use in a "3 failures give 10 seconds of timeout" manner. Just as with fail2ban and random login in addition to random password (as login failures are stored in logs cleartext, you can easily distinguish someone knowing username, but misspelling it from someone trying to guess - even a program can).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
work firewall blocks ssh traffic c_mitulescu Linux - Networking 3 07-12-2006 01:44 PM
LXer: University of Michigan Selects SSH Tectia for Secure System Administration and Secure File Transfers LXer Syndicated Linux News 0 04-25-2006 12:54 AM
SSH /firewall problems with mdk 10.0 linux-secure thomas.nichols Mandriva 3 03-25-2005 03:13 PM
is this secure without a firewall? shanenin Linux - Security 2 01-09-2004 01:56 AM
Getting around a work firewall with ssh Erice60rng Linux - Security 4 01-21-2003 07:07 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:14 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration