I'm following the "Perfect Server" guide for openSUSE on the HowtoForge website and before I move on to installing the server related applications I'd like to be sure that I've set up SSH securely since I will use that to remotely connect to and maintain the server computer from my Desktop computer. Please keep in mind this server PC will be physically located in my home and remain behind my router with my other household computers, just on a different floor. I think I've done as much, maybe more, than I need to based on the intended use and information found at these two links Securing SUSE Linux - openSUSE and Public Key Authentication - openSUSE but I am looking for a second opinion.
To protect against threats from inside my home network I have edited /etc/ssh/sshd_config to ensure only Protocol 2 is enabled, established a Public/Private key that requires a passcode to remotely log in, disabled root login, set PasswordAuthentication to no, limited MaxAuthTries to 3, and in /etc/hosts.allow limited the allowed hosts to one PC (mine) and added a deny all line as well.

My concern is regarding external web based threats since this will eventually be a web server. I have no intention, or foreseeable need, to log in remotely via SSH from outside my home network; thus will not forwarding the SSH port being used from my Router to the server box coupled with the already noted settings be sufficient to prevent SSH intrusion? I thought about changing the port but since I'm not even forwarding that port in my Router to connect from the web would it really be of any benefit to change the port?

Are there other security steps I should take?

Thanks.
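The sshd_config settings listed in the post above can be checked mechanically. The following is an added example, not code from the thread or from openSUSE: the function name `audit` and both sample configurations are constructed for illustration, and it assumes the whitespace-separated `Keyword value` form. It shows a point the list of settings alone does not: sshd keeps the first value it reads for a keyword, so a hardening line appended below an earlier, weaker line has no effect.

```python
# Added example: audits sshd_config text for the settings named in the post.
# Both sample configs are constructed for illustration, not the poster's files.
REQUIRED = {
    "protocol": lambda v: v == "2",  # OpenSSH of this era; newer releases only speak 2
    "permitrootlogin": lambda v: v.lower() == "no",
    "passwordauthentication": lambda v: v.lower() == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 3,
}

WEAK = """\
Protocol 2
PasswordAuthentication yes
PermitRootLogin no
# hardening lines appended at the end of the file
PasswordAuthentication no
MaxAuthTries 3
"""

HARDENED = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    effective, findings, scope = {}, [], None  # scope None = global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = line  # later lines apply only when this Match is satisfied
        elif scope is None:
            effective.setdefault(key, value)  # sshd keeps the first value it reads
        elif key in REQUIRED and not REQUIRED[key](value):
            findings.append(f"{key}: weakened to {value!r} under '{scope}'")
    for key, ok in REQUIRED.items():
        if key not in effective:
            findings.append(f"{key}: not set, the built-in default applies")
        elif not ok(effective[key]):
            findings.append(f"{key}: effective value is {effective[key]!r}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

On a live system, `sshd -T` prints the effective configuration as the daemon itself resolves it, which is the authoritative check.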
The biggest concern, before it becomes an (exposed to the web?) web server is going to be your own box's infections. If somebody can get junk onto your desktop they could then launch an attack. If they can infect any other computer they could change that machine's IP address and then launch an attack as well in theory.

Otherwise, it sounds like you've done everything you need to without limiting access to port 22 at the firewall or changing the port (just to slow things down).

In the case of needing access remotely you could probably do so by enabling remote access on your desktop and then VPN-ing into your network without making any SSH or SSH server configuration changes.

Good luck.

imatechguy wrote:
> I'm following the '"Perfect Server" guide for openSUSE' (http://www.howtoforge.com/perfect-se...ensuse-11.1-p1) on the HowtoForge website and before I move on to installing the server related applications I'd like to be sure that I've set up SSH securely since I will use that to remotely connect to and maintain the server computer from my Desktop computer. Please keep in mind this server PC will be physically located in my home and remain behind my router with my other household computers, just on a different floor. I think I've done as much, maybe more, than I need to based on the intended use and information found at these two links 'Securing SUSE Linux - openSUSE' (http://en.opensuse.org/Securing_SUSE_Linux) and 'Public Key Authentication - openSUSE' (http://en.opensuse.org/Public_Key_Authentication) but I am looking for a second opinion.
>
> To protect against threats from inside my home network I have edited /etc/ssh/sshd_config to ensure only Protocol 2 is enabled, established a Public/Private key that requires a passcode to remotely log in, disabled root login, set PasswordAuthentication to no, limited MaxAuthTries to 3, and in /etc/hosts.allow limited the allowed hosts to one PC (mine) and added a deny all line as well.
>
> My concern is regarding external web based threats since this will eventually be a web server. I have no intention, or foreseeable need, to log in remotely via SSH from outside my home network; thus will not forwarding the SSH port being used from my Router to the server box coupled with the already noted settings be sufficient to prevent SSH intrusion? I thought about changing the port but since I'm not even forwarding that port in my Router to connect from the web would it really be of any benefit to change the port?
>
> Are there other security steps I should take?
>
> Thanks.
Quote:
Quote:
Quote:
Thanks for all the good information.
Quote:
Quote:
The only reason for changing the port is to keep the logs clean from automated login attempts, as you block port 22 in your router, who cares about them? They won't arrive at your machine.

Quite right, but there you should be concerned about the security of your web server, which is the real risk then, (further) securing your SSH connection won't help you there.
Sorry.... on the note about changing the port that was only to slow down somebody who made it to your "secured" workstation that had access to SSH. As that box is not Windows and you don't sound dumb I imagine you're fine.

Good luck.

imatechguy wrote:
> ab@novell.com;2046167 Wrote:
>> The biggest concern, before it becomes an (exposed to the web?) web server is going to be your own box's infections. If somebody can get junk onto your desktop they could then launch an attack. If they can infect any other computer they could change that machine's IP address and then launch an attack as well in theory.
>
> Since I'm the only one that really uses my Desktop, it runs openSUSE and I have a guest account if someone wants to hop on for a bit I'm not overly concerned but your points are duly noted.
>
> ab@novell.com;2046167 Wrote:
>> Otherwise, it sounds like you've done everything you need to without limiting access to port 22 at the firewall or changing the port (just to slow things down).
>
> Do you mean limiting access to port 22 at the Router or Serverbox firewall? Haven't I kind of done that by not forwarding the port in the Router? I admit I'm still trying to learn all this but I was under the impression that if the Router didn't "know" to forward ssh traffic on port 22 to the serverbox such traffic would effectively go nowhere and be rejected by the router. Am I misunderstanding how the router handles that traffic, what you're saying or both?
>
> ab@novell.com;2046167 Wrote:
>> In the case of needing access remotely you could probably do so by enabling remote access on your desktop and then VPN-ing into your network without making any SSH or SSH server configuration changes.
>
> Ah, good information, I'll keep that in mind for future reference.
>
> Thanks for all the good information.
Quote:
Okay I see thanks for clarifying.
Quote:
Another good one with a lot of OpenSUSE-specific info is by one of this forum's regulars, Swerdna. Linux HOWTOs and Tutorials: Suse Linux 10.0, 10.1 openSUSE 10.2, 10.3, 11.0, 11.1

Quote:
Quote:
However ... I will say this. This is just my opinion, so take it for what it's worth:

For publicly-exposed servers, I *do* change the ports whenever possible. That's not always practical with a Web or mail server, obviously, because clients will expect to see those on the standard ports (25, 80, et al.). But I DO change the ports on servers that should have very limited access.

Perfect example: we are required to expose VNC for some of our support services. When it was on the standard 5900-5910 port number(s), we were CONSTANTLY getting hammered by script kiddies. These kids use automated search bots to find common, open ports, and if you look intriguing enough, they'll start trying to guess your password. I don't care how good that password is, either, eventually, one of them could get lucky.

When we changed that to a non-standard port number (and notified our support people of the change, of course), our attacks dropped to zero. Nada. Zilch. So, it DOES make a difference to change ports in *practice.*

There's a difference between theory and practice. In theory, there's no way to truly secure your home against a thief. In practice, if you just keep a low profile (ie, "change the port") and make it difficult enough to enter (ie, "use a good password"), the thief will normally give up and move on to the next home (he'll skip you and try someone else!).

Likewise, while *in theory*, someone could still attack you if you don't use port 22 for SSH, the odds drop dramatically. The cracker has only a 1 in 65535 chance of guessing the port number. He could run a "brute force" NMAP scan for open ports, but he's only going to do that if he thinks you're worth the bother, because a full-blown NMAP scan can take HOURS. Unless you are so intriguing and/or offer rewards that make such an effort worth it, he won't even bother. His script will try port 22, if it sees no immediate response, it'll move to the next IP address.

Theory vs. practice. I go with practice every time.

And no, given what you described, I can't think of any way to make your SSH more secure. Now, when you install the Web server, just use common sense: use the latest version of Apache, keep it updated, etc., etc. But you're smart enough to know that.
@ smpoole7 - Thanks for the info, I hadn't really thought that far ahead yet, like I said one thing at a time. And yes, the information available from the community is superb and always leaves me wondering what took me so long to ditch Windows. I ought to be able to change the port for most everything since when I finally put this box on the web as a server the only thing joe public would need access to would be the Webpages themselves (no email or other functionality); not that there isn't danger enough in that. What you say makes sense but are things the person doing this for the first time may not consider so the advice is appreciated and I will take heed of it. Thanks.