SSH related: Am I as secure as I need to be?

I’m following the “Perfect Server” guide for openSUSE (http://www.howtoforge.com/perfect-server-opensuse-11.1-p1) on the HowtoForge website and before I move on to installing the server related applications I’d like to be sure that I’ve set up SSH securely since I will use that to remotely connect to and maintain the server computer from my Desktop computer. Please keep in mind this server PC will be physically located in my home and remain behind my router with my other household computers, just on a different floor. I think I’ve done as much, maybe more, than I need to based on the intended use and information found at these two links, Securing SUSE Linux - openSUSE (http://en.opensuse.org/Securing_SUSE_Linux) and Public Key Authentication - openSUSE (http://en.opensuse.org/Public_Key_Authentication), but I am looking for a second opinion.

To protect against threats from inside my home network I have edited /etc/ssh/sshd_config to ensure only Protocol 2 is enabled, established a Public/Private key that requires a passcode to remotely log in, disabled root login, set PasswordAuthentication to no, limited MaxAuthTries to 3, and in /etc/hosts.allow limited the allowed hosts to one PC (mine) and added a deny all line as well.

My concern is regarding external web based threats since this will eventually be a web server. I have no intention, or foreseeable need, to log in remotely via SSH from outside my home network; thus will not forwarding the SSH port being used from my Router to the server box coupled with the already noted settings be sufficient to prevent SSH intrusion? I thought about changing the port but since I’m not even forwarding that port in my Router to connect from the web would it really be of any benefit to change the port?

Are there other security steps I should take?

Thanks.
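One way to confirm that the sshd_config settings listed in the post actually took effect, as an added example that is not code from the thread: a small POSIX shell audit that reads an sshd_config file and reports any setting that is unset or differs from what the poster described. It assumes one keyword per line (as in the stock openSUSE file) and builds two constructed sample files inline instead of reading the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the explicit
# hardening settings the original poster applied. Assumes one "Keyword value"
# per line as in the stock openSUSE file; lines starting with "#" are comments.

# Effective value of keyword $2 in file $1. sshd keeps the first uncommented
# occurrence of a keyword, so only the first match is printed; keywords are
# case-insensitive, so both sides are lowercased before comparing.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# Compare the file against the expected values; return 0 only if all hold.
# An absent keyword is reported as unset even when sshd's compiled-in default
# would match, because the point is to have each setting pinned explicitly.
audit_sshd_config() {
    file=$1; rc=0
    for pair in Protocol=2 PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes MaxAuthTries=3; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: want $want, got ${got:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: a hardened file, and one that still carries the
# commented-out defaults plus settings looser than the poster's.
hardened=$(mktemp); stock=$(mktemp)
trap 'rm -f "$hardened" "$stock"' EXIT
cat > "$hardened" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
cat > "$stock" <<'EOF'
#PermitRootLogin yes
#PasswordAuthentication yes
Protocol 2,1
MaxAuthTries 6
EOF
echo "== hardened"; audit_sshd_config "$hardened"
echo "== stock";    audit_sshd_config "$stock" || echo "stock config needs work"
```

On the live box, point audit_sshd_config at /etc/ssh/sshd_config; if your OpenSSH has `sshd -T`, its output shows the configuration the daemon actually parsed and is the authoritative thing to compare against.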

The biggest concern, before it becomes an (exposed to the web?) web server
is going to be your own box’s infections. If somebody can get junk onto
your desktop they could then launch an attack. If they can infect any
other computer they could change that machine’s IP address and then launch
an attack as well in theory. Otherwise, it sounds like you’ve done
everything you need to without limiting access to port 22 at the firewall
or changing the port (just to slow things down).

In the case of needing access remotely you could probably do so by
enabling remote access on your desktop and then VPN-ing into your network
without making any SSH or SSH server configuration changes.

Good luck.

imatechguy wrote:
> I’m following the ‘“Perfect Server” guide for openSUSE’
> (http://www.howtoforge.com/perfect-server-opensuse-11.1-p1) on the
> HowtoForge website and before I move on to installing the server related
> applications I’d like to be sure that I’ve set up SSH securely since I
> will use that to remotely connect to and maintain the server computer
> from my Desktop computer. Please keep in mind this server PC will be
> physically located in my home and remain behind my router with my other
> household computers, just on a different floor. I think I’ve done as
> much, maybe more, than I need to based on the intended use and
> information found at these two links ‘Securing SUSE Linux - openSUSE’
> (http://en.opensuse.org/Securing_SUSE_Linux) and ‘Public Key
> Authentication - openSUSE’
> (http://en.opensuse.org/Public_Key_Authentication) but I am looking for
> a second opinion.
>
>
> To protect against threats from inside my home network I have edited
> -/etc/ssh/sshd_config- to ensure only Protocol 2 is enabled, established
> a Public/Private key that requires a passcode to remotely log in,
> disabled root login, set PasswordAuthentication to no, limited
> MaxAuthTries to 3, and in -/etc/hosts.allow- limited the allowed hosts
> to one PC (mine) and added a deny all line as well.
>
> My concern is regarding external web based threats since this will
> eventually be a web server. I have no intention, or foreseeable need,
> to log in remotely via SSH from outside my home network; thus will not
> forwarding the SSH port being used from my Router to the server box
> coupled with the already noted settings be sufficient to prevent SSH
> intrusion? I thought about changing the port but since I’m not even
> forwarding that port in my Router to connect from the web would it
> really be of any benefit to change the port?
>
> Are there other security steps I should take?
>
>
> Thanks.
>
>

Since I’m the only one that really uses my Desktop (it runs openSUSE, and I have a guest account if someone wants to hop on for a bit), I’m not overly concerned, but your points are duly noted.

Do you mean limiting access to port 22 at the Router or Serverbox firewall? Haven’t I kind of done that by not forwarding the port in the Router? I admit I’m still trying to learn all this but I was under the impression that if the Router didn’t “know” to forward ssh traffic on port 22 to the serverbox such traffic would effectively go nowhere and be rejected by the router. Am I misunderstanding how the router handles that traffic, what you’re saying or both?

Ah, good information, I’ll keep that in mind for future reference.

Thanks for all the good information.

Sounds very secure to me, it’s even more restrictive than my setup due to the hosts.allow entry.

No, changing the port will not improve security, especially in this case.

The only reason for changing the port is to keep the logs clean from automated login attempts, as you block port 22 in your router, who cares about them? They won’t arrive at your machine.

Quite right, but there you should be concerned about the security of your web server, which is the real risk then, (further) securing your SSH connection won’t help you there.

Sorry… on the note about changing the port that was only to slow down
somebody who made it to your “secured” workstation that had access to SSH.
As that box is not windows and you don’t sound dumb I imagine you’re fine.

Good luck.

imatechguy wrote:
> ab@novell.com;2046167 Wrote:
>> The biggest concern, before it becomes an (exposed to the web?) web
>> server
>> is going to be your own box’s infections. If somebody can get junk
>> onto
>> your desktop they could then launch an attack. If they can infect any
>> other computer they could change that machine’s IP address and then
>> launch
>> an attack as well in theory.
>>
> Since I’m the only one that really uses my Desktop, it runs openSUSE
> and I have a guest account if someone wants to hop on for a bit I’m not
> overly concerned, but your points are duly noted.
>
>
> ab@novell.com;2046167 Wrote:
>> Otherwise, it sounds like you’ve done
>> everything you need to without limiting access to port 22 at the
>> firewall
>> or changing the port (just to slow things down).
>>
> Do you mean limiting access to port 22 at the Router or Serverbox
> firewall? Haven’t I kind of done that by not forwarding the port in the
> Router? I admit I’m still trying to learn all this but I was under the
> impression that if the Router didn’t “know” to forward ssh traffic on
> port 22 to the serverbox such traffic would effectively go nowhere and
> be rejected by the router. Am I misunderstanding how the router
> handles that traffic, what you’re saying or both?
>
>
> ab@novell.com;2046167 Wrote:
>> In the case of needing access remotely you could probably do so by
>> enabling remote access on your desktop and then VPN-ing into your
>> network
>> without making any SSH or SSH server configuration changes.
>>
> Ah, good information, I’ll keep that in mind for future reference.
>
> Thanks for all the good information.
>
>

Understood, which is exactly why I’m taking this very slowly and trying to get a handle on each component that I’ll be adding before ever fully exposing the box to the web. I figured if I couldn’t even understand how to secure it for remote connection from my own network behind a router I’d better just stop there.

Okay, I see, thanks for clarifying.

Falco does a great job over at HowToForge, doesn’t he? I’ve used his “How-To’s” many times myself.

Another good one with a lot of OpenSUSE-specific info is by one of this forum’s regulars, Swerdna. Linux HOWTOs and Tutorials: Suse Linux 10.0, 10.1 openSUSE 10.2, 10.3, 11.0, 11.1

> To protect against threats from inside my home network I have edited /etc/ssh/sshd_config to ensure only Protocol 2 is enabled, established a Public/Private key that requires a passcode to remotely log in, disabled root login, set PasswordAuthentication to no, limited MaxAuthTries to 3, and in /etc/hosts.allow limited the allowed hosts to one PC (mine) and added a deny all line as well.

That sounds pretty darned secure to me. :slight_smile:

> My concern is regarding external web based threats since this will eventually be a web server. I have no intention, or foreseeable need, to log in remotely via SSH from outside my home network; thus will not forwarding the SSH port being used from my Router to the server box coupled with the already noted settings be sufficient to prevent SSH intrusion? I thought about changing the port but since I’m not even forwarding that port in my Router to connect from the web would it really be of any benefit to change the port?

In this case, since you don’t plan to expose the server to the Web via your router (I assume you’re talking about a “NAT” or “Port Forward” setting in the router that would send incoming packets to the server?), you should be fine.

However … I will say this. This is just my opinion, so take it for what it’s worth:

For publicly-exposed servers, I do change the ports whenever possible. That’s not always practical with a Web or mail server, obviously, because clients will expect to see those on the standard ports (25, 80, et al.). But I DO change the ports on servers that should have very limited access.

Perfect example: we are required to expose VNC for some of our support services. When it was on the standard 5900-5910 port number(s), we were CONSTANTLY getting hammered by script kiddies. These kids use automated search bots to find common, open ports, and if you look intriguing enough, they’ll start trying to guess your password. I don’t care how good that password is, either, eventually, one of them could get lucky.

When we changed that to a non-standard port number (and notified our support people of the change, of course), our attacks dropped to zero. Nada. Zilch. So, it DOES make a difference to change ports in practice.

There’s a difference between theory and practice. In theory, there’s no way to truly secure your home against a thief. In practice, if you just keep a low profile (ie, “change the port”) and make it difficult enough to enter (ie, “use a good password”), the thief will normally give up and move on to the next home (he’ll skip you and try someone else!).

Likewise, while in theory, someone could still attack you if you don’t use port 22 for SSH, the odds drop dramatically. The cracker has only a 1 in 65535 chance of guessing the port number. He could run a “brute force” NMAP scan for open ports, but he’s only going to do that if he thinks you’re worth the bother, because a full-blown NMAP scan can take HOURS. Unless you are so intriguing and/or offer rewards that make such an effort worth it, he won’t even bother. His script will try port 22, if it sees no immediate response, it’ll move to the next IP address.

Theory vs. practice. I go with practice every time. :slight_smile:

And no, given what you described, I can’t think of any way to make your SSH more secure. Now, when you install the Web server, just use common sense: use the latest version of Apache, keep it updated, etc., etc. But you’re smart enough to know that. :slight_smile:

PS - once you expose that Web server, it’s a judgement call as to whether you disable incoming pings (your router probably has a setting for that). But we’re really getting off-topic, now.

@ smpoole7 - Thanks for the info, I hadn’t really thought that far ahead yet, like I said one thing at a time :). And yes, the information available from the community is superb and always leaves me wondering what took me so long to ditch Windows.

I ought to be able to change the port for most everything since when I finally put this box on the web as a server the only thing joe public would need access to would be the Webpages themselves (no email or other functionality); not that there isn’t danger enough in that. What you say makes sense but are things the person doing this for the first time may not consider so the advice is appreciated and I will take heed of it.

Thanks.