securing_remote_ssh_access

Differences
securing_remote_ssh_access [2013/01/05 00:36] – [Port 22] lonney
securing_remote_ssh_access [2013/01/28 17:55] (current) 142.103.194.1
Line 1: Line 1:
-====== Securing Remote SSH Access ======+====== Securing Remote Secure Shell (SSHAccess ======
  
 If you need to login to your node using SSH remotely, the following will help you avoid unauthorized access to your node. If you need to login to your node using SSH remotely, the following will help you avoid unauthorized access to your node.
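Review bot: the new heading is missing the closing parenthesis after the abbreviation and the space before "Access"; it should read ''====== Securing Remote Secure Shell (SSH) Access ======''.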
Line 7: Line 7:
 ===== Strong Passwords ===== ===== Strong Passwords =====
  
-Using strong passwords is a good idea, if you have trouble remembering strong passwords make a note of them in a notebook or other non-electronic form.+Using strong passwords is a good idea, if you have trouble remembering strong passwords make a note of them in a notebook or other non-electronic form, or in such a way as not to identify what it's for.
  
 [[http://onlinepasswordgenerator.com/|Online Password Generator]] [[http://onlinepasswordgenerator.com/|Online Password Generator]]
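Review bot: the added clause turns the sentence into a comma splice; split it after "good idea" ("Using strong passwords is a good idea. If you have trouble remembering them, make a note of them in a notebook or other non-electronic form, or in such a way as not to identify what it's for."). A caveat is also worth adding next to the Online Password Generator link: a password produced by a third-party website has been seen by that site, so a password generated locally on your own machine is preferable.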
Line 15: Line 15:
 By default with SSH you can login directly using the root username and password. Since it is a given that every Linux and Unix system has a user called root, this is the obvious choice for an attacker to use and it gives them super user access with no further effort. By default with SSH you can login directly using the root username and password. Since it is a given that every Linux and Unix system has a user called root, this is the obvious choice for an attacker to use and it gives them super user access with no further effort.
  
-We can disable logging in directly as root via SSH, after this change you'll need to login as a standard user and if root privileges are needed issue ''su -'' followed by the root password. Once you have finished ''Ctrl D'' to exit back to the previous user. From the console - that is the keyboard and monitor connected to your node you can still login directly as root.+We can disable logging in directly as root via SSH, after this change you'll need to login as a standard user and if root privileges are needed issue ''su -'', you'll then be prompted for the root password. Once you have finished ''Ctrl D'' to exit back to the previous user. From the console - that is the keyboard and monitor connected to your nodeyou can still login directly as root.
  
   - As root edit ''/etc/ssh/sshd_config'', find and change the ''PermitRootLogin'' option to read ''PermitRootLogin no''. Save, and restart sshd with ''/etc/init.d/sshd restart''.   - As root edit ''/etc/ssh/sshd_config'', find and change the ''PermitRootLogin'' option to read ''PermitRootLogin no''. Save, and restart sshd with ''/etc/init.d/sshd restart''.
   - Now you can either set a password on the IRLP ''repeater'' user or add your own user account. To (re)set the repeater password as root issue the following command ''passwd repeater'' and follow the prompts. You will now use this username and password when using SSH to login.   - Now you can either set a password on the IRLP ''repeater'' user or add your own user account. To (re)set the repeater password as root issue the following command ''passwd repeater'' and follow the prompts. You will now use this username and password when using SSH to login.
 +  - If you are doing this change remotely, open another SSH session and test logging in as repeater or with your own user account, and switching to the root account before you close your current session. Otherwise you could potentially lock your self out of the system until you can gain access to the console to straighten things out.
  
-It is also a good practice to avoid using the root account unless you really need to, one typo can hose an entire system before you know it's happened.+It is also a good practice to avoid using the root account unless you really need to be the super user to do something, one typo can hose an entire system before you know it'even happened. I managed to wipe most of the file system on a Unix system once, luckily it was on a test system, and with the OS install CD and yesterdays backup tape in hand I had the system restored to its previous state with-in a couple hours. If you have no disaster recovery plan, you can spend hours or even days piecing a system back-together.
  
 ===== Port 22 ===== ===== Port 22 =====
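Review bot: the order of steps 1 and 2 should be reversed, or step 1 should be moved after step 2: as written, sshd is restarted with ''PermitRootLogin no'' before any non-root account has a known password, so a reader who follows the list literally has no account to test with until step 2 is done. The new step 3 (test in a second session before closing the current one) is the most important addition in this hunk and should stay. Typos in the new paragraph: "nodeyou" needs a space, "it'even" should be "it's even", "yesterdays" should be "yesterday's", "with-in" should be "within", and "back-together" should be "back together".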
Line 26: Line 27:
 The default SSH port 22 is where anything and everything will try when looking for Linux and Unix hosts to compromise.  The default SSH port 22 is where anything and everything will try when looking for Linux and Unix hosts to compromise. 
  
-If you currently have port 22 open to the world, as root ''tail -f /var/log/secure'' to see who passing by has been "knocking on your door". ''Ctrl C'' to exit.+If you currently have port 22 open to the world, as root ''tail -f /var/log/secure'' to see who passing by has been "knocking on your door", you'll more than likely see attempts scrolling by. ''Ctrl C'' to exit.
  
 Using a non-standard port will avoid most of the attention. In this example we'll use port 22500. Any high port number of your choice is generally OK. Using a non-standard port will avoid most of the attention. In this example we'll use port 22500. Any high port number of your choice is generally OK.
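Review bot: "who passing by" reads awkwardly and the added clause is a comma splice; suggest "to see who has been "knocking on your door"; you'll more than likely see attempts scrolling by." Since ''tail -f'' only shows entries written after it starts, it is worth saying that the reader may need to wait a while, or look at the existing contents of the file, before anything appears.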
Line 32: Line 33:
 There are two ways of doing this: There are two ways of doing this:
  
-  - In some routers, the port forwarding configuration allows you to redirect target port. For example port 22500 externally can be mapped to port 22 internally to your IRLP system.+  - In some routers, the port forwarding configuration allows you to redirect target port. For example port 22500 externally can be mapped to port 22 internally to your IRLP system. 
   - If your router does not support redirecting the target port, the configuration of sshd can be changed to listen on a non-standard port. As root edit ''/etc/ssh/sshd_config'', find the line with ''Port 22   - If your router does not support redirecting the target port, the configuration of sshd can be changed to listen on a non-standard port. As root edit ''/etc/ssh/sshd_config'', find the line with ''Port 22
-'' and under it on a new line add ''Port 22500''. Save the file, and restart sshd ''/etc/init.d/sshd restart''Update the port forwarding configuration in your router to use the new port. If you are already forwarding 22, remember to remove it once you have tested connecting to the new port numberBy leaving ''Port 22'' enabled in sshd you can still use this port on your internal network for convenienceor you can take it out all together if you have no need for this.+'' and under it on a new line add ''Port 22500''. Save the file, and restart sshd ''/etc/init.d/sshd restart''Restarting sshd will not disconnect an existing session. 
 +  - In each case preserve the port 22 forwarding you may already have in place, and add an additional port forward for the new port and test it by updating the settings in your SSH client and open a new sessionOnce you're happy everything is working as expected you can remove or disable forwarding for port 22then check you can no longer connect on port 22 to be sure.
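Review bot: with the old sentence about ''Port 22'' removed, the new text never says what to do with the ''Port 22'' line in ''sshd_config'' once the migration is finished; sshd will keep listening on 22 on the internal network, so either state that this is kept deliberately for LAN use or tell the reader to remove that line. The new step 3 also has a run-on: "test it by updating the settings in your SSH client and open a new session" should be "test it by updating the settings in your SSH client and opening a new session", and "then check you can no longer connect on port 22" needs a comma or a new sentence before it.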
securing_remote_ssh_access.1357346204.txt.gz · Last modified: 2013/01/05 00:36 by lonney