How to set up web-facing ssh server securely?

[chevelleman71]

Here's what I have:

I have a small network at my office (3 workstations, 1 ubuntu desktop that I'm using as a file server). I'm using a WRT54G2 router for networking and internet connectivity.


Here's what I'm trying to accomplish:

I want to be able to access my little file server from home, across town. I think ssh might be the best way to go now.


What I don't know:

How do I set up the ssh server on my machine/network without compromising my network security and the security of my server?

Do I just set up port/ip forwarding on my router, install openssh, and that's it?

Help!
Thanks

Luke

[kelt65]

Here's what I have:

I have a small network at my office (3 workstations, 1 ubuntu desktop that I'm using as a file server). I'm using a WRT54G2 router for networking and internet connectivity.


Here's what I'm trying to accomplish:

I want to be able to access my little file server from home, across town. I think ssh might be the best way to go now.


What I don't know:

How do I set up the ssh server on my machine/network without compromising my network security and the security of my server?

Do I just set up port/ip forwarding on my router, install openssh, and that's it?

Help!
Thanks

Luke

More or less, that's all you have to do. However, it would be wise to set

PermitRootLogin no # from "yes" in /etc/ssh/sshd_config

And also restrict the networks that can connect in /etc/hosts.allow

[chevelleman71]

More or less, that's all you have to do. However, it would be wise to set

PermitRootLogin no # from "yes" in /etc/ssh/sshd_config

Ok, sounds great!

And also restrict the networks that can connect in /etc/hosts.allow

So... I would set up dyn-dns with my home dynamic ip then use that as the only allowed traffic source?

Also, would I want to set up some other kind of firewall(s) like an IP table to help keep things safe?


Thanks.

I know these are noob questions, but I learn alot from the answers here.

Luke

[cariboo]

If your office is behind a router, and you only have port 22 forwarded, you don't need another firewall. The only other thing you may want to look at is Denyhosts, it's in the repositories.

[oregonbob]

1) Simply install openssh on your ubuntu machine. Assign a static (fixed) IP address to your ubuntu.

2) Go into router admin, setup IP forwarding of port 22 to be directed to the IP address of your ubuntu machine. Even better you can assign a custom port such as any port over 1024 to be redirected to port 22 on your ubuntu. On my Linksys WRT54G port forwarding is under "Gaming and Applications"

3) Use good passwords. As stated above it is a good idea to use hosts.allow and hosts.deny to restrict who can access your machine. If you leave it open the kiddies will try to break in 24/7/365

4) If you want excellent GUI desktop access, try installing NXServer. You can download it from nomachine.com . Easy to install & config. It is the best remote access on the market and 2 user version is free.

Oops, I assume your office has a static external IP address. If it is dynamic, see if ISP will make it static or you can setup with a dynamic DNS service. Static is the way to go.

[FuturePilot]

3) Use good passwords.

Keys > passwords

My two pieces of advice:

1. Disable password auth completely and only use keys.
2. Use denyhosts or fail2ban.

[CharlesA]

Keys > passwords

My two pieces of advice:

1. Disable password auth completely and only use keys.
2. Use denyhosts or fail2ban.

Big +1 to that.

Personally, I just use key auth only and use iptables to ban ipaddresses that try to connect repeatedly within a specific time.

[Grenage]

I use a good password for my home machine - I can't be bothered with the hassle of a key. For work machines, I would definitely use a key.

[CharlesA]

I use a good password for my home machine - I can't be bothered with the hassle of a key. For work machines, I would definitely use a key.

As long as it's a non dictionary password with some special characters thrown in, it should be fine.

[HermanAB]

Howdy,

My tuppence worth:
I disable root login, set the server to use a non standard port for SSH and use very long semi-pronounceable passwords as well as keys.

So I don't disable password login, but I always use strong passwords. The SSH keys are used for automatic tasks like rsync backup scripts.