  1. #1 smolloy (Linux Guru; Join Date: Apr 2005; Location: CA, but from N.Ireland; Posts: 2,414)

    My own ssh server

    Hi Guys,
    I'd like to start my own ssh server so I can log into my home computer from work, and I've just started reading around about it. It seems like it *should* be relatively easy, but I was just wondering if any of you have any security advice, or tips on the best way to set it up for ease of use AND security.

    Thanks.
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

  2. #2 Linux Guru (Join Date: Nov 2004; Posts: 6,110)
    Best thing to do is run it on a non standard port. Mine is up in the 57xxx's. Have you got your DNS sorted out?

    A word of advice, if your work has a firewall chances are that most ports are locked down. If you do have permission to contact your own machine, i.e. it's not forbidden in work, you might consider using port 443 as it is the SSL port and is open on almost all systems. Port 80 will already be bound to web traffic.

    Do you intend using X forwarding? Whatever you do don't allow root logins, and if you do want X forwarding you'll need an X environment at work. Either a Linux/Unix box or Windows with Cygwin/Reflections X/Exceed installed on it.

  3. #3 smolloy (Linux Guru; Join Date: Apr 2005; Location: CA, but from N.Ireland; Posts: 2,414)
    Thanks bigtom. That sounds like pretty good advice.

    I work in a pretty big high-energy physics lab, and people here use ssh to log into other labs worldwide, so there's no problem in SSH'ing to another machine. Especially as it is purely for work purposes.

    I don't think I'll need to setup X forwarding, as I'll be happy enough with just a command-line, although it might be something to think about in the future.

    I can't see any good reason for me to allow root logins! I take it that it's possible to su to root once I'm logged in?

  4. #4 Linux Guru (Join Date: Nov 2004; Posts: 6,110)
    Yeah that's no problem to use su. Sorry I was probably stating the obvious there, just seems to be said automatically. It's kinda like in your driving test adding "and proceed with caution" to the end of every answer you give.

    Did you get your DNS sorted? I used to run DynDNS on my old router, I have the client running as a system service now. It's great being able to contact your machine from anywhere.

  5. #5 smolloy (Linux Guru; Join Date: Apr 2005; Location: CA, but from N.Ireland; Posts: 2,414)
    Quote Originally Posted by bigtomrodney
    Yeah that's no problem to use su. Sorry I was probably stating the obvious there , just seems to be said automatically. It's kinda like in your driving test adding "and proceed with caution" to the end of every answer you give
    "Check your mirrors, signal your intent to maneuver, begin the SSH daemon, and proceed with caution"

    It seemed obvious to me, but it may not be to others reading this thread, so it can't hurt to mention it.

    Quote Originally Posted by bigtomrodney
    Did you get your DNS sorted? I used to run DynDNS on my old router, I have the client running as a system service now. It's great being able to contact your machine from anywhere.
    You mean to get around the problem of my IP address changing? I knew that would be a problem, but I was thinking of trying to get my computer to automatically write a file containing the output of "ifconfig" to my work computer. I'm not sure if this solution is too cheesy, or if it will even work -- for example, what would happen if my IP address changed in the middle of an SSH session?

    I'll have a look at DynDNS. Thanks for the tip

  6. #6 Linux Guru (Join Date: Nov 2004; Posts: 6,110)
    I've often wondered about that. I really should know, I worked in a LAN team for over two years. That sounds like a crafty workaround. Dynamic DNS with dyndns.org/noip.com/whoever is pretty cool though. You will be able to use it anywhere which is good. And if your machine will be on all the time you may be able to use it for other things too like running your own mailserver etc. If you have a router/LAN at home you can have different ports forwarded to different machines. For example, you can use your IP address/DNS point on one port to your linux ssh server, but a different port might allow you to get to a share from another PC.

    This all gets pretty interesting now. I'm constantly coming up with new mischief since I got remote access to my machine.

  7. #7 smolloy (Linux Guru; Join Date: Apr 2005; Location: CA, but from N.Ireland; Posts: 2,414)
    Quote Originally Posted by bigtomrodney
    This all gets pretty interesting now. I'm constantly coming up with new mischief since I got remote access to my machine.
    I know what you mean. When I got out of bed this morning I'd decided that I'd like to be able to access my computer remotely to run matlab code -- now I'm thinking that it might be fun to set up my own website!

    DynDNS/NoIP look pretty cool, but are there any security implications from using them? For example, they both provide lists of domain names you can use -- so are these domain names targeted more than others by crackers/script-kiddies since they are more likely to be set up by someone (like me) who is not as good at security as a large company?

    I take it DynDNS, etc. leave the security of your system up to you?

  8. #8 Linux Guru (Join Date: Nov 2004; Posts: 6,110)
    The security is your own. I was targeted a lot with SSH running on default ports, but that was even before I had a DNS address. I can't say that it increased, but I can't really deny it either. I was used to seeing a huge amount of script attacks. As soon as I changed port I stopped seeing them. I use SUSEfirewall and also the NAT on my router is only set to forward a few ports, SSH, vnc, bittorrent etc. I'm pretty much off the radar for a normal cracker/script but it wouldn't be impossible. I guess just plugging the few obvious holes is enough to kill 99% of attacks.

  9. #9 smolloy (Linux Guru; Join Date: Apr 2005; Location: CA, but from N.Ireland; Posts: 2,414)
    Thanks a lot for your advice. I really appreciate you taking the time to answer my questions.

    If I go for the default ports, etc. I can expect to see a lot of wee f&*kers attacking me with scripts, but if I use a non-standard port, plus the SUSE firewall, then attacks will be few and far between?

    I won't have a router between me and the internet (only my DSL box), but I guess very strict firewall settings in SUSE should be enough to keep people out. If I use a non-standard port, then does that mean that configuring the firewall through the GUI to let SSH traffic through will no longer work? Will I have to edit iptables directly?

  10. #10 anomie (Linux Guru; Join Date: Mar 2005; Location: Texas; Posts: 1,692)
    Five simple steps to lock down sshd for your situation:
    1. Tell iptables to accept incoming connections to your sshd only from your work IP (or work subnet, if necessary).
    2. Only allow ssh protocol 2 in /etc/ssh/sshd_config.
    3. Do not permit root login in /etc/ssh/sshd_config.
    4. Allow only pubkey authentication in /etc/ssh/sshd_config (you'll need to set up your keys appropriately).
    5. Keep your sshd software up to date.
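    As an added example (not part of the thread), the shell below checks an sshd_config against steps 2 to 4 above and prints the iptables rule for step 1 with the non-standard port asked about in #9; the work IP and port are constructed placeholders, and the two sample config files are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread. Audits sshd_config for steps 2-4 and
# prints the step-1 iptables rule. WORK_IP and SSH_PORT are placeholders.

WORK_IP="203.0.113.10"   # placeholder work address (documentation range)
SSH_PORT="57222"         # placeholder non-standard port, as post #2 suggests

# Effective value of an sshd_config keyword: sshd honours the first occurrence
# and keywords are case-insensitive, so return the first non-comment match.
sshd_option() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 if the file satisfies steps 2-4, 1 otherwise (prints what is off).
# "Protocol 2" is harmless on current OpenSSH, which only speaks protocol 2.
audit_sshd_config() {
    f="$1"; rc=0
    [ "$(sshd_option "$f" Protocol)" = "2" ] \
        || { echo "Protocol should be 2"; rc=1; }
    [ "$(sshd_option "$f" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin should be no"; rc=1; }
    [ "$(sshd_option "$f" PubkeyAuthentication)" = "yes" ] \
        || { echo "PubkeyAuthentication should be yes"; rc=1; }
    [ "$(sshd_option "$f" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication should be no"; rc=1; }
    return $rc
}

# Step 1 as iptables commands; printed only, apply them as root.
ssh_firewall_rules() {
    echo "iptables -A INPUT -p tcp -s $WORK_IP --dport $SSH_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j DROP"
}

# Constructed sample config that follows the five steps.
HARDENED=$(mktemp)
cat > "$HARDENED" <<EOF
Port $SSH_PORT
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

# Constructed sample that still allows root logins and passwords.
WEAK=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$WEAK"

audit_sshd_config "$HARDENED" && echo "hardened config: OK"
audit_sshd_config "$WEAK" || echo "weak config: needs attention"
ssh_firewall_rules
```

On a system where a firewall tool manages iptables for you (such as the SUSE firewall mentioned in #8), add the equivalent rule through that tool rather than raw iptables so it is not overwritten on restart.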
