Ogoshi
Posts: 45
Joined: Wed Dec 28, 2011 5:13 pm
Location: Southend-on-Sea, Essex, England

Opening SSH port on router - security issue?

Thu May 31, 2012 6:37 pm

I'm thinking of opening up port 22 on my router and forwarding to the pi so I can access it away from home, download stuff etc. so files are ready for when I need them. Just wondering what sort of security issues I would be letting myself in for?
If someone could/did get onto the pi then they could easily bounce of that to the rest of the LAN which is my main concern.

So I guess how safe/secure is it? Any precautions I should take?
Thanks

User avatar
RPiDevelopers
Posts: 9
Joined: Fri May 18, 2012 1:41 pm
Contact: Website

Re: Opening SSH port on router - security issue?

Thu May 31, 2012 6:42 pm

Well expect to receive some Brute Force attacks so I recommend you to use a good password, some software that blocks brute force attacks (failtoban), and lastly I recommend you to use another random port and forward that to the Pi to ensure maximum security.
RPiDevelopers
Forge site dedicated to the Raspberry Pi, powered by a state of the art CDN capable of supplying hundreds of downloads daily. Host your RPi Projects with us!

Hairlocks
Posts: 38
Joined: Sat Feb 11, 2012 9:35 pm

Re: Opening SSH port on router - security issue?

Thu May 31, 2012 7:52 pm

Even better, you can generate a private public key pair and restirict ssh to not allow passwords. You then need the private key with you to log in.

Ogoshi
Posts: 45
Joined: Wed Dec 28, 2011 5:13 pm
Location: Southend-on-Sea, Essex, England

Re: Opening SSH port on router - security issue?

Thu May 31, 2012 7:58 pm

Thanks for the replies, I'm new to linux (as if you never guessed!) so will research all the points, hopefully I can combine both!

nicknml
Posts: 192
Joined: Thu Mar 15, 2012 8:44 pm

Re: Opening SSH port on router - security issue?

Thu May 31, 2012 8:03 pm

In addition to the recommendation of using only key-based authentication would be to run it on a a port other than 22.

obarthelemy
Posts: 1399
Joined: Tue Aug 09, 2011 10:53 pm

Re: Opening SSH port on router - security issue?

Thu May 31, 2012 8:22 pm

First, the risk is lowish to start with, because there are very few Linux on ARM computers out there, and many vulernabilites are platform-specific. There are certainly Linux/ARM vulns, but hackers probably aren't bothering to try and exploit those.
This said, I would:
- not use a standard port
- use a key instead of a password
- put ssh on a schedule if you know when you'll want it beforehand
- fake the login message to mislead the snoopers

Hairlocks
Posts: 38
Joined: Sat Feb 11, 2012 9:35 pm

Re: Opening SSH port on router - security issue?

Thu May 31, 2012 9:05 pm

obarthelemy wrote:First, the risk is lowish to start with, because there are very few Linux on ARM computers out there, and many vulernabilites are platform-specific. There are certainly Linux/ARM vulns, but hackers probably aren't bothering to try and exploit those.
This said, I would:
- not use a standard port
- use a key instead of a password
- put ssh on a schedule if you know when you'll want it beforehand
- fake the login message to mislead the snoopers
The risk is actually quite high. Opening ssh with an easy username and password will be compromissed soon enough, just check your log files if you have ssh open to see bots trying to log in. I have been out to fix "slow" linux boxes that have been owned like this.

None of the advice in this thread (that you also repeat/confirm) would do anything to protect against vulernabilites with ssh itself. That requires updating openssh when security update have been made is the most realisitc thing you can do. ( I am assuming reading the source code to spot bugs is above your abiltiy.)

Hairlocks
Posts: 38
Joined: Sat Feb 11, 2012 9:35 pm

Re: Opening SSH port on router - security issue?

Thu May 31, 2012 9:17 pm

A quick check through the logs of a server at work has over 5000 failed password attempts in 1.5 days (mostly invalid usernames).

gweijers
Posts: 5
Joined: Thu Sep 15, 2011 3:55 am

Re: Opening SSH port on router - security issue?

Wed Jun 20, 2012 12:39 pm

I've been running an SSH server for years. You will see connection attempts. Using a random port number cuts down on those. To be safe make sure to not allow password or 'KeyboardInteractive' authentication, only public key. Also run the package updater once in a while.

I use a pfSense open source firewall as my router, which can log failed connection attempts and I see a regular stream of attempts, lots of them from the PRC, so it's necessary to pay attention. I'm now just allowing connections from the region where I live.

empire
Posts: 42
Joined: Thu Jun 14, 2012 2:00 pm

Re: Opening SSH port on router - security issue?

Thu Jun 21, 2012 11:28 am

I have set up my SSH with brute force protection set to scan for brute forcing every one minute (via cron).

I will be writing a guide on my blog for how to do it today :)
http://rpi-blog.com - Raspberry Pi guides, tips, tricks, and resources :-)

Pirx-Danford
Posts: 62
Joined: Thu Oct 06, 2011 2:05 pm

Re: Opening SSH port on router - security issue?

Thu Jun 21, 2012 12:05 pm

If you have a bit of time to dabble around maybe you want to try out port knocking.

There are several implementations, but I suggest this project as starting point:
http://www.zeroflux.org/projects/knock

shawnanastasio
Posts: 19
Joined: Mon May 28, 2012 7:44 pm

Re: Opening SSH port on router - security issue?

Thu Jun 21, 2012 6:48 pm

I just came across this thread, and didn't realize that this was much of a security issue. I currently have ssh running on my iMac (password authentication) and it has been running for years. Just today I checked the logs, and I saw a MASSIVE amount of failed login attempts. This is really starting to scare me. I am defiantly changing the port...

stevepdp
Posts: 285
Joined: Fri Oct 28, 2011 7:41 am

Re: Opening SSH port on router - security issue?

Tue Jun 26, 2012 11:27 am

I've recently been getting into this myself as I took advantage of Linode's free credit offer a week ago and set up an Ubuntu server on it.

Might I advise folks interested in Raspberry Pi security also read over some of Linode's documentation? It's pretty indepth, very easy to follow and the Debian/Ubuntu guides should apply nicely to the Pi too.
shawnanastasio wrote:This is really starting to scare me. I am defiantly changing the port...
That's a good idea, and it's kept my fail2ban logs down quite a bit since making the change.

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Opening SSH port on router - security issue?

Tue Jun 26, 2012 11:57 am

While it is hard to argue against security (and the obvious extension that if "X amount" of security is good, then "X+1 amount" is better - and this shows, inductively, that you never have enough), I wish to point out that MS (of all people...!) have published a white paper that shows (convincingly in my opinion) that security is a net productivity loss. I.e., that the number of incidents (and the total cost of these incidents) is low enough that it doesn't justify the very real cost in time, complexity, and staff training that security procedures entail.

It (the white paper) is worth Googling for and taking a look at.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

User avatar
hayesey
Posts: 78
Joined: Mon Nov 28, 2011 12:46 pm
Location: Manchester, England

Re: Opening SSH port on router - security issue?

Tue Jun 26, 2012 12:07 pm

If you are using Debian or Raspbian then simply:

Code: Select all

apt-get install denyhosts
and that'll install a package that will monitor ssh failed login attempts and block the source IP address.

User avatar
jojopi
Posts: 2998
Joined: Tue Oct 11, 2011 8:38 pm

Re: Opening SSH port on router - security issue?

Tue Jun 26, 2012 6:15 pm

I think that fail2ban, denyhosts, and numerous other workalikes are ill-conceived and do not increase security. They are easy to write, so everyone writes one and then wallows in a false sense of power.

They do not protect you against password brute-forcing; they only protect you against password brute-forcing by an adversary with limited IP resources (that is, with no botnet). They do not protect you at all against very weak or accidentally leaked passwords. Nor against any weaknesses in your SSH configuration. And they are potentially a denial-of-service vector as well.

They are (belatedly) effective against very ineffective attacks, but just moving SSH to a non-standard port seems to work better still.

I think most people would be better to restrict SSH access to specific netblocks, enforce good passwords, set up keys and disable password authentication, move SSH to another port, implement additional restrictions such as port-knocking or multi-factor authentication if they are really paranoid, (in roughly that order) and only then consider banning weak attackers if they are still present.

EdwinJ85
Posts: 263
Joined: Wed Feb 01, 2012 4:44 pm
Contact: Website

Re: Opening SSH port on router - security issue?

Tue Jul 31, 2012 1:02 pm

jojopi wrote:I think that fail2ban, denyhosts, and numerous other workalikes are ill-conceived and do not increase security. They are easy to write, so everyone writes one and then wallows in a false sense of power.

They do not protect you against password brute-forcing; they only protect you against password brute-forcing by an adversary with limited IP resources (that is, with no botnet). They do not protect you at all against very weak or accidentally leaked passwords. Nor against any weaknesses in your SSH configuration. And they are potentially a denial-of-service vector as well.

They are (belatedly) effective against very ineffective attacks, but just moving SSH to a non-standard port seems to work better still.

I think most people would be better to restrict SSH access to specific netblocks, enforce good passwords, set up keys and disable password authentication, move SSH to another port, implement additional restrictions such as port-knocking or multi-factor authentication if they are really paranoid, (in roughly that order) and only then consider banning weak attackers if they are still present.
Is they an easy way to set up key only authentication so that I can still use SFTP and SSH?

Thanks.
Hello!

bursar
Posts: 22
Joined: Thu Jul 19, 2012 10:53 am
Location: Cambridge, UK

Re: Opening SSH port on router - security issue?

Tue Jul 31, 2012 1:20 pm

It's fairly easy - if I can do it.... ;)

I documented the steps I took here: http://mmm-pi.co.uk/?page_id=80

You can ignore the bit at the beginning about configuring QEMU, as that was written whilst I was still emulating a Pi.
http://mmm-pi.co.uk - my adventures with a Pi

brentaar
Posts: 4
Joined: Mon Jul 30, 2012 11:06 pm

Re: Opening SSH port on router - security issue?

Tue Jul 31, 2012 4:53 pm

There have been a lot of things said that is advice on this topic, but one thing that is missing is to disallow Root login over SSH.

To do this change one line in the /etc/ssh/sshd_config
from

Code: Select all

PermitRootLogin yes

to

Code: Select all

PermitRootLogin no
Another thing to remember is that this is a home environment, not an enterprise system that needs to be withstand large threats and keep up time to 11 nines. Most of the scanners are just poking around and they usually go for the lowest hanging fruit, so if you can stop them from knocking they'll usually move on. If you are really concerned you'd implement an intrusion detection system.

To recap some some hi-lights
  • Use Public Key authentication (I prefer RSA keys with 4096 bits)
    Disable password authentication
    Disable Root login over ssh
    Change your ssh port (I think it doesn't do much, if they are after you then they will scan until the ssh port is found, but it will probably turn away some traffic)
    Have something to block failed attempts (I use sshblacklist, because it is pretty lightweight)
    Restrict the incoming IPs that can login to ssh (only allowing your countries IP blocks would probably be sufficient
*Don't forget residential IPs are subject to change, so having a dynamic DNS service is very handy.

DesignMongrel
Posts: 14
Joined: Tue Apr 22, 2014 6:16 pm

Re: Opening SSH port on router - security issue?

Tue Apr 29, 2014 6:06 pm

Another very useful post I see after carelessly exposing my RPi to the world.








That almost didn't come out right lol. Thanks for the useful information guys.

Return to “Networking and servers”

Who is online

Users browsing this forum: No registered users and 19 guests