SSH and webserver over Internet. Is my setup vulnerable?

Posted: Thu Nov 29, 2012 8:19 am
by sim_tcr
Hello,

After a bit of research I was able to set up SSH over the Internet and also a webserver with no-ip. Below is my setup.

My ISP provides a dynamic IP only, so I decided to register an account with no-ip.org and also registered a hostname with them.
Installed the no-ip agent on the Raspberry Pi and set the interval to 30 (don't know if it's minutes or seconds).
Installed Apache.
On the router I forwarded port 22 (for ssh) and 80 (for webserver) to my Raspberry Pi's static LAN IP.
Now I am able to launch my website <site>.no-ip.org and ssh in to <site>.no-ip.org from an external network.

I have set up key-based authentication.
I have modified /etc/ssh/sshd_config and made 'PasswordAuthentication no'
I have set up a banner for ssh.
Changed pi and root account passwords to something complex (no dictionary word, includes numerics and capitals)

With the above setup, are my Pi and LAN reasonably secure?

Thanks,
Simon Mandy

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 8:33 am
by Heater
Sounds like you have done the best you can with SSH.

Now the next thing to worry about is Apache.

Serving up static web pages is perhaps safe as houses. Except perhaps if you inadvertently allow Apache to serve all and every file on the machine.

If you get into server side scripting and user logins and so on and so on then you have to worry about how safe all that is.

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 8:36 am
by adlambert
Security is always a balance between admin overhead and the sensitivity/value of what you are trying to protect. If you are protecting a hobbyist Pi setup then I would say you have done sufficient, as long as your SD image is backed up for rapid replacement in the event that someone decides to do damage out of spite. If, on the other hand, you were holding (hypothetically) credit card details then you are unlikely to get far up the PCI DSS requirements.

I have a Pi and tightVNCServer with VNC tunnelled over SSH, and more than once there have been attempts to connect to VNC by brute force attack (VNC stops accepting login attempts until rebooted). I've done no more than you to harden, and there have been no successful attacks.

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 8:43 am
by joan
You are now probably more secure than most UK government departments. Remember to keep your software updated (so that security patches are applied in a timely fashion).

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 9:47 am
by 999frogs
Many security guides advise changing the ssh port from 22 to something non-standard.

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 10:32 am
by sim_tcr
999frogs wrote: Many security guides advise changing the ssh port from 22 to something non-standard.

I read about that a lot in the forum.
If I change the port from 22 how do I connect using PuTTY? Put the hostname and mention the port in the next tab?
Can someone here tell me how to change the port? Is it again through /etc/ssh/sshd_config?
What other port can I use?
How can I know if that port is not utilized by some other applications in my LAN or other systems?

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 10:48 am
by adlambert
You can detect what ports are in use by using the netstat command, and just pick an unused one that isn't usually part of a standard service.

Putty has a box to configure a port number when you set up the basic session options.

I haven't bothered to change from port 22 because even the most inexperienced hacker will find where SSH is using nmap.

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 10:52 am
by ghans
I believe it simply stops bots, which are a major nuisance.
I don't think that there is anything which stops a targeted attack backed by enough money, knowledge and time.


ghans

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 11:02 am
by sim_tcr
ghans wrote: I believe it simply stops bots, which are a major nuisance.
I don't think that there is anything which stops a targeted attack backed by enough money, knowledge and time.


ghans

In my /var/log/auth.log I see so many attempts to connect using random usernames from the same IP address or from the same pool.
Is that done using bots?
Will that get reduced if I change the port?
Again, is the ssh port changed through /etc/ssh/sshd_config?
Also, by looking at the auth.log is there a way we can check if one of the attempts was successful or not?

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 11:07 am
by ghans
Yes, yes, try man sshd_config at the terminal, yes something like "bye" directly after trying to log in.

ghans

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 12:21 pm
by adlambert
cat auth.log | grep 'Accepted'
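
The grep above taken a step further, as an added example that is not part of any post in this thread: it lists only genuine successful logins and counts rejected attempts per source address. The log lines are constructed samples in sshd's auth.log format, using documentation-range addresses.

```shell
#!/bin/sh
# Constructed sample in the format sshd writes to /var/log/auth.log
# (made-up entries with documentation-range addresses, not from the thread).
sample_log() {
cat <<'EOF'
Nov 29 10:58:01 raspberrypi sshd[2090]: Invalid user admin from 203.0.113.7
Nov 29 10:58:01 raspberrypi sshd[2090]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 29 10:58:04 raspberrypi sshd[2092]: Invalid user oracle from 203.0.113.7
Nov 29 10:58:09 raspberrypi sshd[2095]: Failed password for root from 203.0.113.9 port 40110 ssh2
Nov 29 10:58:12 raspberrypi sshd[2097]: Invalid user Accepted password for root from 203.0.113.7
Nov 29 11:05:40 raspberrypi sshd[2150]: Accepted publickey for pi from 198.51.100.23 port 40022 ssh2
EOF
}

# Successful logins only: the sshd message itself must START with "Accepted".
# The fifth sample line is a rejected attempt whose user name contains that
# word; a bare grep 'Accepted' lists it, this filter does not.
# Prints "method user source-ip".
accepted_logins() {
  awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" { print $7, $9, $11 }'
}

# Rejected attempts per source address, busiest first. "Failed ... for invalid
# user" lines are skipped because the matching "Invalid user" line is already
# counted. The address is the field after the LAST "from", so user names
# containing spaces do not shift it.
failed_by_ip() {
  awk '$5 ~ /^sshd\[[0-9]+\]:$/ &&
       ($6 == "Invalid" || ($6 == "Failed" && $9 != "invalid")) {
         ip = ""
         for (i = 7; i < NF; i++) if ($i == "from") ip = $(i + 1)
         if (ip != "") n[ip]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# On the Pi, read the real file instead: accepted_logins < /var/log/auth.log
sample_log | accepted_logins
sample_log | failed_by_ip
```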

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Thu Nov 29, 2012 12:59 pm
by sim_tcr
I changed my port to something random, I will monitor auth.log for any more attempts.
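
The two /etc/ssh/sshd_config settings this thread relies on, Port and PasswordAuthentication, read back by script the way sshd resolves them (an added example, not part of any post). The sample file, its port 2222 and the function names are constructed for illustration; Include directives and the Keyword=value spelling are not handled.

```shell
#!/bin/sh
# Constructed sshd_config for illustration; 2222 is a placeholder port.
sample_config() {
cat <<'EOF'
# Package default left commented out
#Port 22
Port 2222
passwordauthentication no
# A later duplicate does not override the line above
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# sshd_values KEYWORD: every global value of KEYWORD, in file order.
# Keywords are case-insensitive, comment lines are skipped, and everything
# after the first Match line is conditional, so scanning stops there.
sshd_values() {
  awk -v want="$1" '
    /^[ \t]*(#|$)/       { next }
    { key = tolower($1) }
    key == "match"       { exit }
    key == tolower(want) { print $2 }'
}

# Reads a config on stdin and prints the effective global settings.
audit_sshd() {
  cfg=$(cat)
  # Port may appear several times; sshd listens on every one listed.
  ports=$(printf '%s\n' "$cfg" | sshd_values Port | paste -sd, -)
  # For other keywords sshd uses the first value it obtains.
  pw=$(printf '%s\n' "$cfg" | sshd_values PasswordAuthentication | head -n 1)
  # Fall back to the OpenSSH defaults when a keyword is absent.
  echo "Port=${ports:-22} PasswordAuthentication=${pw:-yes}"
}

# On the Pi: audit_sshd < /etc/ssh/sshd_config
sample_config | audit_sshd
```

On a live system, `sshd -T` run as root prints the effective configuration as sshd itself computed it, which is the authoritative check after editing the file.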

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Fri Nov 30, 2012 3:50 am
by Maine_guy
Try

man last

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Fri Nov 30, 2012 2:39 pm
by sim_tcr
There is a small issue.
As described in the beginning, I have no-ip agent running on my pi and in my router I have forwarded port 80 of my pi's static LAN ip. Also have Apache running on pi on port 80.

The issue is, from my LAN if I try to access my <hostname>.no-ip.org I get my router login page. From outside my LAN <hostname>.no-ip.org works and lands on my index.html which is on my pi.

Any thoughts?

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Fri Nov 30, 2012 2:55 pm
by Dweeber
On your workstation create an entry in its hosts file for the hostname and point it to the local IP.

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Fri Nov 30, 2012 3:02 pm
by sim_tcr
Dweeber wrote: On your workstation create an entry in its hosts file for the hostname and point it to the local IP.

I was thinking about changing the port of Apache to 8081 and forwarding that port in the router. Will that fix the issue?

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Sat Dec 01, 2012 1:35 am
by Mursili
I am not sure which issue you are working to fix at this time.

It has been a while, but I completely cut out failed authentication attempts when I switched the ssh port to 443 (which is normally used for https). When my sshd was listening on port 22 I got several attempts a day. I have a friend that said that he once could not get to his machine on port 443 from some hotels when he was traveling, but I have not encountered that (then again, I have not tried too many times).

Using another port for your web server will make it more difficult to connect to the server. I suppose it depends on who you want looking at the pages that you host there. It would simply take including the port in the link to your site. I have little knowledge about the security of web servers and instead serve any pages that I need using Google APIs (which costs a little bit monthly).

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Sat Dec 01, 2012 2:30 am
by sim_tcr
Mursili wrote:I am not sure which issue you are working to fix at this time.

It has been a while, but I completely cut out failed authentication attempts when I switched the ssh port to 443 (which is normally used for https). When my sshd was listening on port 22 I got several attempts a day. I have a friend that said that he once could not get to his machine on port 443 from some hotels when he was traveling, but I have not encountered that (then again, I have not tried too many times).

Using another port for your web server will make it more difficult to connect to the server. I suppose it depends on who you want looking at the pages that you host there. It would simply take including the port in the link to your site. I have little knowledge about the security of web servers and instead serve any pages that I need using Google APIs (which costs a little bit monthly).

Even I don't face any remote attempts (not even a single attempt) to connect to my pi via ssh after I changed my ssh to a random port.

What I am trying to fix here is, when I try to launch my website (which is hosted on my pi) from my LAN, I see my router's login page. From outside my LAN, it works well.

Re: SSH and webserver over Internet. Is my setup vulnerable

Posted: Sat Dec 01, 2012 4:28 am
by Dweeber
sim_tcr wrote: What I am trying to fix here is, when I try to launch my website (which is hosted on my pi) from my LAN, I see my router's login page. From outside my LAN, it works well.

Again... the easiest solution for that is a simple hosts file entry. You point it to the IP of the pi. When you use your web browser with the hostname that outside users would use, it tells your browser to use that IP instead. Uses the same port etc...

Example on my workstation:

192.168.1.146	rpi.no-ip.org

On the workstation when I use http://rpi.no-ip.org the browser goes to 192.168.1.146 instead of whatever the DNS for it is outside the network.

Obviously you change the hostname to be that of what you are using. I don't use the no-ip service personally, but it doesn't matter what you are using.