User avatar
TideMan
Posts: 271
Joined: Fri Jun 22, 2012 8:08 am
Location: ChCh, NZ

SSH Security

Mon Oct 01, 2012 2:00 am

My project over the weekend was to log in to a RPi working at home from a Linux m/c at our beach cottage.
Once I enabled port forwarding for the RPi on the router at home, all I had to do from the bach was:
ssh pi@StaticIPAddress
and I was in!!

That's great, but it wasn't even a serious challenge, and if a rank novice such as myself can do this in 5 min, what about all the bad people out there? And once they get into my RPi, they have access to all the rest of my LAN. Subsequently, I've changed the port from the default (22) to another number, but this whole thing seems very insecure.

Comments?
If you wish in this world to advance, your merits you're bound to enhance.
You must stir it and stump it and blow your own trumpet, or trust me you haven't a chance.
Ruddigore, G&S

User avatar
redhawk
Posts: 3465
Joined: Sun Mar 04, 2012 2:13 pm
Location: ::1

Re: SSH Security

Mon Oct 01, 2012 3:08 am

Exploits involving the ssh logins has been mentioned before and options discussed regarding adding security.
However this really only an issue for PI's who are exposed to the outside internet i.e. router set with port forwarding for tcp 22.

Changing the port number is a good idea but it would also be prudent to change the password for username pi since most of the Linux distros use the same password.
Perhaps in future Raspian's first run setup raspi-config should force people to change the default password.

Richard S.

User avatar
malakai
Posts: 1382
Joined: Sat Sep 15, 2012 10:35 am
Contact: Website

Re: SSH Security

Mon Oct 01, 2012 3:19 am

As it's intended for education I don't see much happening to change this.

You may also want to create a different user and give it the same rights as pi then remove pi all together.

Making it more secure also makes it more difficult for a typical user to get up and running being able to ssh in easily helps those that aren't very computer savvy or just don't have a need for it.
http://www.raspians.com - always looking for content feel free to ask to have it posted. Or sign up and message me to become a contributor to the site. Raspians is not affiliated with the Raspberry Pi Foundation. (RPi's + You = Raspians)

User avatar
pluggy
Posts: 3635
Joined: Thu May 31, 2012 3:52 pm
Location: Barnoldswick, Lancashire,UK
Contact: Website

Re: SSH Security

Mon Oct 01, 2012 9:17 am

If you have an internet facing SSH system, you will get kiddie scripts (and sometimes even human beings) trying to get in. Many ways around it, simplest first - change the passwords. You could consider selective firewalling the Pi, disabling password logins to SSH altogether and just use key login, port knocking or changing the default port. I have one, its still on port 22, still has passwords enabled, but its firewalled out to all but a select group of IP addresses that I want to access it from. One or two of them are fairly wide groups to allow a whole ISP to get in (to allow for dynamic IP addresses), but since Russia and China aren't among them I don't get any attempts these days.....

National stereotypes live on in pluggy-land :lol:
Don't judge Linux by the Pi.......
I must not tread on too many sacred cows......

User avatar
tedhale
Posts: 114
Joined: Thu Sep 20, 2012 4:52 pm
Location: Williamsburg, VA, USA
Contact: Website

Re: SSH Security

Mon Oct 01, 2012 1:59 pm

My home firewall is built on an Ubuntu Linux system and I have SSH enabled and fully exposed to the internet and I am not worried at all.
You are much safer using keys instead of passwords, but as long as you choose a strong password you are pretty safe.
Moving SSHD to a non standard port is also a help.
Also, make sure that root is dis-allowed logon remotely. This is usually set by default in the ssh config.

My system (Debian at the time) was hacked (several years ago there was an exploit in the underlying SSL library) but it caused no harm since there is nothing useful on that system.
I caught the hack within a day or two due to monitoring of my firewall logs and simply re-imaged the firewall (and then updated my software to remove the exploitable SSL)

Unless there is another exploit found in SSL or SSH, I would not worry too much about using it as long as you follow the precautions above.

BTW, one of my RasPis will become my new firewall in the next couple of months. I have gotten to like silent, fanless systems.
- Ted B. Hale
http://raspberrypihobbyist.blogspot.com

Return to “Beginners”