Basic SSH Security

Josh Rollins
Jul 28, 2019 · 5 min read

They say a picture is worth a thousand words:

This is my SSH server’s log, and this looks like a good time to talk about basic ssh server security.

Let’s back up just a bit for the whys and hows.

To access my personal org files from work (my journal for example), I use TRAMP with SSH. Why SSH? It’s rudimentary, supported out of the box, and relatively private. My work and personal tasks meet in my agenda, but I like to keep my personal resources away from work computers just as I prefer to keep work material away from my personal machine. So, I need to have an SSH server up and running. My setup includes a Raspberry Pi (cheap, reliable, good single-function device) as an SSH server and Syncthing hub and a router that has port-forwarding to allow incoming SSH connections.

Even though I used a different port than the default 22, it was easy enough for the script kiddie in the picture above to find and identify. This is not hard to do; all you need is nmap. In this case, it seems some of the IPs belong to an Amazon server in the Philippines, so it looks like this particular individual uses an automated environment to find and exploit unprotected users. So far, this sounds like a classic scenario.

I set down and decided to implement some basic security configurations I’ve should have had in place since day one. None of these are ground-breaking security, and I’m not an expert myself, but these are probably a good start.

My Setup

These configurations are available inside /etc/ssh/sshd_config. I'm using OpenSSH server. If you're using my configurations, remember to delete the "#" at the start of these lines, as they are marked as comments by default.

Restricting to certain IPs only

In additions to these, I also restricted the allowed IP range as mentioned above. To do that we’re using two files, /etc/hosts.deny and /etc/hosts.allow. This is discussed here, in option 2 (TCP wrappers). The system described here did not work for me as explained, and after reading into the instructions in the files themselves, I got it to work as follows:

In the deny file, we add the line sshd: ALL EXCEPT xxx.xxx. where the xxx is the first and second octet of the IP address we want to allow. This is usually good enough to include all IPs from a certain place, but YMMV. In my case, this range specifies a specific office floor in my work site (which is fairly large), which restricts access only to my office floor area. When I tested the connection from my Android, I could not connect using my carrier but I could connect from work since that's the IP address I specified. This is an awesome technique.

Again, this works for me but may not work for you. For one, you might be using a laptop for work and have a wider range of IPs as you move around. For this, I would consider using the laptop itself to store the files and sync with Syncthing. You may also decide to use one machine, in which case you might want to allow all IPs, but use a PGP key, which is much longer to guess than a password and will automatically reject connections trying to guess a password. This is a preferred method to what I use, try to implement it first if you can.

Originally published at https://joshrollinswrites.com on July 28, 2019.

Liked what you read here? Want to read some more? Follow Josh Rollins at joshrollinswrites.com to learn more about me and my tech adventures.

Emacs

Starting on a new quest…

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store