I am implementing a home alarm system with a Raspberry Pi and I need to access it from the external network. The initial idea was to use a cascaded VPN and SSH (at my university, to connect to the cluster I had to first connect to the university network and then use SSH). But if via VPN I connect to the Raspberry's address, then I cannot give commands via SSH because I'm in 'local', no? ... So I should either use SSH plus fail2ban, or use a VPN. But could I be calm with one of these two methods? Can I use ACLs somewhere? It would not be nice if someone could open the gate or access the cameras...
-
Welcome to the site. Could you explain why this is security related? It seems to me, that this is rather a question about setting up and controlling a raspberry. – Tom K. Sep 12 '18 at 12:29
-
Hi, it's not a problem of how to control the raspberry. I can choose the way to control Raspberry. My problem is to create an architecture that is not vulnerable to attack ... – dang92 Sep 12 '18 at 12:58
1 Answer
I will assume you mentioned a university as a point about the environment and are not considering censorship. An OpenSSH server will work well here. While not advisable, I assume you will use the root user; do ensure a respectable password is used, and this goes for any user allowed SSH login. If you are concerned that password authentication (interactive-keyboard) is not for you, look at public key authentication, using ED25519 521-bits or RSA 4096-bits.
Regarding /etc/ssh/sshd_config, harden the following:

```
# non-standard port; the fail2ban jail below must name the same port
Port 30000
LogLevel VERBOSE
LoginGraceTime 120
PermitRootLogin yes
PermitEmptyPasswords no
# Ideal session timeout
ClientAliveInterval 600
ClientAliveCountMax 0
# Enhanced Authentication
KexAlgorithms diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521
Ciphers aes256-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
AllowUsers root
```
I make a point of mentioning that CTR is preferred over CBC for OpenSSH; see 'Plaintext Recovery Attacks Against SSH'. The port used for SSH is your choice; if exposed to the Internet, use a non-standard port, because of botnets.
Fail2Ban is a viable choice for brute force protection. Consider the following configuration:

```
[ssh]
enabled = true
filter = sshd
# must match the Port in sshd_config, otherwise the ban rule blocks the wrong port
port = 30000
bantime = 600
findtime = 120
maxretry = 5
logpath = /var/log/auth.log
```
Of course, adjust based on your needs, as long bantimes can be a problem if you accidentally lock yourself out. Furthermore, I would advise keeping Fail2Ban enabled even if public key authentication is enabled, as it will reduce traffic in the event of a botnet brute force, and hence CPU consumption.
Test your configuration with `$ hydra -l root -P /root/rockyou.txt -s 30000 -t 4 192.168.1.100 ssh` (the `-s` value is the Port from sshd_config), where rockyou.txt is a wordlist. This is to ensure brute force protection is working properly. You can generate a wordlist with `john` or `crunch`, or download one. Also, using `nmap`, ensure the only open ports are those you desire to be exposed on your network interface.
While I won't expand on it, OpenVPN is another viable option, but I only consider this over SSH when I need censorship circumvention.
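As an added check (example script written for this page, not code from the answer or from OpenSSH/fail2ban): the two configuration fragments above only protect what they agree on. The script below parses an sshd_config the way sshd(8) does (first value of a keyword wins, parsing stops at the first Match block), reports whether password and keyboard-interactive authentication are really off and whether root login is still permitted, and checks that the fail2ban jail's `port` is the port sshd actually listens on, which is where the posted configs disagreed (Port 30000 vs port = 3000). The configuration files it writes are constructed inputs; the weak one is the answer's sshd_config as posted, minus the crypto lines.

```shell
#!/bin/sh
# Added example (not from the original answer): audit an sshd_config and a
# fail2ban jail for the settings discussed above. File contents are constructed.

# sshd_get FILE KEYWORD -> effective global value of KEYWORD, or nothing.
# sshd_config(5): the FIRST obtained value wins, keywords are case-insensitive
# and lines after the first "Match" are conditional, so parsing stops there.
sshd_get() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { if (found) print val }
    ' "$1"
}

# sshd_get_or FILE KEYWORD DEFAULT -> value, or the compiled-in DEFAULT.
sshd_get_or() {
    v=$(sshd_get "$1" "$2"); printf '%s\n' "${v:-$3}"
}

# audit_sshd FILE: one OK/FAIL line per check for key-only, no-root access.
# Returns the number of failed checks (0 = the intent is actually enforced).
audit_sshd() {
    f=$1; fails=0
    pw=$(sshd_get_or "$f" PasswordAuthentication yes)
    if [ "$pw" = no ]; then echo "OK:   PasswordAuthentication no"
    else echo "FAIL: PasswordAuthentication '$pw' (default yes): passwords still accepted"; fails=$((fails + 1)); fi
    # keyboard-interactive is the PAM password prompt; the keyword was renamed
    # in OpenSSH 8.7, so accept either spelling (default yes for both)
    kbd=$(sshd_get "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_get_or "$f" ChallengeResponseAuthentication yes)
    if [ "$kbd" = no ]; then echo "OK:   KbdInteractiveAuthentication no"
    else echo "FAIL: keyboard-interactive '$kbd': PAM password prompt still reachable"; fails=$((fails + 1)); fi
    root=$(sshd_get_or "$f" PermitRootLogin prohibit-password)
    if [ "$root" = yes ]; then echo "FAIL: PermitRootLogin yes: the account every botnet guesses first"; fails=$((fails + 1))
    else echo "OK:   PermitRootLogin $root"; fi
    pk=$(sshd_get_or "$f" PubkeyAuthentication yes)
    if [ "$pk" = yes ]; then echo "OK:   PubkeyAuthentication yes"
    else echo "FAIL: PubkeyAuthentication '$pk'"; fails=$((fails + 1)); fi
    return "$fails"
}

# jail_port FILE -> "port =" value in the [ssh] or [sshd] section of a jail.local.
jail_port() {
    awk '/^[[:space:]]*\[/ { in_ssh = ($0 ~ /^[[:space:]]*\[sshd?\][[:space:]]*$/); next }
         in_ssh && sub(/^[[:space:]]*port[[:space:]]*=[[:space:]]*/, "") { sub(/[[:space:]]*$/, ""); print; exit }
    ' "$1"
}

# check_jail_port SSHD_CONF JAIL_CONF
# fail2ban's ban action only blocks the port named in the jail; if that is not
# the port sshd listens on, attackers are "banned" from a port they never use.
check_jail_port() {
    sp=$(sshd_get_or "$1" Port 22)
    jp=$(jail_port "$2")
    [ "$jp" = ssh ] && jp=22      # the jail may name the service instead of a number
    if [ "$jp" = "$sp" ]; then echo "OK:   fail2ban port $jp matches sshd Port $sp"; return 0; fi
    echo "FAIL: fail2ban bans port '$jp' but sshd listens on $sp: bans never cover SSH"
    return 1
}

# write_samples DIR: constructed inputs. sshd_weak.conf is the answer's
# sshd_config as posted (crypto lines omitted), sshd_hard.conf a key-only
# variant, jail_bad.local the jail as posted, jail_good.local with the port fixed.
write_samples() {
    cat > "$1/sshd_weak.conf" <<'EOF'
Port 30000
PermitRootLogin yes
PermitEmptyPasswords no
AllowUsers root
EOF
    cat > "$1/sshd_hard.conf" <<'EOF'
Port 30000
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers alarm
Match User alarm
    PasswordAuthentication no
EOF
    printf '[ssh]\nenabled = true\nfilter = sshd\nport = 3000\n' > "$1/jail_bad.local"
    sed 's/^port = 3000$/port = 30000/' "$1/jail_bad.local" > "$1/jail_good.local"
}

# Demo run on the constructed files.
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    for c in sshd_weak sshd_hard; do
        echo "== $c.conf"; audit_sshd "$d/$c.conf" || echo "   -> $? check(s) failed"
    done
    check_jail_port "$d/sshd_weak.conf" "$d/jail_bad.local" || true
    check_jail_port "$d/sshd_hard.conf" "$d/jail_good.local"
    rm -rf "$d"
}
demo
```

Run it against the real files with `audit_sshd /etc/ssh/sshd_config` and `check_jail_port /etc/ssh/sshd_config /etc/fail2ban/jail.local` after sourcing the script; on the posted configuration it reports password and keyboard-interactive authentication still enabled, root login permitted, and a jail that bans port 3000 while sshd listens on 30000. The parser only handles the `Keyword value` form and global (pre-Match) settings; `sshd -T` prints the fully resolved configuration if you need the authoritative view.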
-
Thanks for your exhaustive reply. I'm not an expert on OpenSSH. Can it be configured to use exclusively certificates without a password? And if so, is it a better solution? – dang92 Sep 12 '18 at 12:55
-
By certificate, I presume you are referring to a PKI; unfortunately, OpenSSH does not support X.509 officially. However, you can use public key authentication instead. This works by pre-authorising the public key of each machine you are going to log in from. The user's key pair is often stored in ~/.ssh/. You copy the public key onto your OpenSSH server, and only *authorized keys* are authenticated on the server. The client will be expected to authenticate with the corresponding private key at each login; this proves ownership. Public key authentication is the best for security, but not convenient. – safesploit Sep 12 '18 at 14:55
-
So I can use exclusively a private key and avoid brute force attacks, or does the system ask for a password if no key is detected? Thanks – dang92 Sep 12 '18 at 15:15
-
OpenSSH uses PAM. Hence, it supports single or multi-factor authentication. If you only want public key authentication without interactive-keyboard that is completely possible. You will never prevent a brute force attack, but rather mitigate it from happening. How viable is it using interactive-keyboard with an 80-bit password V. an RSA 4096-bit key-pair, then factor in the firewall restricting brute forcing to 5 attempts every 600 seconds? I am not saying when using Fail2Ban interactive-keyboard (password) is bad, it works well with a strong password, but public key authentication is better. – safesploit Sep 12 '18 at 15:30
-
Never enter any password you intend to use into an online service, but use these to better understand strong password generation and entropy: [The Password Meter](http://www.passwordmeter.com/) and [Cygnius Password Strength Test](https://apps.cygnius.net/passtest/). Opinion varies about what a strong password is, so I will be simple: use alphanumeric (lower case, upper case and numeric values) with special characters, with a length of 15-32 characters. – safesploit Sep 12 '18 at 15:38