
I'm not sure if this is the right place to ask.

My goal is to establish an external connection to my home server through ssh and tunnel some ports to the laptop. For this reason, I've exposed the SSH port through my router (random 5-digit port instead of 22), and set the following config:

  • Private key connections only (password connections turned off)
  • Allowing only one specific user in (with sudo rights) from known IP addresses. (Ideally I would love to somehow allow access from my mobile phone's hotspot, but it seems to change IP very often...)
  • Additionally, I'm thinking about creating a guest user with no sudo rights, which would be allowed from any IP. (This is in case I was trying to use the mobile hotspot). The guest would be enough for tunneling the ports, but would have no rights to files or anything otherwise.

Are these restrictions enough, or am I missing something important?

From what I've gathered, a better alternative would be to set up a VPN and connect to it instead; however, I'm not sure if it isn't a large overhead for just one user. Additionally, as I'm not an expert in this field, I feel that it would be much easier to leave something ill-configured by mistake due to the larger complexity of the openvpn setup, while with sshd it seems straightforward.

EDIT: Additional idea regarding port 22: from what I understand, after changing the port to some other random one, it can still be discovered by a thorough nmap scan - if that's the case, is it possible to spoof them? E.g., spawn some "honeypot" ssh ports that lead nowhere (or to some empty docker container?), essentially hiding the correct port that leads to the machine? If anything, one can open thousands of empty ports that would respond to nmap scans.

runr
  • Similar to https://security.stackexchange.com/questions/233785/is-starting-an-aws-instance-with-only-ssh-to-port-22-significantly-insecure – mti2935 Aug 25 '20 at 11:50

2 Answers


Changing your port number is not considered a security countermeasure; we call this security by obscurity.

If someone scans your IP address, they will find out that an SSH daemon is running on an alternative TCP port regardless.

Based on your edited question it appears you are concerned about anyone finding the SSH daemon's TCP listening port. If this is the case, I would recommend implementing port knocking.

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of predefined ports. It could be configured in a way where you have to execute a script that will connect to X amount of ports.

If the right sequence is received by the port knock daemon, it will open up your SSH port in the firewall for X amount of time. A regular port scan will not be able to detect the SSH daemon at this point.

Hardening your SSH daemon is always recommended as the 'default out of the box' configuration is still using weak key exchange algorithms and ciphers.

By using strong key exchange algorithms and ciphers, most automated attempts will (currently) fail because the client (attacker) cannot negotiate on either one of the algorithms or ciphers.

You could consider using my hardened configuration located at: https://github.com/ITNerdbox/hardening-configurations/blob/master/sshd_config

It might require some tweaking on your part in order to meet your requirement(s).

Jeroen
    I love when they edit the questions based on answers but don't give points for actual answers. Port knocking is actually a great idea. – nethero Aug 25 '20 at 15:57
  • @Jeroen thanks for the suggestions, will try out `knockd`, that looks like a good extra security layer. Since my home IP shouldn't be broadcasted, it may be just enough to avoid random attacks, coupled with the beefed-up sshd config. In your opinion, would this be a good overall solution for personal use, or would you also recommend setting up some kind of VPN instead? – runr Aug 25 '20 at 20:59
  • @Nutle Personally I think this solution is considered sufficient for home use. A VPN seems a bit overkill to me but it also depends on your requirements. If I had the need for this, I'd probably use a similar setup. – Jeroen Aug 25 '20 at 21:22
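To tie the thread's points together (the question's key-only and AllowUsers restrictions, the tunnel-only guest, and this answer's warning about the legacy key-exchange algorithms and ciphers a stock sshd still offers), here is an added audit script that is not part of the original post and not taken from the hardening repository linked above. It parses the effective configuration as printed by `sshd -T`; the sample listing, the user names `admin` and `guest`, the address range and the legacy-algorithm lists are all constructed assumptions for illustration.

```python
# Constructed sample of `sshd -T` output (sshd prints keys lowercased; only the
# keys relevant to the thread are shown, a real listing is much longer).
SAMPLE_SSHD_T = """\
port 23456
passwordauthentication no
pubkeyauthentication yes
allowusers admin@203.0.113.0/24 guest
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
ciphers chacha20-poly1305@openssh.com,aes128-cbc
"""

# Legacy algorithms to flag; illustrative lists, not an exhaustive policy.
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1"}
LEGACY_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                  "arcfour", "arcfour128", "arcfour256"}

def parse_sshd_t(text):
    """Parse `sshd -T` style 'key value' lines into a dict. Repeated keys are
    merged, in case sshd prints a list option one value per line."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            cfg[key.lower()] = (cfg.get(key.lower(), "") + " " + value).strip()
    return cfg

def audit(cfg, unrestricted_ok=("guest",)):
    """Return findings for the restrictions discussed in the thread; [] means
    all pass. unrestricted_ok lists accounts (the tunnel-only guest) that are
    deliberately allowed from any source address."""
    findings = []
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("password authentication is still enabled")
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("public-key authentication is disabled")
    entries = cfg.get("allowusers", "").split()
    if not entries:
        findings.append("no AllowUsers restriction: every local account can log in")
    for entry in entries:
        user, _, source = entry.partition("@")  # user@host-pattern form
        if not source and user not in unrestricted_ok:
            findings.append(f"user {user} may log in from any address")
    for key, legacy in (("kexalgorithms", LEGACY_KEX), ("ciphers", LEGACY_CIPHERS)):
        bad = sorted(set(cfg.get(key, "").split(",")) & legacy)
        if bad:
            findings.append(f"{key} still offers legacy algorithms: {', '.join(bad)}")
    return findings
```

On a real host, replace `SAMPLE_SSHD_T` with the captured output of `sshd -T` (run as root) and print `audit(parse_sshd_t(...))`; the sample above yields two findings, one for the SHA-1 group1 exchange and one for the CBC cipher.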

Opening any port on your router is very risky, and you should make sure that your router has no known issues that allow exploitation of such an open port. This would be my concern no. 1 before even thinking about the SSH and its configuration.

An additional security risk is actually the SSH implementation that you are running on your server, and the server itself.

As for the VPN, this is a much better solution and it is not too difficult; it requires some reading, but is 100% worth it considering the added security and its support for things like two-factor authentication.

nethero
  • The first paragraph seems like a misconception; enabling port forwarding to an internal host doesn't expose anything on the router itself – multithr3at3d Aug 25 '20 at 11:50
  • Except for some additional configuration options (like 2FA), doesn't setting up a VPN server require exposing some ports for the connections as well? If not, how does the client establish the connections, unless through some 3rd party provider? – runr Aug 25 '20 at 12:04
  • So, first of all, port forwarding is done by exposing a port on the router which is normally closed (you forward from the open port to an internal port). Your router is normally a stateful firewall that does not allow inbound connections, and only allows responses to user-established sessions. The moment you run a server on your network you need an exposed port on your router if you want to connect to it from outside. Doesn't matter if the port is mapped or forwarded. There are many devices that allow for exploits on open ports and it is important to know if yours is one of those. – nethero Aug 25 '20 at 12:13
  • This is a valid point, will check on the device and the available firmware updates. It's tplink archer c7, not that old, but I think I've heard about various vulnerabilities for the tplinks before.. – runr Aug 25 '20 at 12:31
  • VPN does require open ports as well, this is why I list the router as the first step. TPlink and D-Link are like a mine for vulnerabilities. – nethero Aug 25 '20 at 14:07
  • @multithr3at3d I mean technically it exposes the router's logic that processes the port forwarding to external traffic. – user Aug 25 '20 at 14:38
  • @user exactly to my point... – nethero Aug 25 '20 at 15:53