I think many people may be in my situation. I travel on business with a laptop. And I need secure access to files from the office (which in my case is my home).
The short version of my question:
How can I make SSH/SFTP really secure when only one person needs to connect to the server from one laptop? In this situation, what special steps would make it almost impossible for anyone else to get online access to the server?
A lot more details:
I use Ubuntu Linux on both my laptop (KDE) and my home/office server. Connectivity is not a problem. I can tether to my phone's connection if needed. I need access to a large number of files (around 300 GB). I don't need all of them at once, but I don't know in advance which files I might need. These files contain confidential client info and personal info such as credit card numbers, so they must be secure.
Given this, I don't want to store all these files on Dropbox or Amazon AWS, or similar. I couldn't justify that cost anyway (Dropbox don't even publish prices for plans above 100 GB, and security is a concern). However, I am willing to spend some money on a proper solution. A VPN service, for example, might be part of the solution? Or other commercial services? I've heard about PogoPlug, but I don't know if there is a similar service that might address my security concerns?
I could copy all my files to my laptop because it has the space. But then I have to sync between my home computer and my laptop and I found in the past that I'm not very good about doing this. And if my laptop is lost or stolen, my data would be on it. The laptop drive is an SSD and encryption solutions for SSD drives are not good.
Therefore, it seems best to keep all my data on my Linux file server (which is safe at home).
Is that a reasonable conclusion, or is anything connected to the Internet such a risk that I should just copy the data to the laptop (and maybe replace the SSD with an HDD, which reduces battery life and performance)?
I view the risks of losing a laptop to be higher. I am not an obvious hacking target online. My home broadband is cable Internet, and it seems very reliable. So I want to know the best (reasonable) way to securely access my data (from my laptop) while on the road.
I only need to access it from this one computer, although I may connect from either my phone's 3G/4G or via WiFi or some client's broadband, etc. So I won't know in advance which IP address I'll have.
I am leaning toward a solution based on SSH and SFTP (or similar). SSH/SFTP would provide about all the functionality I anticipate needing. I would like to use SFTP and Dolphin to browse and download files. I'll use SSH and the terminal for anything else.
My Linux file server is set up with OpenSSH. I think I have SSH relatively secured. I'm using Denyhosts too. But I want to go several steps further. I want to get the chances that anyone can get into my server as close to zero as possible while still allowing me to get access from the road.
I'm not a sysadmin or programmer or real "superuser". I have to spend most of my time doing other things. I've heard about "port knocking" but I have never used it and I don't know how to implement it (although I'm willing to learn).
I have already read a number of articles with titles such as:
- Top 20 OpenSSH Server Best Security Practices
- 20 Linux Server Hardening Security Tips
- Debian Linux Stop SSH User Hacking / Cracking Attacks with DenyHosts Software
- more...
Those articles mention things like
- Use DenyHosts
- Set the AllowUsers option in /etc/ssh/sshd_config to allow only specific users to connect.
- Disable root logins via SSH.
- Use public key authentication and disallow password login
- and much more.
I am doing all the things above (and some more). But I have not implemented every single thing I've read about. I probably can't do that.
But maybe there is something even better I can do in my situation because I only need access from a single laptop. I'm just one user. My server does not need to be accessible to the general public. Given all these facts, I'm hoping I can get some suggestions here that are within my capability to implement and that leverage these facts to create a great deal better security than general purpose suggestions in the articles above.
One example is port knocking. This seems like a perfect fit for my situation. What else is there along these lines?
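The measures listed in the question (AllowUsers, no root login, public key authentication with passwords disabled) can be checked mechanically. The script below is an added example, not part of the original post; the function names, the sample file and the user name ace are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for the settings named in the question.

# Print the first global value of a keyword. sshd uses the first value it
# reads for a keyword, keywords are case-insensitive, and lines after a
# "Match" line are conditional, so the scan stops there.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/              { next }
        tolower($1) == "match"  { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Print one line per finding and return the number of findings.
audit_sshd() {
    cfg=$1; bad=0
    for kw in PermitRootLogin PasswordAuthentication; do
        v=$(first_value "$cfg" "$kw")
        [ "$v" = no ] || { echo "$kw is '${v:-unset}', want 'no'"; bad=$((bad + 1)); }
    done
    v=$(first_value "$cfg" PubkeyAuthentication)   # unset means the default, yes
    [ -z "$v" ] || [ "$v" = yes ] || { echo "PubkeyAuthentication is '$v'"; bad=$((bad + 1)); }
    v=$(first_value "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers is unset, any account may log in"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample: the second PasswordAuthentication line is ignored by
# sshd, so password login is still enabled globally.
sample=$(mktemp)
cat > "$sample" <<'EOF'
permitrootlogin no
PasswordAuthentication yes
PasswordAuthentication no
AllowUsers ace
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a live server, `sshd -T` run as root prints the effective configuration, including compiled-in defaults and included files, which a file scan like this cannot see.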
Teamviewer – Diogo – 2012-04-11T20:41:51.770
@Diogo Rocha - Teamviewer is not secure, it uses external servers to make the connection between the so called server and the clients. – None – 2012-04-11T20:46:51.607
@DiogoRocha - wow, interesting idea! I never even considered TeamViewer for this. I will look more into it. Is it really more secure than SSH? EDIT - never mind. I see from Radoo's reply that Team Viewer is not a good choice. – Ace Paus – 2012-04-11T20:46:58.367
@Ace Paus - TeamViewer is a VNC like software. I don't think you want a remote desktop connection. – None – 2012-04-11T21:07:51.380
What is wrong with SSH? – Canadian Luke – 2012-04-11T21:10:18.713
This doesn't address the authentication or server-hardening issues, but for convenience and to avoid storing files on your laptop, you should consider using sshfs to mount the directory on your server containing your data files. – garyjohn – 2012-04-11T21:10:54.777
@garyjohn -- SSHFS is the same as SFTP afaik. When I mentioned SFTP, I was referring to SSHFS. I may not be 100% correct, but I use the terms almost interchangeably. – Ace Paus – 2012-04-11T21:20:17.017
@Ace Paus: They may be similar under the hood, but the user interfaces are completely different. With sftp, you can copy files back and forth and do some file management as you can with an ftp client. With sshfs, you can mount a remote directory to your local file system and use your local tools on it just as though it was part of your local hard drive. I don't know what the performance is like over long distances--I've only used it within a single building. I certainly wouldn't execute `grep -R` on it. – garyjohn – 2012-04-11T22:42:57.827
@garyjohn. You can do those things with SFTP. (It is not the same as FTPS.) SFTP is SSHFS, afaik. With SFTP I can use Dolphin file manager (for example) as though I was browsing local files. Performance is very good with SFTP (on a good connection). – Ace Paus – 2012-04-12T00:04:02.350