Geekzone: technology news, blogs, forums

4127 posts, Uber Geek
# 243104 27-Nov-2018 08:03

I think I know the answer, but wanted some people's opinions.

I'm using rsync to transfer a directory from a bunch of remote machines, to a server (Debian 9) on our network as a basic form of backup.

SSH is on a non-standard port, and locked down to the subnet the remote machines are on. Authentication is done with a certificate, for a non-root user, who also doesn't have sudo privileges - just read/write to the directory that the remote machines rsync to.

Have I done everything I should?


1005 posts, Uber Geek, Trusted
# 2135004 27-Nov-2018 08:07
2 people support this post

Ideally you would have a VPN between the machines and not expose ssh to the internet (even if it is firewalled off to specific subnets).

Is this automated? If not, you could add 2FA to the logon; otherwise the only other thing would be using a certificate with a password so that if the cert is ever copied they still can't log in.




4127 posts, Uber Geek
# 2135009 27-Nov-2018 08:44

Andib:

Ideally you would have a VPN between the machines and not expose ssh to the internet (even if it is firewalled off to specific subnets).

Is this automated? If not, you could add 2FA to the logon; otherwise the only other thing would be using a certificate with a password so that if the cert is ever copied they still can't log in.

Yep, fully agree that a VPN would be a better solution. The only reason it's done over the public internet is that we don't run the router in all these locations, and I don't want to go too "non-standard" on the remote servers and install extra packages for VPN (they are phone systems installed from a custom image).

It's done with a super simple bash script (just sets variables and runs a single rsync command) on a cron job, so 2FA is not an option.

This way I have a very simple process for installing new systems that the guys can follow to "install" the shell script.

Should add too - fail2ban runs on the server with SSH exposed and blocks the IP after three attempts. I also run a logging rule on the firewall to log all IPs that hit the exposed SSH port. I can take that further and ban at that level too.
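
As an added example (not the poster's script, and not fail2ban itself), the counting that fail2ban's sshd jail does, run by hand over constructed auth.log lines so the three-attempt threshold mentioned above can be sanity-checked against what sshd actually logs; the script name and the log lines are made up for the demonstration.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source IP, the way a fail2ban
# sshd jail would, and list sources at or above a ban threshold.
# Real use:  sh sshd_failures.sh /var/log/auth.log [threshold]
# (illustrative name; pass /dev/stdin to read from a pipe)

# failed_logins_per_ip: read sshd log lines on stdin and print "ip count" for
# every source that failed authentication, most failures first. Matches the
# "Failed password", "Failed publickey" and "Invalid user" events.
failed_logins_per_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed (password|publickey) for|Invalid user )/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print ip, count[ip] }
    ' | sort -k2,2nr -k1,1
}

# ban_candidates THRESHOLD: print only the sources at or above THRESHOLD
# (default 3, the value used in the thread).
ban_candidates() {
    failed_logins_per_ip | awk -v max="${1:-3}" '$2 >= max { print $1 }'
}

# Constructed sample log in Debian 9 /var/log/auth.log format.
SAMPLE_LOG='Nov 27 08:03:01 backup sshd[4101]: Accepted publickey for backup from 192.0.2.10 port 51022 ssh2: ED25519 SHA256:constructed
Nov 27 08:03:14 backup sshd[4102]: Invalid user admin from 198.51.100.7 port 40122
Nov 27 08:03:15 backup sshd[4102]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Nov 27 08:03:19 backup sshd[4103]: Failed password for root from 198.51.100.7 port 40130 ssh2
Nov 27 08:03:20 backup sshd[4103]: Failed password for root from 198.51.100.7 port 40130 ssh2
Nov 27 08:04:02 backup sshd[4105]: Failed publickey for backup from 203.0.113.5 port 60010 ssh2: ED25519 SHA256:constructed'

if [ $# -gt 0 ]; then
    ban_candidates "${2:-3}" < "$1"
else
    # No file given: show the counts for the constructed sample.
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_per_ip
    echo '--- at threshold 3 these sources would be banned:'
    printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
fi
```

On the sample, 198.51.100.7 is counted four times (the "Invalid user" line and the three password failures) while the single bad public key from 203.0.113.5 stays below the threshold.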


6835 posts, Uber Geek, Trusted, Subscriber
# 2135011 27-Nov-2018 08:45
One person supports this post

I personally would also put on fail2ban. You could use a VPN, but in essence you still have just about as much exposed potential as an SSH interface.

Cyril


341 posts, Ultimate Geek, Trusted
# 2135015 27-Nov-2018 08:50
One person supports this post

If you have a static IP you can lock the port down to only that IP.


6835 posts, Uber Geek, Trusted, Subscriber
# 2135020 27-Nov-2018 09:00

You have piqued my interest; 2FA would not be too hard to do.

Cyril


826 posts, Ultimate Geek
# 2135023 27-Nov-2018 09:06

You haven't explicitly mentioned it, but I would disable root logins via SSH.

PermitRootLogin no

I would also disable port forwarding for backup users.

AllowTcpForwarding no

If you could avoid rsync, which requires shell access, and just use SFTP, you could further restrict SSH to providing SFTP only to those users.


4127 posts, Uber Geek
# 2135032 27-Nov-2018 09:20

SirHumphreyAppleby:

You haven't explicitly mentioned it, but I would disable root logins via SSH.

PermitRootLogin no

I would also disable port forwarding for backup users.

AllowTcpForwarding no

If you could avoid rsync, which requires shell access, and just use SFTP, you could further restrict SSH to providing SFTP only to those users.

Yep, both of those are certainly set.

Thought of FTP, but then I will need a client on the remote machines, right? Will see what's included with the standard build.


826 posts, Ultimate Geek
# 2135065 27-Nov-2018 09:25

chevrolux:

Thought of FTP, but then I will need a client on the remote machines, right? Will see what's included with the standard build.

SFTP is SSH File Transfer Protocol, which is a different protocol from FTP. It only requires an SSH connection.

If your clients can use SSH, they should be able to use SFTP.


6835 posts, Uber Geek, Trusted, Subscriber
# 2135071 27-Nov-2018 09:31
One person supports this post

I would assume it's just plain old OpenSSH you have installed; if so, SFTP is already there.

Cyril


2779 posts, Uber Geek, Trusted, Lifetime subscriber
# 2135098 27-Nov-2018 10:18

I would also add:

RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no

As then you can ONLY log in using a public/private key pair. I assume you would have another path to access the box should you lose the key, but I always disable PasswordAuthentication.

Plus keep your boxes regularly patched.

If you wanted to take it up to the next level you can use Yubikeys with SSL Certificates, and then if you are running Windows for your client you can use "putty-cac", which allows you to do authentication based on a certificate in a hardware token.
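
An added example (not from any poster in this thread) that checks an sshd configuration dump for the settings recommended in this post and in SirHumphreyAppleby's post above. It reads the effective configuration printed by `sshd -T` rather than the raw file, so defaults and Match blocks are accounted for; the script name and the two sample dumps are constructed for the self-test.

```shell
#!/bin/sh
# Added example: audit the effective sshd configuration for the settings the
# thread recommends. Real use:  sshd -T | sh sshd_audit.sh /dev/stdin
# (illustrative name). If Match blocks select the backup user, run
# sshd -T -C user=backup,addr=<client ip> so the dump reflects that user.
# Keyword/value pairs to verify; sshd -T prints keywords in lowercase.
EXPECTED='permitrootlogin no
passwordauthentication no
permitemptypasswords no
hostbasedauthentication no
allowtcpforwarding no'

# check_sshd_config DUMP: print one FAIL line per mismatch; exit status 0 only
# if every expected keyword is present with the recommended value.
check_sshd_config() {
    dump=$1
    fails=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: got "%s", want "%s"\n' "$key" "${got:-unset}" "$want"
            fails=$((fails + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$fails" -eq 0 ]
}

# Constructed sample dumps (only the relevant keywords) for a self-test.
SAMPLE_HARDENED='permitrootlogin no
passwordauthentication no
permitemptypasswords no
hostbasedauthentication no
allowtcpforwarding no'
SAMPLE_DEFAULT='permitrootlogin prohibit-password
passwordauthentication yes
permitemptypasswords no
hostbasedauthentication no
allowtcpforwarding yes'

if [ $# -gt 0 ]; then
    check_sshd_config "$(cat "$1")"
else
    check_sshd_config "$SAMPLE_HARDENED" && echo "hardened sample: all settings OK"
    check_sshd_config "$SAMPLE_DEFAULT" || echo "default sample: needs attention"
fi
```

RhostsRSAAuthentication is a protocol 1 option and is deliberately left out of the check list; on the default-like sample the script reports three failures (root login, password authentication and TCP forwarding).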

436 posts, Ultimate Geek, Inactive user
# 2135161 27-Nov-2018 11:40

After that libssh auth bug last month I'd be wary of exposing it to the net.


6835 posts, Uber Geek, Trusted, Subscriber
# 2135165 27-Nov-2018 11:49

vulcannz:

After that libssh auth bug last month I'd be wary of exposing it to the net.

True, but OpenSSH is not shown to use the same code, so it is not expected to be similarly exposed.

Cyril

4127 posts, Uber Geek
# 2136112 28-Nov-2018 16:27

Cheers team!

Will implement those config changes as per @BarTender right away - because yea, I can just use the VM console if I really have to.

But will also look at moving to SFTP - just need to search up syncing directories, which rsync does so exceptionally well.


2779 posts, Uber Geek, Trusted, Lifetime subscriber
# 2136221 28-Nov-2018 18:24
One person supports this post

I use rsync over SSH all the time.

rsync -avz -e "ssh" --progress source dest

And that works a treat with SSH keys sorted.

4127 posts, Uber Geek
# 2136232 28-Nov-2018 18:53

Here is the specific command I run...

rsync -r --delete -e "ssh -p $REM_PORT" $BACKUP_DIR $REM_USER@$REM_HOST:/mnt/storage/backups/$REM_DIR

The variables are just set by the shell script. So yea, it is doing it over SSH already... not using source/dst with "rsync://"

