Exposing SSH... sanity check

Forums › IT Pro and developers › Exposing SSH... sanity check

chevrolux

4962 posts

Uber Geek
Inactive user

#243104 27-Nov-2018 08:03

I think I know the answer, but wanted some people's opinions.

I'm using rsync to transfer a directory from a bunch of remote machines, to a server (Debian 9) on our network as a basic form of backup.

SSH is on a non-standard port, and locked down to the subnet the remote machines are on. Authentication is done with a certificate, for a non-root user, who also doesn't have sudo privileges - just read/write to the directory it the remote machines rsync to.

Have I done everything I should?

Andib

1363 posts

Uber Geek

ID Verified

Trusted

#2135004 27-Nov-2018 08:07

Ideally you would have a VPN between the machines and not expose ssh to the internet (even if it is firewalled off to specific subnets).

Is this automated? if not you could add 2fa to the logon otherwise the only other thing would be using a certificate with a password so that if the cert is ever copied they still can't login.

<#
.DISCLAIMER
Anything I post is my own and not the views of my past/present/future employer.
#>

chevrolux

4962 posts

Uber Geek
Inactive user

#2135009 27-Nov-2018 08:44

Andib:

Ideally you would have a VPN between the machines and not expose ssh to the internet (even if it is firewalled off to specific subnets).

Is this automated? if not you could add 2fa to the logon otherwise the only other thing would be using a certificate with a password so that if the cert is ever copied they still can't login.

Yep fully agree that a VPN would be a better solution. The only reason it's done over public internet is we don't run the router in all these locations, and I don't want to go too "non-standard" on the remote servers and install extra packages for VPN (they are phone systems installed from a custom image).

It's done with a super simple bash script (just sets variables, and runs a single rsync command) and on a cron job so 2FA not an option.

This way I have a very simple process for installing new systems that the guys can follow to "install" the shell script.

Should add too - fail2ban runs on the server with SSH exposed and blocks the IP after three attempts. I also run a logging rule on the firewall to log all IP's that hit the exposed SSH port. I can take that further and ban at that level too.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2135011 27-Nov-2018 08:45

I personally would also put on fail2ban. You could use a VPN, but in essence you still have just about as much exposed potential as an SSH interface.

Cyril

Killerkiwi2005

374 posts

Ultimate Geek

Trusted

#2135015 27-Nov-2018 08:50

If you have a static ip you can lock the port down to only that ip

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2135020 27-Nov-2018 09:00

You have pipped my interest, 2fa would not be too hard to do.

Cyril

SirHumphreyAppleby

2844 posts

Uber Geek

#2135023 27-Nov-2018 09:06

You haven't explicitly mentioned it, but I would disable root logins via SSH.

PermitRootLogin no

I would also disable port forwarding for backup users.

AllowTcpForwarding no

If you could avoid rsync which requires shell access, and just use SFTP, you could further restrict SSH to providing SFTP only to those users.

chevrolux

4962 posts

Uber Geek
Inactive user

#2135032 27-Nov-2018 09:20

SirHumphreyAppleby:

You haven't explicitly mentioned it, but I would disable root logins via SSH.

PermitRootLogin no

I would also disable port forwarding for backup users.

AllowTcpForwarding no

If you could avoid rsync which requires shell access, and just use SFTP, you could further restrict SSH to providing SFTP only to those users.

Yep both of those are certainly set.

Thought of FTP, but then I will need a client on the remote machines right. Will see what's included with the standard build.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

SirHumphreyAppleby

2844 posts

Uber Geek

#2135065 27-Nov-2018 09:25

chevrolux:

Thought of FTP, but then I will need a client on the remote machines right. Will see what's included with the standard build.

SFTP is SSH File Transfer Protocol, which is a different protocol from FTP. It only requires a SSH connection.

If your clients can use SSH, they should be able to use SFTP.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2135071 27-Nov-2018 09:31

I would assume its just plain old openssh you have installed, if so SFTP is already there

Cyril

BarTender

3606 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2135098 27-Nov-2018 10:18

I would also add:

RhostsRSAAuthentication no

HostbasedAuthentication no

PermitEmptyPasswords no

PasswordAuthentication no

As then you can ONLY login using a Public/Private Key pair. I assume you would have another path to access the box should you loose the key but I always disable PasswordAuthentication.

Plus keep your boxes regularly patched.

If you wanted to take it up to the next level you can use Yubikeys with SSL Certificates and then if you are running Windows for your client you can use "putty-cac" which allows you to do authentication based on a certificate in a hardware token.