User Name
Password
AppleNova Forums » Genius Bar »

SSH Port 22 Best Practices


Register Members List Calendar Search FAQ Posting Guidelines
SSH Port 22 Best Practices
Thread Tools
Jason
Veteran Member
 
Join Date: Oct 2004
 
2019-07-11, 06:59

Hi guys,

I recently set up my mac so that I can log in remotely using SSH on an iPhone. I used No-IP to get it set up and it works fine after I told my router to let traffic through port 22. However, I want to make sure I've taken all security steps possible. Can anyone advise on any additional measures I ought to look at? Someone mentioned elsewhere that I shouldn't use port 22 at all.

Kind Regards
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2019-07-11, 08:27

Having port 22 be public isn't that unusual.

You should probably configure SSH to require a host key, though. That way, potential intruders will be thwarted early on.
  quote
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2019-07-11, 08:29

The reason people suggest choosing a port other than 22 is that there are bots that roll through all the public address of the internet attempting to connect to devices on port 22 (among others) with known weak credentials. Moving to a high-number port that you've picked yourself means you are less likely to be targeted by these attackers. You can either change that on the SSH server itself (see /etc/ssh/ssh_config) or probably on your router by changing the externally-exposed port in the mapping.

Here are a few other things you can do to help further secure the target system, in increasing order of difficulty...

1. If you haven't already, set your server (Mac) user's login password to something long and very difficult to guess. Bots often use dictionary attacks once a machine is found, and you should have a password that is extremely unlikely to be guessed or derived from common words or phrases. If you think you have a good password, try checking it on https://haveibeenpwned.com/Passwords (this is arguably a trustworthy site, but…) or if you're justifiably paranoid about plugging your password into a web form, you can use their API to see if your password is in a known password dump by checking at a URL like https://api.pwnedpasswords.com/range/5baa6 where "5baa6" is the first five characters of the SHA-1 of your password. To get the SHA-1 of your password, you could use the Terminal command:

Code:
echo -n 'password' | shasum -a 1
…where in this case "password" is the password to check. Take the first five characters of that, and put it on the end of https://api.pwnedpasswords.com/range/. Search the resulting page for your remaining SHA-1 characters after the first five (in the case of "password" that would be "1e4c9b93f3f0682250b6cf8331b7ee68fd8") to see if it's in any known password dumps.

(haveibeenpwned/pwnedpasswords are generally more focused on dissuading password reuse on web sites and online apps, but it's good to check against their database for SSH and anything else that could take a password too.)

2. Disable ssh login for all accounts other than the one you specifically intend to use. In macOS, that's a simple matter of fiddling with the list of users in the "Allow access for" box in the Sharing pane of System Preferences.

3. Set up SSH keys and disable "password" login over SSH. This may be a little tricky if you've never done it, and it requires the SSH client on your iPhone to support this method. It works like this: on your server (Mac) you create a pair of cryptographic keys for your user, give one of those keys to your client (iPhone app), and disable the ability to log in over SSH without that key. Check to see if your app support key-based auth, and if it does, I'll find or write up some notes on how you might use it.

4. Run a program that monitors attempted access and blocks addresses that fail to enter. I currently use fail2ban on a couple of servers, and I've previously used DenyHosts. SSHGuard is another one that I've seen recently but haven't used myself yet. These tools monitor the SSH server access logs, and after a configured number of failed attempts by an external client, they do something (which varies by implementation) to block that client from further attempts. For example, on one of my systems, I have fail2ban set up to block any IP address that attempts to log in as "root" over SSH and to block any IP address that fails 5 times to connect as another username over SSH. This gives me a little leeway in case I fat-fingered my key, but it also provides strong protection against anyone dictionary-attacking if they guess my user.

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Tidewater Virginia
 
2019-07-11, 18:03

What these guys have said really. I don't worry about port 22 being opened on my home network. I use dynamic DNS for my house and the traffic that goes through here so 22 is open to the world here. The thing is I've limited access through that target machine. In my case I have a "jump box" that is a stripped down linux server that is only there to serve as a terminal point for SSH entry on port 22 in my network. I have the ability to jump from that server to any on my local network (and work too thanks to an OpenVPN configuration).

My "important" servers I went with security through obscurity and moved the port (since I can't point port 22 to more than one host in my network) and I still get hack attempts on the alternate ports.

Just know that having the SSH port open on your router will result in hack attempts.

So what do you do? Add a key pair and a password with that if you want to be "super" secure. Or just the key pair and be sure to keep the private portion... private.

On my web hosts I use CSF for my main firewall and log monitoring to handle attacks. I do use fail2ban on some as well so I can highly recommend it too. Generally speaking though, a strong password and non-standard username is really all you need. There will be brute force attempts and your log will fill with them. Keep them at bay by making the password absurd use a username that isn't standard like "root, pi, admin, etc."

For my iOS terminal client I really like Panic's software. Prompt 2 is fantastic and well worth the money if you don't have it already.

In the end if you are REALLY worried and want to mitigate threats then set up a VPN in your home network and only forward traffic to the VPN. Then you can SSH from there to anywhere you need. I have this set up as well so I can use Remote Desktop apps to manage my Macs and PCs. VPN hardware is fairly common in packages like many NAS options or just make one with a Raspberry Pi. If you set your OVPN port to 443 this has the added benefit that most traffic will not be blocked by hotspot operators since it is the standard HTTPS port.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
Posting Rules Navigation
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Post Reply

Forum Jump
Thread Tools
Similar Threads
Thread Thread Starter Forum Replies Last Post
Best Practices for Online Privacy jdcfsu General Discussion 15 2010-05-28 14:11
iTunes LP & iTunes Extras: specs, templates, best practices chucker Apple Products 1 2009-11-27 12:30
7 port USB Hub Motor Purchasing Advice 2 2007-10-22 11:49
UBS Port Help... skyranch General Discussion 10 2006-11-23 08:34
Best Practices : File Naming Conventions drewprops Programmer's Nook 10 2006-08-30 16:06


« Previous Thread | Next Thread »

All times are GMT -5. The time now is 03:41.


Powered by vBulletin®
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Copyright ©2004 - 2019, AppleNova