What are some precautions to take when doing port forwarding on desktop to establish ssh connection with laptop?

I have a home desktop in another city and a laptop I bring to campus both running ubuntu 22.04.4. I would like to establish a ssh connection from the laptop to the desktop to retrieve and write files.

I have never used ssh before today. Just as a test I established a ssh connection and used rsync to achieve what I wanted over my local network. But to do this over the internet I have to set up port forwarding on my desktop.

Now let's say I use public key based authentication to establish a ssh connection between my home desktop and laptop. Port 22 is forwarded to the home desktop and ufw is enabled with only port 22 allowed on the desktop. The laptop will be used at public networks at my campus. Are there any loopholes, oversights etc. that could pose a security risk? If someone for example was to obtain the public ip of my home desktop?

Asked By: volticus


Q: Are there any loopholes, oversights etc. that could pose a security risk?

This question is too broad. New security bugs can be discovered anytime. Keep all your computers updated so that bug fixes are applied to your computers as soon as possible.

If someone for example was to obtain the public ip of my home desktop?

The public IP address is "public". That is, anyone can access it. Hackers typically use scripts or programs to automatically go over a range of public IP addresses to see if any port is open. When they find an open port, say 22, they may try to login using common usernames (for example, pi, root, admin, administrator, etc) and a list of compromised passwords.

If someone wants to specifically target your Desktop they may take a different approach. The scope of such attacks depends on the attacker and the resources they have.

Security Steps

  1. Router setup
  2. Enable public key based authentication and disable password based authentication.
  3. Install and configure a firewall
  4. Install fail2ban

1. Router setup (not a real security step)

It seems you know how to forward ports from your router. The link is for other users who may need help.

You may open a high and non-standard port on your router and forward it to port 22 of your Desktop. Persistent attackers will bypass this measure, but it keeps casual hackers (and their scripts) away. To set up port forwarding, see How to access home ssh server from outside via the Internet?

This also reduces the authentication error logs that fill up your computer’s storage.

2. Enable public key based authentication and disable password based authentication

This is a more secure way to use ssh. It uses a private-public key pair. The private key remains in the trusted computer from which the ssh connection is made, in this case Laptop. The public key goes to Desktop. Once the keys are in place, you will disable password based authentication in the ssh server in Desktop. If you disable password based authentication without making sure the key based authentication is working, then ssh will not work, as there will be no way to authenticate the remote user.

First generate the private-public key pair in the Laptop_user@Laptop. This will need to be done at each user and each local computer from where you ssh to another computer. In a terminal enter:

ssh-keygen -t ed25519

This generates the newer and more secure key than RSA. If you want RSA type keys, then enter:

ssh-keygen -t rsa -b 4096

The process will prompt you for a passphrase. You can hit Enter if you don’t want one. If you do enter a passphrase, you will be asked for it every time you ssh from Laptop to Desktop. If you use a passphrase it should not be the same as the password used for normal login. For better security use a unique and complex passphrase.

Next you will need to copy the public key from Laptop to Desktop. In the terminal in Laptop enter:

ssh-copy-id Desktop_user@Desktop.local

You will be asked to enter the login password of Desktop_user in Desktop. If you have other computers in the home LAN you want to ssh to from the Laptop_user@Laptop then you need not create a new key-pair. Copy the public key of Laptop_user@Laptop to the other user accounts in the other remote computers using the above command.

Once the public key is successfully copied to the Desktop_user account of Desktop try to ssh again:

ssh Desktop_user@Desktop.local

Now you should be able to get into Desktop without Desktop_user's password. At this point one can either use the password or the public key you generated to log in. You can test this by creating a new user (or with an existing second user) in Laptop, such as Laptop_usera. At this stage Laptop_user@Laptop will be able to ssh to Desktop_user@Desktop without password using the public key. On the other hand Laptop_usera@Laptop will need to use the password of Desktop_user to ssh to Desktop_user@Desktop.

The next step is to disable the password based authentication. You may want to do this locally in a terminal of Desktop. Use the following command to create a new file at /etc/ssh/sshd_config.d/

sudo nano /etc/ssh/sshd_config.d/10-nopasswords.conf

Then add the following lines:

# change the file extension to something other than .conf 
# to temporarily allow passwords.
# use sudo systemctl restart ssh.service after file rename
PasswordAuthentication no

Use Ctrl+O to save the changes and Ctrl+X to exit the editor.

Finally, restart the ssh server with the new settings by the following command:

sudo systemctl restart ssh

Now Laptop_user@Laptop will still be able to ssh to Desktop_user@Desktop without password using the public key. On the other hand Laptop_usera@Laptop will get permission denied to ssh to Desktop_user@Desktop.

3. Install and configure a firewall

There are many firewall programs, and some of them are hard to configure. I suggest you install the "uncomplicated firewall" called ufw by the command:

sudo apt install ufw

To open the port 22 but only from within the home LAN use the command:

sudo ufw allow ssh
sudo ufw enable

This firewall setting in Desktop allows anyone from outside the home LAN to use ssh to connect to Desktop.

If you know that you will only access the Desktop from the campus, find out the range of external IP addresses your campus uses for the students’ WiFi network. Then you may delete the ufw general "ssh" rule and create a new one that only allows port 22 access to your Desktop from that range of addresses.

4. Install fail2ban

The fail2ban utility temporarily bans ssh access if someone tries and fails to access your Desktop too many times.

sudo apt install fail2ban

The default settings should be fine, but you can change them according to your needs. See How can I stop ssh bots from trying to SSH in as root for some modifications.

After a couple of weeks of running fail2ban you should examine its log and see where the login attempts are coming from. Then you can adjust the settings to further harden the protection.
Hope this helps

Q: Does fail2ban do anything if public key authentication is used? If
a user without private key tries to establish ssh and my desktop does
not allow password authentication: how will they be able to repeatedly
try to access my desktop? By generating a bunch of private keys?

Scripts used by hackers may continue to try different userid/password combinations even when the first attempt fails. This makes your authentication failure log file grow bigger and bigger. Fail2ban stops that.

The idea is to have multiple layers of protection so that weak attacks are stopped early and the potential attack surface is reduced.

Answered By: user68186
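A small check for steps 2 and 3 of the answer above (an added example, not part of the original post): it verifies from `sshd -T`-style output that password logins are off and key logins are on, and prints the ufw rules that replace the general "ssh" rule with one limited to a single source range. The sample config lines and the 203.0.113.0/24 range are constructed placeholders; on a real Desktop pipe `sudo sshd -T` into the check instead.

```shell
#!/bin/sh
# Added example, not the answer's own commands. Assumes the constructed
# samples below; sshd -T prints the effective settings as lowercase
# "keyword value" lines, which is the format parsed here.

# Reads sshd -T style lines on stdin; returns 0 only if password
# authentication is off and public key authentication is on.
check_sshd_hardening() {
    awk '
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "pubkeyauthentication"   { pk = $2 }
        END { exit !(pw == "no" && pk == "yes") }
    '
}

# Prints the ufw commands that drop the general "ssh" rule and allow
# port 22 only from the given CIDR range (e.g. the campus WiFi range).
# Returns 1 and prints nothing if the argument is not in CIDR form.
ufw_restrict_ssh_to() {
    range="$1"
    case "$range" in
        */*) ;;
        *) echo "expected a CIDR like 203.0.113.0/24, got: $range" >&2
           return 1 ;;
    esac
    printf 'sudo ufw delete allow ssh\n'
    printf 'sudo ufw allow from %s to any port 22 proto tcp\n' "$range"
}

# Constructed sample: effective settings after a
# /etc/ssh/sshd_config.d/*.conf file sets PasswordAuthentication no.
SAMPLE_HARDENED='port 22
pubkeyauthentication yes
passwordauthentication no'

# Constructed sample: Ubuntu default, passwords still accepted.
SAMPLE_DEFAULT='port 22
pubkeyauthentication yes
passwordauthentication yes'

# Usage on a real Desktop (not run here):
#   sudo sshd -T | check_sshd_hardening && echo "keys on, passwords off"
#   ufw_restrict_ssh_to 203.0.113.0/24   # review the printed rules, then run them
```

Run the check before disconnecting from the LAN session, since a file in sshd_config.d is only read when its name ends in .conf.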