Good morning group,
I want to access my server (home-based SuSE box) through the Internet so I can upload images with WinSCP from my XP laptop. Is it safe to just open port 22 to the external world, or do I need extra safety measures? regards, piet
Hi Piet, piet wrote:
Good morning group,
I want to access my server (home-based SuSE box) through the Internet so I can upload images with WinSCP from my XP laptop. Is it safe to just open port 22 to the external world, or do I need extra safety measures?
You should disable SSH v1 and use public/private key authentication. Use keys with 4096 bits. No password login.
regards, piet
Need further assistance? Mail again.
Dirk
--
TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München
Germany
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
http://www.tria.de
working hard | for your success
Commercial register: München HRB 113466; VAT ID: DE 180017238; Tax no.: 802/40600
Managing director: Richard Hofbauer; commercial management: Rosa Igl
Message from: Dirk.Schreiner@tria.de
Message to: prooroa@wanadoo.nl, suse-security@suse.com
# Attachments: 0
The information contained in this E-Mail is privileged and confidential, intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient or competent to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this E-Mail is strictly prohibited. If you have received this E-Mail in error, please notify us immediately. Thank you.
On Thursday 10 November 2005 05:50, Dirk Schreiner wrote:
You should disable SSH v1 and use public/private key authentication. Use keys with 4096 bits. No password login.
Wouldn't there be a concern of someone else getting access to the laptop (lost/stolen) and then, with the key authentication already in place, having access to the home server?
Ron
Passwordless auth is not a great idea. Having a passphrase, while painful, is no less painful than a password and helps you... WinSCP and PuTTY (Pageant) allow you to cache passphrases so you don't have to re-enter them all the time. Enter it once; at least if your machine is stolen, the password will no longer be cached, so the home box is still safe.
Hi *, b@rry wrote:
Passwordless auth is not a great idea.
Having a passphrase, while painful, is no less painful than a password and helps you...
WinSCP and PuTTY (Pageant) allow you to cache passphrases so you don't have to re-enter them all the time.
Enter it once; at least if your machine is stolen, the password will no longer be cached, so the home box is still safe.
And you can run specific commands using the key (and only them). And you can delete the public key on the server any time (which you should do if your laptop is stolen). You can use multiple keys with multiple passphrases on a single (shared) account (no shared password!). And last but not least: there is something called scponly. Works like a charm ;-))
Dirk
Dirk Schreiner said:
And you can run specific commands using the key (and only them).
And you can delete the public key on the server any time (which you should do if your laptop is stolen).
You can use multiple keys with multiple passphrases on a single (shared) account (no shared password!).
And last but not least: there is something called scponly. Works like a charm ;-))
And you can create a separate "upload" user with a restricted shell on the server that only allows execution of scp (and e.g. a chmod). Then even with a stolen laptop/private key, the attacker has only limited access to the server and can't compromise your normal user account that easily.
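Dirk's point that a key can be tied to specific commands and Michel's upload-only user combine naturally in one authorized_keys entry. The forced-command wrapper below is an added example written for this thread; it is not scponly and not code from any poster. It assumes an upload user whose incoming directory is /home/upload/incoming and scp at /usr/bin/scp (both placeholders); the sample requests in the comments are constructed.

```shell
#!/bin/sh
# upload-only.sh: forced command for an upload-only SSH key (constructed example).
# Put it in the upload user's ~/.ssh/authorized_keys in front of the laptop's key:
#   command="/usr/local/bin/upload-only.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA...
# sshd then runs this script instead of whatever the client asked for and hands the
# client's request over in SSH_ORIGINAL_COMMAND; scp uploads arrive as "scp -t <path>".
set -f                                 # never glob-expand the client's words

UPLOAD_DIR="/home/upload/incoming"     # assumed layout (placeholder)
SCP_BIN="/usr/bin/scp"                 # assumed path (placeholder)

# check_original_command CMD
# Returns 0 only for an scp *upload* (-t) whose target lies inside UPLOAD_DIR.
# Downloads (-f), other programs, extra words and any path climbing out are refused.
check_original_command() {
    # Belt and braces: refuse shell metacharacters and quotes outright, even though
    # the validated words are later exec'd directly and never pass through a shell.
    # (Consequence: file names containing spaces or quotes are not accepted.)
    case "$1" in *[';&|`$<>()"'"'"]*) return 1 ;; esac
    set -- $1                          # split the request into words on whitespace
    [ "${1:-}" = scp ] || return 1
    shift
    upload=0
    while [ $# -gt 1 ]; do             # every word but the last must be an option
        case "$1" in
            -t) upload=1 ;;            # "to" mode: the server side of an upload
            -p|-r|-d|-v|--) ;;         # harmless options scp sends alongside -t
            *) return 1 ;;             # -f (download) or anything unexpected
        esac
        shift
    done
    [ "$upload" -eq 1 ] || return 1
    target="${1:-}"
    case "$target" in
        "$UPLOAD_DIR"|"$UPLOAD_DIR"/*) ;;
        *) return 1 ;;
    esac
    case "/$target/" in */../*) return 1 ;; esac   # no ".." segments
    return 0
}

main() {
    if check_original_command "${SSH_ORIGINAL_COMMAND:-}"; then
        set -- $SSH_ORIGINAL_COMMAND
        shift                          # drop the word "scp"; run the real scp ourselves
        exec "$SCP_BIN" "$@"
    fi
    echo "upload-only key: only 'scp -t $UPLOAD_DIR/...' is permitted" >&2
    logger -t upload-only "refused request: ${SSH_ORIGINAL_COMMAND:-<none>}" 2>/dev/null
    exit 1
}

# Only act when invoked by sshd as a forced command; sourcing it elsewhere is harmless.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then main; fi
```

Command-line scp and PuTTY's pscp send exactly this "scp -t" request; WinSCP's own SCP mode expects a full shell and its SFTP mode requests the sftp subsystem, both of which this wrapper refuses.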
Hi,
I want to access my server (home-based SuSE box) through the Internet so I can upload images with WinSCP from my XP laptop. Is it safe to just open port 22 to the external world, or do I need extra safety measures? regards, piet
I also like to use key exchange between both machines, allowing only certain ones to log in. For this, I use cygwin. Surely the security gurus on the list will provide more ideas!
-- Regards, miguel
Hi Miguel, Piet, miguel gmail wrote:
Hi,
I want to access my server (home-based SuSE box) through the Internet so I can upload images with WinSCP from my XP laptop. Is it safe to just open port 22 to the external world, or do I need extra safety measures? regards, piet
I also like to use key exchange between both machines, allowing only certain ones to log in. For this, I use cygwin.
Can be done with WinSCP too. ;-)) You need puttygen. And read http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter9.html#pageant chapter 9.5 before using Pageant ;-)
Dirk
Hi, Dirk
You need puttygen. And read http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter9.html#pageant chapter 9.5 before using Pageant ;-)
I actually moved from putty to cygwin because I couldn't find this! I wanted to use key exchange rather than user/pwd to log in, but didn't know how to do it with putty. So I began using cygwin. What you sent me is great for me. I will give it a try this weekend. Thanks!
-- Regards, miguel
Hi miguel, miguel gmail wrote:
Hi, Dirk
You need puttygen. And read http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter9.html#pageant chapter 9.5 before using Pageant ;-)
I actually moved from putty to cygwin because I couldn't find this! I wanted to use key exchange rather than user/pwd to log in, but didn't know how to do it with putty. So I began using cygwin.
Nevertheless, it gives a nice X server. ;-)
What you sent me is great for me. I will give it a try this weekend.
So another hint: as puttygen has trouble generating larger keys (4096...), I recommend generating the key on a Linux box and importing the key into PuTTY with puttygen. After saving the key in PuTTY format, you can refer to the key in Connection > SSH > Auth. When PuTTY works, simply import the session in WinSCP.
Dirk
If you are running a web server on this box and feel that it is secure enough, I've had success using a script (with a very obscure name and some form of authentication) that will enable or disable ssh/scp/sftp. That way you can connect to the web server and enable/disable the ssh functionality at your discretion. Not perfect, but it works.
Daryl
On Thu, 2005-11-10 at 04:09, miguel gmail wrote:
Hi, Dirk
You need puttygen. And read http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter9.html#pageant chapter 9.5 before using Pageant ;-)
I actually moved from putty to cygwin because I couldn't find this! I wanted to use key exchange rather than user/pwd to log in, but didn't know how to do it with putty. So I began using cygwin.
What you sent me is great for me. I will give it a try this weekend.
Thanks!
-- Regards, miguel
Hi *,
if the system is the firewall, then you could think about:
http://www.portknocking.org/
http://www.linuxjournal.com/article/6811
Dirk
Daryl W Smith - TestEng wrote:
If you are running a web server on this box and feel that it is secure enough, I've had success using a script (with a very obscure name and some form of authentication) that will enable or disable ssh/scp/sftp. That way you can connect to the web server and enable/disable the ssh functionality at your discretion. Not perfect, but it works.
Daryl
On Thu, 2005-11-10 at 04:09, miguel gmail wrote:
Hi, Dirk
You need puttygen. And read http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter9.html#pageant chapter 9.5 before using Pageant ;-)
I actually moved from putty to cygwin because I couldn't find this! I wanted to use key exchange rather than user/pwd to log in, but didn't know how to do it with putty. So I began using cygwin.
What you sent me is great for me. I will give it a try this weekend.
Thanks!
-- Regards, miguel
There are thousands of scan attempts being run against all ssh servers out there.
I would do two main things.
1. Disable password authentication and enable RSA key authentication. This way you can manage your keys, change the key regularly and set a high bit value (2048 or higher) to get max key strength. This also ensures that no script kiddies get onto your box with dictionary-based ssh attacks.
2. Choose an obfuscated port, don't use 22, use something at the wrong end of the scanning spectrum, say *sucks thumb* port 53245 (check that this is not). Many scanners will only scan authorised ports as the high ports are a waste of time; if it is only you using it, then you don't have to worry about notifying people of your obscure port number...
Some others.
MAKE SURE you are only allowing protocol 2. Disable agent forwarding. Set your server host key to a stronger key strength.
Anyway, that should all help...
_____
From: piet [mailto:prooroa@wanadoo.nl]
Sent: 10 November 2005 11:59 AM
To: SuSE-Security
Subject: [suse-security] safety with scp
Good morning group,
I want to access my server (home-based SuSE box) through the Internet so I can upload images with WinSCP from my XP laptop. Is it safe to just open port 22 to the external world, or do I need extra safety measures? regards, piet
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
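Dirk's first reply (SSH v1 off, keys only, no password login) and b@rry's list (protocol 2 only, agent forwarding off, a non-default port) amount to a handful of sshd_config settings. The audit below is an added example, not code from the thread; it checks those settings the way sshd reads them (first uncommented occurrence wins) and assumes a modern OpenSSH that knows AllowAgentForwarding. Both sample configs are constructed.

```shell
#!/bin/sh
# Audit an sshd_config against the thread's advice. Constructed example.

# Two constructed sample configs: a permissive default-style one and a hardened one.
PERMISSIVE_CFG="$(mktemp)"
cat > "$PERMISSIVE_CFG" <<'EOF'
Port 22
Protocol 2,1
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
AllowAgentForwarding yes
EOF
HARDENED_CFG="$(mktemp)"
cat > "$HARDENED_CFG" <<'EOF'
Port 53245
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowAgentForwarding no
EOF

# effective_value FILE KEYWORD DEFAULT
# sshd honours the FIRST uncommented occurrence of a keyword (case-insensitive)
# and ignores later ones, so the audit mirrors that. It stops at a "Match" block,
# whose settings are conditional and would need a per-client evaluation.
effective_value() {
    v=$(awk -v key="$2" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE
# Prints one line per weakness; the return value is the number of weaknesses (0 = clean).
# The defaults passed below are those of OpenSSH releases of that era, which still
# enabled protocol 1 and password logins unless told otherwise.
audit_sshd_config() {
    cfg="$1"; n=0
    case "$(effective_value "$cfg" Protocol "2,1")" in
        *1*) echo "FAIL: Protocol permits SSH-1; set 'Protocol 2'"; n=$((n + 1)) ;;
    esac
    [ "$(effective_value "$cfg" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is off; keys cannot be used"; n=$((n + 1)); }
    [ "$(effective_value "$cfg" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication still allowed (dictionary attacks)"; n=$((n + 1)); }
    # With PAM, a keyboard-interactive prompt is still a password prompt.
    [ "$(effective_value "$cfg" ChallengeResponseAuthentication yes)" = no ] ||
        { echo "FAIL: ChallengeResponseAuthentication still allowed"; n=$((n + 1)); }
    [ "$(effective_value "$cfg" AllowAgentForwarding yes)" = no ] ||
        { echo "FAIL: AllowAgentForwarding on; a compromised server could use your agent"; n=$((n + 1)); }
    # Moving off 22 only trims scanner noise, so it is reported but not counted.
    [ "$(effective_value "$cfg" Port 22)" != 22 ] ||
        echo "NOTE: sshd listens on 22; a high port reduces automated scan noise"
    return "$n"
}

echo "== permissive =="; audit_sshd_config "$PERMISSIVE_CFG" || echo "-> $? weakness(es)"
echo "== hardened ==";   audit_sshd_config "$HARDENED_CFG"   && echo "-> clean"
```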
b@rry wrote:
There are thousands of scan attempts being run against all ssh servers out there.
I would do two main things.
1. Disable password authentication and enable RSA key authentication. This way you can manage your keys, change the key regularly and set a high bit value (2048 or higher) to get max key strength. This also ensures that no script kiddies get onto your box with dictionary-based ssh attacks.
2. Choose an obfuscated port, don't use 22, use something at the wrong end of the scanning spectrum, say *sucks thumb* port 53245 (check that this is not). Many scanners will only scan authorised ports as the high ports are a waste of time; if it is only you using it, then you don't have to worry about notifying people of your obscure port number...
Some others.
MAKE SURE you are only allowing protocol 2. Disable agent forwarding. Set your server host key to a stronger key strength.
Anyway, that should all help...
_____
From: piet [mailto:prooroa@wanadoo.nl]
Sent: 10 November 2005 11:59 AM
To: SuSE-Security
Subject: [suse-security] safety with scp
Good morning group,
I want to access my server (home-based SuSE box) through the Internet so I can upload images with WinSCP from my XP laptop. Is it safe to just open port 22 to the external world, or do I need extra safety measures? regards, piet
Using another port I get, but my server (only 80 is open) has for some time now been scanned on high ports night and day; at the moment 6630 happens to be popular. In other words, is it safe enough? What I want to do isn't top secret; I just want a safe way to get rid of my images when on the road. So: no password login (which I do use now), use keys and do port forwarding, am I right? Can I also use the MAC address of my laptop, or is that not safe enough?? piet
Hi folks! On 10 Nov 2005, at 11:19, piet wrote:
b@rry wrote:
There are thousands of scan attempts being run against all ssh servers out there.
I would do two main things.
1. Disable password authentication and enable RSA key authentication. This way you can manage your keys, change the key regularly and set a high bit value (2048 or higher) to get max key strength. This also ensures that no script kiddies get onto your box with dictionary-based ssh attacks.
2. Choose an obfuscated port, don't use 22, use something at the wrong end of the scanning spectrum, say *sucks thumb* port 53245 (check that this is not). Many scanners will only scan authorised ports as the high ports are a waste of time; if it is only you using it, then you don't have to worry about notifying people of your obscure port number...
Some others.
MAKE SURE you are only allowing protocol 2. Disable agent forwarding. Set your server host key to a stronger key strength.
Anyway, that should all help...
_____
From: piet [mailto:prooroa@wanadoo.nl]
Sent: 10 November 2005 11:59 AM
To: SuSE-Security
Subject: [suse-security] safety with scp
Good morning group,
I want to access my server (home-based SuSE box) through the Internet so I can upload images with WinSCP from my XP laptop. Is it safe to just open port 22 to the external world, or do I need extra safety measures? regards, piet
Using another port I get, but my server (only 80 is open) has for some time now been scanned on high ports night and day; at the moment 6630 happens to be popular. In other words, is it safe enough? What I want to do isn't top secret; I just want a safe way to get rid of my images when on the road. So: no password login (which I do use now), use keys and do port forwarding, am I right?
Just keep in mind the two things: dictionary based attacks (dealt with by using only public key auth) and bugs in sshd. You should definitely keep the security updates up-to-date.
Can I also use the MAC address of my laptop, or is that not safe enough??
The MAC address is lost at the first router, as it is not part of the IP protocol (not IPv4, more specifically), so the only MAC address you'll see at home is the one from your ISP's hardware. Once the notebook is out of your house there's nothing in the protocols that you can use; the only possibility lies in ssh host authentication.
Ciao, Roland
--
TU Muenchen, Physik-Department E18, James-Franck-Str. 85747 Garching
Phone 089/289-12592; Fax 089/289-12570
--
A mouse is a device used to point at the xterm you want to type in. Kim Alm on a.s.r.
piet wrote:
Good morning group,
I want to access my server (home-based SuSE box) through the Internet so I can upload images with WinSCP from my XP laptop. Is it safe to just open port 22 to the external world, or do I need extra safety measures? regards, piet
Hi Piet,
also take a look at scponly and use this as a shell for your upload user. It locks the remote user into a chroot environment, so the damage that the remote user can do is limited.
Greetings, Ralf
Ralf Ronneburger wrote:
piet wrote:
Good morning group,
I want to access my server (home-based SuSE box) through the Internet so I can upload images with WinSCP from my XP laptop. Is it safe to just open port 22 to the external world, or do I need extra safety measures? regards, piet
Hi Piet,
also take a look at scponly and use this as a shell for your upload user. It locks the remote user into a chroot environment, so the damage that the remote user can do is limited.
Greetings,
Ralf
Also do this:
1: Configure tcp wrappers to limit access to only necessary networks/IPs.
2: Use iptables (the yast2 firewall configurator works fine) to limit access to only necessary networks/IPs.
participants (10)
- b@rry
- Daryl W Smith - TestEng
- Dirk Schreiner
- Michel Messerschmidt
- miguel gmail
- piet
- Ralf Ronneburger
- Roland Kuhn
- Ron Joffe
- Will Schroeder