Jump to content

Question related to SSH


joey-world
 Share

Recommended Posts

Ok let's begin.

So I want to setup an SSH server at home. I know how to do that, simple in almost all steps, and whatever question can be found on the internet.

While the setup is easy for me, what I can't completely understand is how the hell I will connect to it from afar?

I will try to give the best explanation in regards to my issue in the following list:

-SSH server setup: done

-NAT firewall setup: done

-Client server setup: done!!

-How the hell I will connect from another network with my laptop: not so good.

I know I need the Public IP address, I know my router is configured to route the incoming connection to the server. My point is, every time my Public IP address changes I'm done, there's no way I can figure out my Public IP address.

What is the solution to this problem? How can I get some kind of (secure) update about my current Public IP?

I already try to look everywhere. I found solutions like Dyndns, etc, But that's just too much trouble because I don't want to have a DNS since it can be easier to find for potential hackers than my IP (I think)

Second of all. How can I ensure that my server is protected? I had to open a port on my NAT firewall, which is like opening an invitation for someone skilled to hack into my network.

Even though my Internet is not broadcasting, I have WPA2 AES encryption (the best it can get on my router) I still feel a little unsure about the security of the open port.

What are your thoughts guys?

Thank you so much for your help.

Link to comment
Share on other sites

Dynamic DNS. Check your router settings. You can sign up with a number of services that are free, and enter the info in the router, that gives you a domain name to always log into vs the IP which your router will notify the DDns service when it changes. Most routers have a link to services for them, but you can use pretty much any Dynamic DNS site to set this up so long as the router supports the options.

DynDNS is one of the most well known.

http://dnslookup.me/dynamic-dns/

Edited by digip
Link to comment
Share on other sites

As always, Digip all over the posts n.n and again Thank you my friend. Now I have just the question in regards to the security of the open port in the NAT

Link to comment
Share on other sites

An open port isn't necessarily a problem. Let me explain. People tend to think that some ports are "secure" and some are not such as port 22 vs. 23. There is no difference in security between port 22 and 23 the difference is the service that runs (by default) on those ports 22 being ssh and 23 being telnet. The security issue comes into the picture when you look at the service that is using that port. If you are running some insecure service that is vulnerable to a buffer overflow or anything like that I would NEVER port forward that service to the world. In your case you are running an SSH server which, I am assuming, is a fully patched openssh server running on a linux machine. I would feel fine with this however a few things you can do to make your self even more secure is:

Disable password logins

Disable root login

Change login timeout

Stop the ssh daemon when it is not needed (when you are sleeping)

Hope this helps!

Link to comment
Share on other sites

You answered half of my question. Yet you are entirely correct. I did take those kinds of countermeassures the problems comes that I'm not sure wheather they can scan the rest of the computers in the network through that port? Let's give you an example:

I have opened 4444 port on the NAT, to route my traffic to the computer 192.168.1.10:22 (SSH server)

I'm wondering if I need to be concern with the server or I have to be concern in regards to the other computers in the network being compromised.

This case...

192.168.1.2 - Laptop

192.168.1.3 - Cellphone

Or is it impossible to reach those internal locations since the routing was previously defined on the router?

Link to comment
Share on other sites

If you are pointing port 4444 to 192.168.1.10 then the only machine that can be seen in .10. With that said if someone where to break into your ssh server they could then see everything else on your network or if your servers IP address changes and then your laptop obtained the ip address 192.168.1.10 and there was a service running on that port it could then be seen. Make sure you configure your server statically and put a reservation in your DHCP server if you can.

Edited by newbi3
Link to comment
Share on other sites

Yes I got all that. I just was concerned on the security part of it. You have succesfully answered all my questions thank you so much!!

Link to comment
Share on other sites

By the way, DynDNS works to keep access to your home IP of the routers outside facing network IP. If the home machine using SSH is on DHCP, go into the nic and manually set the IP and a DHCP reservation on the router, so no other device on the home network, can use the port forwarded port to the machine you want to target. Otherwise, if another machine got leased 192.168.1.10 and wasn't the one running SSH, you'd be shit out of luck getting into the home network. ;)

So static IP set on the box running SSH, if router has DHCP reservations, put one in for the mac address of the 192.168.1.10 machine, and use DynDNS of some sort, and you should be all set to go.

Link to comment
Share on other sites

A poor man's version of what dipip suggested would be to DMZ the PC hosting SSH, obscure the port # to avoid bot scanning and use IP chicken to get the public address. You can probably write a small script that e-mails/msges you the public IP when it changes. The OS firewall can admin the other ports and the SSH server would not have access to your internal network. DynDNS is great for those who can afford like 20$ a month on top of personal expenses and utilities.

Edited by logicalconfusion
Link to comment
Share on other sites

A poor man's version of what dipip suggested would be to DMZ the PC hosting SSH, obscure the port # to avoid bot scanning and use IP chicken to get the public address. You can probably write a small script that e-mails/msges you the public IP when it changes. The OS firewall can admin the other ports and the SSH server would not have access to your internal network. DynDNS is great for those who can afford like 20$ a month on top of personal expenses and utilities.

Unless you like having the whole box scanned and attacked, while sitting DIRECTLY on the internet, never go full DMZ unless running a honeypot. No protection from NAT and once they get into that box, they'll pivot through the rest of your network. DMZ != Security. There are many free DynDNS type services out there by the way. Edited by digip
Link to comment
Share on other sites

@digip how exactly do you expect attackers to pivot the entire network on a secure system, even it happens to be in the DMZ? Services like the Vonage-VoIP regularly instruct their customers to DMZ adapters that function like miniature routers (vdv22). I suggested closing all the other ports, except for the ones needed for the service on top of a secure software based firewall system. Please reply with real examples.

Link to comment
Share on other sites

how exactly do you expect attackers to pivot the entire network on a secure system

That in itself is sort of a catch 22, as I don't believe everything is impossible to get into. Secure and computer security are two different things. The most you can hope to do with respect to computer security, is make it as hard as you can, for an attacker to get in. That said, DMZ, is not secure. It exposes that one box, directly to the internet. If it has any connections to other devices, file shares, etc, they can be found, scanned and seen from the DMZ unless you have another firewall or router/switch/vlan in between. Not to mention, you're forgetting that all these devices, if they use the same router to put the one device in a DMZ, share the same gateway, even if the DMZ acts as a passthrough directly to the modem and then the external IP from the ISP, they are all still connected via layer 2. An nmap scan, or arp ping, sweep, will turn up other devices, which you can then add static routes in your routing table and tell it that the DNS and Gateway, ie: routers main IP, is the path to the internal lan. If these are windows machines on the lan as well, most likely, they will also be broadcasting their netbios names on the network, which can be picked up and seen in wireshark, which will also show the router a lot of the times, replying and having its own netbios name, depending on the consumer model.

Watch this video for just one example of how it can be done, depending on how the front end setup is laid out.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...