Difference between revisions of "Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up SSH password-less login and Port Knocking"

Revision as of 17:22, 12 July 2018

SSH (dropbear) allows password-less login by using RSA key pairs. To set it up, generate the RSA key pair on your client machine and copy the public key into the file /root/.ssh/authorized_keys on your router. If you have more than one client machine, repeat the same process on each of them and append their respective public keys to /root/.ssh/authorized_keys on your router.
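The following helper is an added example (not part of the Bering-uClibc pages or of dropbear) that does the "append the public key" step for one or more client keys. It appends each key only once, comparing the key type and base64 blob rather than the whole line so a differing comment does not create a duplicate, and it sets the permissions dropbear requires: the .ssh directory and authorized_keys must not be writable by group or others, otherwise dropbear ignores the file and you fall back to password login. The home directory, the `demo()` function and the key strings are constructed for the example; the keys are not real keys.

```python
"""Install client public keys into a dropbear-compatible authorized_keys file.

Added example: appends keys idempotently and enforces the 0700/.ssh and
0600/authorized_keys permissions that dropbear's public-key check expects.
"""

import os
import stat
import tempfile
from pathlib import Path
from typing import Iterable, List

# Constructed sample keys (not real keys): "type base64-blob comment".
SAMPLE_KEYS = [
    "ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYONE= alice@laptop",
    "ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYTWO= bob@desktop",
]


def _key_identity(line: str) -> str:
    """Return 'type blob' for an authorized_keys line, dropping the trailing comment."""
    parts = line.split()
    return " ".join(parts[:2]) if len(parts) >= 2 else ""


def install_authorized_keys(home: str, pubkeys: Iterable[str]) -> List[str]:
    """Append the given public keys to <home>/.ssh/authorized_keys.

    Returns the identities ('type blob') that were actually added; keys that
    are already present, or lines that do not look like a key, are skipped.
    """
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir honours the umask, so set the mode explicitly
    auth_file = ssh_dir / "authorized_keys"

    existing = set()
    if auth_file.exists():
        existing = {_key_identity(l) for l in auth_file.read_text().splitlines()}
        existing.discard("")

    added: List[str] = []
    with auth_file.open("a") as fh:
        for key in pubkeys:
            ident = _key_identity(key.strip())
            if not ident or ident in existing:
                continue  # malformed line or duplicate key: leave the file as it is
            fh.write(key.strip() + "\n")
            existing.add(ident)
            added.append(ident)
    os.chmod(auth_file, 0o600)
    return added


def permissions_ok(home: str) -> bool:
    """True if neither .ssh nor authorized_keys is group- or world-writable."""
    ssh_dir = Path(home) / ".ssh"
    auth_file = ssh_dir / "authorized_keys"
    bad_bits = stat.S_IWGRP | stat.S_IWOTH
    return all(not (p.stat().st_mode & bad_bits) for p in (ssh_dir, auth_file))


def demo() -> dict:
    """Run the helper twice against a throwaway home directory and report the outcome."""
    home = tempfile.mkdtemp()  # stands in for the router's /root
    first = install_authorized_keys(home, SAMPLE_KEYS)
    # Same key as before, different comment: must not be appended a second time.
    second = install_authorized_keys(home, [SAMPLE_KEYS[0].replace("alice@laptop", "alice@other")])
    lines = (Path(home) / ".ssh" / "authorized_keys").read_text().splitlines()
    return {"first": len(first), "second": len(second), "lines": len(lines), "perms_ok": permissions_ok(home)}


if __name__ == "__main__":
    print(demo())
```

Run it against the real home directory of the login user on the router (here /root) instead of the temporary one; after that, test the key login from the client before you consider disabling password authentication.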

You can now log in to your firewall without a password. You could disable password login, but be careful not to lock yourself out...

If you intend to log in from the Internet, you have to add the following rule to /etc/shorewall/rules:

SSH(ACCEPT) net fw

You can always choose another port, like 65022, for SSH to listen on. Port scanners won't usually reach it. There are ongoing debates about the questionable security of this obfuscation... Anyway, if you do, add this rule in that case:

ACCEPT  net fw tcp 65022

If you don't like to type ssh -p 65022 root@your.ipaddrs.router when you log in, you could also hide the default SSH port 22 with a technique called "port knocking". Port 22 is then normally closed until you send a proper sequence of connection attempts to other ports, using TCP or UDP. The port knocking software detects this sequence and opens port 22 for, say, 60 seconds, giving you enough time to make your SSH login connection attempt.
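To make the mechanism concrete, here is an added example (not the Shorewall configuration the page links to, and not code from the Bering-uClibc project) that models the decision logic of a port-knock daemon: per-source progress through a secret port sequence, a reset on any wrong knock or on a stale partial sequence, and a 60-second window during which port 22 is open for that source only. The knock ports 7000/8000/9000, the 10-second step timeout, the IP addresses and the `t=... src=... dpt=...` log line format are all constructed for the example and are not a real iptables or Shorewall format.

```python
"""Port-knock state machine: decide when port 22 opens, and for whom.

Added example modelling the behaviour the text describes. A real knock daemon
would turn the True result of knock() into a firewall rule; here the decision
is just returned so the logic can be inspected and tested.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class KnockDetector:
    sequence: Tuple[int, ...] = (7000, 8000, 9000)  # constructed secret knock sequence
    open_seconds: int = 60                          # how long port 22 stays open after a full knock
    step_timeout: int = 10                          # max seconds between two knocks (assumption)
    # src -> (knocks matched so far, time of the last matching knock)
    _progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    # src -> time until which port 22 is open for that source
    _open_until: Dict[str, float] = field(default_factory=dict)

    def knock(self, src: str, port: int, now: float) -> bool:
        """Register a connection attempt from src to port at time now.

        Returns True exactly when this attempt completes the sequence. Any
        port other than the expected next knock resets the partial sequence,
        so an in-order port sweep does not complete it by accident.
        """
        seen, last = self._progress.get(src, (0, now))
        if seen and now - last > self.step_timeout:
            seen = 0  # partial sequence went stale; start over
        if port == self.sequence[seen]:
            seen += 1
        elif port == self.sequence[0]:
            seen = 1  # wrong knock, but it may be the start of a fresh attempt
        else:
            seen = 0
        if seen == len(self.sequence):
            self._open_until[src] = now + self.open_seconds
            self._progress.pop(src, None)
            return True
        if seen:
            self._progress[src] = (seen, now)
        else:
            self._progress.pop(src, None)
        return False

    def ssh_allowed(self, src: str, now: float) -> bool:
        """Would a connection to port 22 from src be accepted at time now?"""
        return now < self._open_until.get(src, 0.0)


def parse_line(line: str) -> Tuple[float, str, int]:
    """Parse one constructed log line 't=<seconds> src=<ip> dpt=<port>'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return float(fields["t"]), fields["src"], int(fields["dpt"])


def replay(lines: List[str], detector: KnockDetector) -> List[Tuple[str, float]]:
    """Feed log lines to the detector; return (src, time) for every completed knock."""
    opened = []
    for line in lines:
        now, src, port = parse_line(line)
        if detector.knock(src, port, now):
            opened.append((src, now))
    return opened


# Constructed sample log: one correct knock, one out-of-order attempt, one stale attempt.
SAMPLE_LOG = [
    "t=0 src=198.51.100.7 dpt=7000",
    "t=1 src=198.51.100.7 dpt=8000",
    "t=2 src=198.51.100.7 dpt=9000",    # sequence complete: open for 198.51.100.7 until t=62
    "t=3 src=203.0.113.9 dpt=7000",
    "t=4 src=203.0.113.9 dpt=9000",     # skipped 8000: reset, nothing opens
    "t=100 src=203.0.113.9 dpt=7000",
    "t=120 src=203.0.113.9 dpt=8000",   # 20 s after the first knock: stale, reset
    "t=121 src=203.0.113.9 dpt=9000",   # not a valid start either
]


if __name__ == "__main__":
    det = KnockDetector()
    print(replay(SAMPLE_LOG, det))
    print("ssh from 198.51.100.7 at t=30:", det.ssh_allowed("198.51.100.7", 30))
    print("ssh from 198.51.100.7 at t=62:", det.ssh_allowed("198.51.100.7", 62))
```

The two design points worth keeping in mind when you configure the real thing are visible here: the window is opened only for the source that knocked, and the sequence itself is a shared secret that anyone observing your traffic can see, which is why the text treats knocking as a way to hide the port, not as a replacement for key-based authentication.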

Near the end of the Shorewall article http://shorewall.org/Events.html you will find, in the Examples section, a simple port knocking setup that works quite well.