Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up SSH password-less login and Port Knocking

From bering-uClibc
Revision as of 04:59, 17 July 2018

Setting Up SSH password-less login and Port Knocking

SSH (dropbear) allows password-less login using RSA key pairs. To set it up, generate a key pair on your client machine (PuTTYgen on Windows, ssh-keygen on OS X and Linux) and copy the public key into the router file /root/.ssh/authorized_keys; the private key stays on the client and should be protected with a passphrase. If you have more than one client machine, repeat the process on each of them and append their respective public keys to /root/.ssh/authorized_keys, one key per line. On Linux or OS X the ssh-copy-id utility script can do the copying for you. Note that dropbear refuses public-key authentication if /root, /root/.ssh or authorized_keys itself is group- or world-writable, so keep the directory at mode 700 and the file at mode 600.

Make sure you have this format:

firewall# pwd
/root/.ssh
firewall# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtKYa9MqShtRkJDa....
...
...
ICxqcbjMXktnN3cygsf3cIU+f/SJ9r7 mywife@macbookpro.private.network
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrpgezG0X9RhuDBBQ...
...
... 
l7bUlGYoouP3tpqfXxIBbQEeMr/2X99 me@ProBook-6560b
firewall#
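Before relying on the file for key-only login it is worth checking it mechanically, because the two classic mistakes (a key wrapped onto two lines by the paste, and a file or directory that dropbear ignores because it is group- or world-writable) both produce a silent "key refused" rather than a clear error. The following POSIX shell script is an added example, not part of this page or of dropbear: it checks each "type blob comment" line for a known key type, a base64-only blob of realistic length and a blob prefix that matches the declared type (that prefix is just the base64 encoding of the length-prefixed type string which opens every OpenSSH-format public key), then checks the write bits on the file and its directory. Plain entries only; option prefixes such as command="..." are not parsed, and the placeholder blobs used in the comments and tests are constructed strings, not real keys.

```sh
#!/bin/sh
# check_authorized_keys.sh - added example, not part of the Bering-uClibc page or of dropbear.
# Validates the plain "type blob comment" lines expected in /root/.ssh/authorized_keys
# and the permissions dropbear insists on. Option prefixes such as command="..." are not parsed.

# Every OpenSSH-format public key blob starts with a 4-byte length followed by the
# key type string, so its base64 form always opens with a fixed prefix:
#   base64("\0\0\0\x07ssh-rsa")     = "AAAAB3NzaC1yc2E"
#   base64("\0\0\0\x0bssh-ed25519") = "AAAAC3NzaC1lZDI1NTE5"
blob_prefix_for() {
    case "$1" in
        ssh-rsa)     echo AAAAB3NzaC1yc2E ;;
        ssh-ed25519) echo AAAAC3NzaC1lZDI1NTE5 ;;
        *)           return 1 ;;
    esac
}

# check_key_line "ssh-rsa AAAA... comment" -> 0 if well formed, 1 with a reason on stderr otherwise
check_key_line() {
    entry=$1
    set -- $entry                      # word-split into type, blob, comment
    ktype=$1; blob=$2
    if [ -z "$blob" ]; then
        echo "missing key blob" >&2; return 1
    fi
    prefix=$(blob_prefix_for "$ktype") || {
        echo "unknown key type '$ktype' (the second half of a key wrapped onto two lines looks like this)" >&2
        return 1
    }
    case "$blob" in
        *[!A-Za-z0-9+/=]*) echo "blob contains non-base64 characters" >&2; return 1 ;;
    esac
    # The smallest real key blob is ed25519: 4+11+4+32 bytes = 68 base64 characters.
    if [ "${#blob}" -lt 68 ]; then
        echo "blob too short to be a real key (truncated paste?)" >&2; return 1
    fi
    case "$blob" in
        "$prefix"*) return 0 ;;
        *) echo "blob does not decode to a $ktype key: wrong type or damaged paste" >&2; return 1 ;;
    esac
}

# check_perms PATH -> 0 unless PATH is group- or world-writable. dropbear refuses
# public-key auth when /root, /root/.ssh or authorized_keys itself fails this test.
check_perms() {
    wbits=$(ls -ld "$1" | cut -c6,9)   # group-write and other-write columns of ls -l
    case "$wbits" in
        --) return 0 ;;
        *)  echo "$1 is group/world writable; dropbear will ignore it" >&2; return 1 ;;
    esac
}

# check_authorized_keys FILE -> 0 only if every key line is valid and permissions are sane.
# Blank lines and lines starting with '#' are skipped by this checker.
check_authorized_keys() {
    file=$1; n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        check_key_line "$line" || { echo "$file:$n: rejected" >&2; bad=$((bad + 1)); }
    done < "$file"
    check_perms "$file" || bad=$((bad + 1))
    check_perms "$(dirname "$file")" || bad=$((bad + 1))
    [ "$bad" -eq 0 ]
}

# Usage on the router: sh check_authorized_keys.sh /root/.ssh/authorized_keys
if [ $# -gt 0 ]; then
    check_authorized_keys "$1" && echo "$1: OK"
fi
```

Run it on the router as sh check_authorized_keys.sh /root/.ssh/authorized_keys after every paste; the line number it prints points at the offending entry. It only knows ssh-rsa and ssh-ed25519 prefixes, so add a case for any other key type your dropbear build accepts.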

You can now log in to your firewall from those client machines without a password. You could disable password login altogether (dropbear's -s option does that), but be careful not to lock yourself out... I prefer to keep a very, very strong password anyway; you never know when you might have to log in from none of your prepared client machines. You can also keep, at your own risk, a copy of one of the private keys on a portable secure medium (phone, earrings...); a key that travels like that must at least be protected by a passphrase.

If you intend to log in from the internet, you have to add the following rule to /etc/shorewall/rules:

SSH(ACCEPT) net fw

You can always choose another port, such as 65022, for SSH to listen on. Mass port scanners usually don't reach it, so your logs stay quieter, but there are ongoing debates about the security value of this obfuscation: it hides the service from casual scans, it does not protect it from anyone who finds it, so it is no substitute for key-based login. Anyway, if you do, add this rule instead:

ACCEPT  net fw tcp 65022

and tell dropbear to listen on port 65022...

lrcfg -> 3) -> 13) -> 1)
#DB_PORT=22
DB_PORT=65022


If you don't like or trust typing a simple ssh -p 65022 root@your.ipaddrs.router every time you log in, you could always use the default SSH port 22 but keep it hidden with a technique called "port knocking". Port 22 is kept closed until you send a predefined sequence of connection attempts, TCP or UDP, to ports that are themselves normally closed, hence the name. When the port knocking software detects the right sequence, it opens port 22 (typically only to the address that knocked) for a short time, 60 seconds for instance, which gives you enough time to make your SSH connection.

Near the end of the Shorewall Events documentation ( http://shorewall.org/Events.html ) you will find, under Examples, a simple port knocking setup that works quite well.

Using this last example you will have to type:

ssh -p 1600 root@your.ipaddrs.router   # knock on port 1600
ssh root@your.ipaddrs.router           # to connect...

This is definitely more secure than leaving port 22 exposed, and you won't fill your logs with port 22 scanner attempts. Port 22 stays open for 60 seconds only; if you want to open another session and missed the window, you will have to knock on port 1600 again. Keep in mind that the knock is just an ordinary connection attempt: anyone able to watch your traffic can see the sequence and replay it, so knocking hides the SSH service but does not replace key-based authentication. Also, the knock itself never completes a login (port 1600 is closed), and if the firewall drops rather than rejects the packet the ssh -p 1600 command will sit there until its connection timeout, so interrupt it once it has been sent or give ssh a short ConnectTimeout.
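The two commands above are easy to get wrong in practice: the knock hangs if it has no timeout, and the real connection must follow within the window. The wrapper script below is an added example, not part of this page or of Shorewall; it assumes the knock port 1600 and the 60 second window from the example above (constructed defaults, overridable through the KNOCK_PORT and WINDOW environment variables), and uses the host 192.0.2.1 only in its tests.

```sh
#!/bin/sh
# knock_ssh.sh - added example, not part of the Bering-uClibc page or of Shorewall.
# Wraps the page's two-step procedure: knock on a closed port, then connect to port 22
# inside the window the Shorewall event keeps open. Assumed (constructed) values,
# matching the page's example: knock port 1600 and a 60 second window.
KNOCK_PORT=${KNOCK_PORT:-1600}
WINDOW=${WINDOW:-60}

# knock HOST PORT: a single TCP connection attempt is all the firewall needs to see.
# The knock port is closed, and with a DROP policy the SYN is never answered, so a
# bare "ssh -p 1600" would sit there until the TCP connect timeout. ConnectTimeout
# bounds that wait; BatchMode stops ssh from prompting should the port ever answer.
# The attempt failing is expected and its status is deliberately ignored.
# (nc -z -w 3 HOST PORT does the same job where netcat is available.)
knock() {
    ssh -o BatchMode=yes -o ConnectTimeout=3 -p "$2" "root@$1" true 2>/dev/null
    return 0
}

# knock_ssh HOST [command...]: knock, then open the real session while the window is open.
# Returns the exit status of the real ssh; 255 means ssh itself could not connect,
# which right after a knock usually means the knock did not register or the window closed.
knock_ssh() {
    host=$1; shift
    knock "$host" "$KNOCK_PORT"
    ssh -o ConnectTimeout=10 "root@$host" "$@"
    rc=$?
    if [ "$rc" -eq 255 ]; then
        echo "no connection: the ${WINDOW}s window was missed or the knock did not register; knock again" >&2
    fi
    return "$rc"
}

# Usage: sh knock_ssh.sh your.ipaddrs.router [remote command]
if [ $# -gt 0 ]; then
    knock_ssh "$@"
fi
```

Invoke it as sh knock_ssh.sh your.ipaddrs.router; any extra arguments are passed to the real ssh as the remote command, so sh knock_ssh.sh your.ipaddrs.router uptime knocks and runs uptime in one go.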


Herrrr... don't forget to save, Doctor Freeman!!!

lrcfg -> s)
