Submitted by Anonymous on January 15, 2010 - 4:50pm
Here's a pretty simple but reasonably effective way to let remote (Internet) users logon to your computer using SSH. The target audience for this is the slightly more advanced user who knows their way around a bit and is comfortable editing config files.
The first steps are to install openssh-server and fail2ban. You can leave the default settings for fail2ban alone; they should be quite adequate.

Next, create a user id that will be specifically used for anyone wanting to log in remotely. The user id should be a mix of alpha and numeric characters. It also needs a good password, again a mix of characters ideally. Both of these measures should ensure brute force/dictionary attacks won't get lucky.

Next we need to edit /etc/ssh/sshd_config. Amend PermitRootLogin to no. This is probably a bit belt-and-braces, as the next step is to add the user id created earlier to AllowUsers. You can also allow local users to still use ssh by listing their ids but specifying the first three places of your local network's IP addresses. So you'll end up with something like:

AllowUsers sshl0gin User1@10.6.61.*

Once this is all done, restart SSH. Now, only your specified user will be able to log in using SSH, apart from your local users in AllowUsers. In addition, you have fail2ban doing its stuff, 'jailing' failed login attempts. So, once you've configured your router to forward port 22 connections to your computer (or whatever other arrangements you need to make...), the only way anyone is going to get access is if they know your external IP address and your obscure user id/password.
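The post's end state is a sshd_config with PermitRootLogin set to no and an AllowUsers list that names the remote account and pins the local accounts to a network pattern. The script below is an added example, not part of the original post: a small POSIX sh audit that reads a sshd_config file, reports the effective value of those two keywords, and exits non-zero if either check fails. The sample config it writes to a temp file is constructed to match the post; the function names and the file name are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sshd_config file for the
# two settings the post recommends, PermitRootLogin no and an AllowUsers list.
# The sample config written below is constructed for this example.

# Print the effective value of a keyword. sshd honours the first occurrence it
# reads, so we stop at the first non-comment line whose keyword matches
# (keywords are case-insensitive; a leading '#' prevents a match).
sshd_effective() {   # usage: sshd_effective <config-file> <keyword>
    awk -v key="$2" '
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Audit one file. Prints one line per finding; returns 0 only if all checks pass.
audit_sshd_config() {   # usage: audit_sshd_config <config-file>
    cfg=$1; rc=0

    root=$(sshd_effective "$cfg" PermitRootLogin)
    # sshd's compiled-in default is not "no", so an absent keyword is a finding.
    if [ "$(printf '%s' "$root" | tr 'A-Z' 'a-z')" = "no" ]; then
        echo "ok:   PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin is '${root:-unset}' (want no)"; rc=1
    fi

    users=$(sshd_effective "$cfg" AllowUsers)
    if [ -z "$users" ]; then
        echo "FAIL: AllowUsers not set; any account sshd would otherwise accept can log in"; rc=1
    else
        # Entries such as User1@10.6.61.* contain shell glob characters, so turn
        # pathname expansion off while word-splitting the list.
        set -f
        for u in $users; do
            case $u in
                *@*) echo "ok:   ${u%%@*} restricted to hosts matching ${u#*@}" ;;
                *)   echo "ok:   $u allowed from any address (the remote login account)" ;;
            esac
        done
        set +f
    fi
    return $rc
}

# Constructed sample matching the post's end state.
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
cat > "$sample_cfg" <<'EOF'
# constructed sshd_config excerpt
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
AllowUsers sshl0gin User1@10.6.61.*
EOF

audit_sshd_config "$sample_cfg"
echo "audit exit status: $?"
```

Run it as `sh audit.sh`, or point `audit_sshd_config` at /etc/ssh/sshd_config after making the post's edits. The check is deliberately simple: it takes the first occurrence of each keyword and ignores Match blocks, so on a server with conditional sections confirm the effective values with `sshd -T`, which prints the configuration sshd will actually apply.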

Comments
change the external port to gain another level of anonymity
by m_pav - Jun 8 2010 - 8:56pm
You can easily add another level of protection against regular port scanners by choosing to use one of the Dynamic and/or Private Ports from 49152 through 65535, according to the Internet Assigned Numbers Authority, or any of the other unused ports.
Instead of forwarding external incoming port 22 traffic to the server machine, thereby advertising that you have a machine with ssh login capabilities to any drive-by port scanner, you could choose e.g. port 54321 and forward that to your internal port 22 via your router/firewall for all web access. This leaves your external port 22 looking like it is not used, so drive-by port scanners will have nothing to report to base and local machines will not be affected, they will still connect via port 22.
Example: to access the machine from the web where external port 54321 traffic is forwarded to internal port 22, instead of typing ssh User1@ipaddress, you'd type ssh -p 54321 User1@ipaddress, or, to use X-forwarding to open Dolphin on the remote (provided it's available) and forward the application window to your current location, ssh -p 54321 -XC User1@ipaddress dolphin
scp works the same way, except that its port option is a capital -P (lower-case -p means "preserve file times" to scp): scp -P 54321 localfile User1@ipaddress:remotefolder or scp -P 54321 User1@ipaddress:remotefolder/remotefile localfolder
Variations of port 22 such as 222 and 2222 are easily discovered, though less frequently probed.
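Rather than remembering the non-standard port and the differing ssh/scp port flags on every call, the client side can record them once. The entry below is an added example, not from the comment above: a ~/.ssh/config block for a host alias. The alias name, the user and the external address (a documentation-range placeholder) are assumptions.

```ssh_config
# Added example ~/.ssh/config entry (not from the comment): alias "home" for the
# machine whose external port 54321 is forwarded to internal port 22.
# 203.0.113.10 is a placeholder address; replace it with your own external IP.
Host home
    HostName 203.0.113.10
    Port 54321
    User User1
    # Equivalent of -X and -C from the comment's ssh invocation.
    ForwardX11 yes
    Compression yes
```

With that in place, `ssh home`, `ssh home dolphin` and `scp localfile home:remotefolder` all use port 54321 without any -p or -P flag, and local machines that still reach the server on port 22 can keep a separate Host entry with no Port line.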