One of my hobbies is Linux. My home server is a Raspberry Pi running Debian. It currently hosts a local gitlist instance over Nginx and SSH. This past week I decided to secure my SSH connection so I could open a port to the external Internet. In addition to the Raspberry Pi, I have a router that has an open source Linux-based firmware. The router handles a variety of Dynamic DNS services.
As a security habit, I haven't had a public-facing server in my home for quite some time now. SSH servers are a frequent target for people looking to exploit insecure computers. It is advised that you do not allow password logins or the root user to log in over SSH. However, I still desired to have those settings while on my local network. Accordingly, I set up my sshd_config to use a match rule. That rule is as
In plain English, the rule says that if your address lies outside my local subnet (192.168.1.X), then you cannot simply log in with a password. Logging in as root is not allowed, and you only get two shots. With password authentication disabled, a public/private key pair is required to log on. To generate these I
Another hurdle when opening up to the rest of the Internet is that most of our Internet providers do not give us a static public IP address. To deal with this, I've signed up for freedns. The firmware I installed on my router lets it talk directly to this service. When my IP address changes, my router tells the DDNS provider. When everything is ready to go, check your port configuration, create an entry pointing to the static IP address you've given your server, and enable TCP port 22.
Checking the tail log, you can see failed attempts. The behavior below seems to reflect a script trying common user name possibilities (a postgres user, for example, may be a common user name, as many people rely on the postgres database).
Listed above are successful log-ins. The IP addresses that have been crossed out reflect my work addresses. You can see that passwords are still being accepted on my local subnet, and both successful logins from an external IP have a public key. I'll be keeping an eye on these logs for a couple weeks, but my server should be sheltered from the majority of attacks!
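The log review described above can be automated. The following is an added example, not code from the original post: it counts invalid-user probes per source address and flags any accepted login that breaks the policy the match rule is meant to enforce (no password logins and no root logins from outside 192.168.1.0/24). The log lines, the host name and the user name `pi` are constructed sample data in the usual OpenSSH auth log format.

```python
import ipaddress
import re
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # the post's local subnet

# Constructed sample lines (documentation IP ranges, hypothetical user "pi").
SAMPLE_LOG = """\
Mar  3 09:12:01 pi sshd[2101]: Invalid user postgres from 203.0.113.45 port 40112
Mar  3 09:12:04 pi sshd[2103]: Invalid user admin from 203.0.113.45 port 40130
Mar  3 09:12:07 pi sshd[2105]: Invalid user oracle from 203.0.113.45 port 40155
Mar  3 18:40:11 pi sshd[2290]: Accepted password for pi from 192.168.1.20 port 51234 ssh2
Mar  3 21:05:42 pi sshd[2314]: Accepted publickey for pi from 198.51.100.7 port 40022 ssh2
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def audit(log_text):
    """Return (invalid-user probes per source IP, policy violations)."""
    probes, violations = Counter(), []
    for line in log_text.splitlines():
        m = INVALID.search(line)
        if m:
            probes[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if not m:
            continue
        method, user, addr = m.groups()
        try:
            external = ipaddress.ip_address(addr) not in LOCAL_NET
        except ValueError:
            external = True  # unparseable address: treat as external
        # Outside the LAN, only key-based, non-root logins should succeed.
        if external and (method == "password" or user == "root"):
            violations.append((addr, user, method))
    return probes, violations


if __name__ == "__main__":
    probes, violations = audit(SAMPLE_LOG)
    for addr, count in probes.most_common():
        print(f"{count} invalid-user attempts from {addr}")
    print("policy violations:", violations or "none")
```

A non-empty violations list means the match rule is not being applied as intended and sshd_config should be rechecked.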