One of my hobbies is Linux. My home server is a Raspberry Pi running Debian. It currently hosts a local gitlist instance over Nginx and SSH. This past week I decided to secure my SSH connection so I could open a port to the external Internet. In addition to the Raspberry Pi, I have a router that has an open source Linux-based firmware. The router handles a variety of Dynamic DNS services.
As a security habit, I haven't had a public-facing server in my home for quite some time now. SSH servers are a frequent target for people looking to exploit insecure computers. It is advised that you do not allow password logins or the root user to log in over SSH. However, I still wanted to have those settings while on my local network. Accordingly, I set up my sshd_config to use a match rule. That rule is as follows:
In plain English, the rule says that if your address lies outside my local subnet (192.168.1.X), then you cannot simply log in with a password. Logging in as root is not allowed, and you only get two shots. With password authentication disabled, a public/private key pair is required to log on. To generate these I utilized
Another hurdle when opening up to the rest of the Internet is that most of our Internet providers do not give us a static public IP address. To deal with this, I've signed up for freedns. The firmware I installed on my router lets it talk directly to this service. When my IP address changes, my router tells the DDNS provider. When everything is ready to go, check your port configuration, create an entry pointing to the static IP address you've given your server, and enable TCP port 22.
Checking the tail log, you can see failed attempts. The behavior below seems to reflect a script trying common user name possibilities (a postgres user, for example, may be a common user name, as many people rely on the postgres database).
Listed above are successful logins. The IP addresses that have been crossed out reflect my work addresses. You can see that passwords are still being accepted on my local subnet, and both successful logins from an external IP have a public key. I'll be keeping an eye on these logs for a couple of weeks, but my server should be sheltered from the majority of attacks!
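As an added example (not the author's code or logs), this Python script checks sshd log lines against the policy described in this post: password logins only from the local subnet, and key-only, non-root logins from anywhere else. The log lines are constructed, the function names are hypothetical, and treating 192.168.1.X as a /24 is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the post's "192.168.1.X" local subnet is a /24.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample in OpenSSH's syslog format (not the author's logs).
# 203.0.113.x and 198.51.100.x are reserved documentation addresses.
SAMPLE_LOG = """\
Mar  3 09:12:01 pi sshd[2101]: Accepted password for alice from 192.168.1.20 port 50122 ssh2
Mar  3 09:40:17 pi sshd[2140]: Accepted publickey for alice from 203.0.113.7 port 41022 ssh2: RSA SHA256:constructed
Mar  3 10:02:44 pi sshd[2188]: Invalid user postgres from 198.51.100.23 port 39410
Mar  3 10:02:46 pi sshd[2190]: Invalid user oracle from 198.51.100.23 port 39466
Mar  3 10:05:12 pi sshd[2201]: Failed password for alice from 192.168.1.20 port 50130 ssh2
Mar  3 11:15:30 pi sshd[2250]: Accepted password for alice from 203.0.113.9 port 52200 ssh2
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
REJECTED = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed \S+ for(?: invalid user)?) (\S+) from (\S+) port")


def is_external(addr, local_net=LOCAL_NET):
    """True unless addr parses as an IP inside the local subnet."""
    try:
        return ipaddress.ip_address(addr) not in local_net
    except ValueError:  # hostname or garbage: treat as external
        return True


def audit(log_text):
    """Return (violations, probes) for the policy described in the post."""
    violations, probes = [], Counter()
    for line in log_text.splitlines():
        if m := ACCEPTED.search(line):
            method, user, addr = m.groups()
            # Outside the LAN only public keys are allowed, and never root.
            if is_external(addr) and (method != "publickey" or user == "root"):
                violations.append((addr, user, method))
        elif m := REJECTED.search(line):
            user, addr = m.groups()
            if is_external(addr):
                probes[addr] += 1  # rejected attempts per external source
    return violations, probes


if __name__ == "__main__":
    violations, probes = audit(SAMPLE_LOG)
    for addr, user, method in violations:
        print(f"POLICY VIOLATION: {method} login for {user} from {addr}")
    for addr, count in probes.most_common():
        print(f"{count} rejected attempts from {addr}")
```

The last sample line is deliberately a violation, so the check has something to report; against a real log, an empty violations list is the expected result when the match rule is working.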