How to safely SSH into your own computer
I came across a situation where I had to ssh into my personal computer from a remote server. Most of the time, you don’t want to do this. There are botnets and other evil-doers out there that try to break into easily accessible machines, and a password-protected SSH connection is easily broken into.
So don’t do this unless you really need to!
Okay, so you really need to. What do we need to do?
- Tell your router to forward incoming transmissions for your SSH port to your machine.
The specific procedure depends on your router and I’ll leave it to you to find out how to do it. What’s important, though, is that you should change the default port. Botnets, script kiddies and everybody else that wants to break into your system will try the default port 22 first. If that doesn’t work, some might move on. Others might try more ports. Make them work for the right port: choose something random and large, in the 10000 to 64000 range. This is a list of used ports, so pick one that’s not on this list!
- Start your SSH daemon
At least on my Arch Linux system, the daemon that listens for incoming connections is not enabled by default.
You have two choices:
sudo systemctl start sshd.service. An instance will be running until you restart your PC. If you only occasionally want to access your machine from a remote server, then this is the safer way.
sudo systemctl enable sshd.service. This will auto-start the daemon upon boot, too.
- Tell SSH to listen on your chosen port
Open up your /etc/ssh/sshd_config file. The idea here is that many options are present in the file, set to their default values and commented out. So, to change them, uncomment them by removing the leading # and then you can change their default values.
Find the line for #Port 22 and change it to Port <your port number>.
- Disable root login
For the sake of completeness, find the line that starts with #PermitRootLogin and change it to
- Disable password authentication
All passwords are evil if you have the possibility of using public key authentication. So find the line #PasswordAuthentication yes and change it to
- Enable public key authentication
You kinda need one way of getting in, right? This should be enabled by default at the time of writing, but check anyway: #PubkeyAuthentication yes is the magic line. If you find it, leave it, it’s the default. Or remove the
- Generate a public/private key pair
On the remote server, generate a key pair with ssh-keygen -t rsa -b 4096 -C "email@example.com". Follow the prompts, set a password.
Now start an agent with eval "$(ssh-agent -s)".
And add the key to the agent, so that you don’t have to type in your key’s password every time you use it: ssh-add ~/.ssh/<your private key file>.
- Tell your system to allow this key
On your home system, open ~/.ssh/authorized_keys (create it if it doesn’t exist) and add the content of your remote system’s ~/.ssh/<your public key file>. Just copy the entire content; it should be on one line and contain lots of random characters.
- Restrict this key to a particular IP address
Another nice security measure. In your home system’s ~/.ssh/authorized_keys (the one you just edited), prepend this to the line from the last step: from="220.127.116.11" where you of course replace the IP with your remote server’s IP.
- Install fail2ban
fail2ban is a cool tool that automatically blocks IP addresses that seem suspicious by trying too many times to get into your system unsuccessfully. This would be your last line of defense. All you need to do is to install and enable it. On
sudo pacman -S fail2ban and then
sudo systemctl enable fail2ban.service.
- Create a new user with limited rights
Create a new group:
sudo groupadd sshusergroup
Add a new user:
sudo useradd -m -g sshusergroup -s /bin/bash sshuser
Restrict SSH to allow only this user: add the line
- Restart your daemon
To load all these settings, reload
sudo systemctl restart sshd.service.
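A check worth running on the edited file before that restart, as an added example that is not part of the original post: it reports which of the steps above are actually in effect, taking into account that sshd ignores commented-out lines and uses the first occurrence of a keyword. The target values PermitRootLogin no, PasswordAuthentication no and AllowUsers sshuser are assumptions of this example, as are the function names and the sample port.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an sshd_config against the
# steps in this guide. Target values below are assumptions of this example.

# effective_value FILE KEYWORD: print the value sshd would use for KEYWORD.
# Keywords are case-insensitive, commented-out lines do not count, and the
# first occurrence of a keyword wins. Parsing stops at the first Match block;
# Include files are not followed, repeated Port/AllowUsers lines are not merged.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE [USER]: print one FAIL line per step that is not in
# effect and return 1 if there is any. Unset keywords fall back to the OpenSSH
# defaults (Port 22, PubkeyAuthentication yes).
audit_sshd_config() {
    file=$1; user=${2:-sshuser}; rc=0
    port=$(effective_value "$file" Port)
    root=$(effective_value "$file" PermitRootLogin)
    pass=$(effective_value "$file" PasswordAuthentication)
    pubk=$(effective_value "$file" PubkeyAuthentication)
    allow=$(effective_value "$file" AllowUsers)
    [ "${port:-22}" != 22 ]  || { echo "FAIL Port: still the default 22"; rc=1; }
    [ "$root" = no ]         || { echo "FAIL PermitRootLogin: ${root:-unset}, want no"; rc=1; }
    [ "$pass" = no ]         || { echo "FAIL PasswordAuthentication: ${pass:-unset}, want no"; rc=1; }
    [ "${pubk:-yes}" = yes ] || { echo "FAIL PubkeyAuthentication: $pubk, want yes"; rc=1; }
    [ "$allow" = "$user" ]   || { echo "FAIL AllowUsers: ${allow:-unset}, want $user"; rc=1; }
    return "$rc"
}

# Constructed sample: the guide's edits plus a leftover line further down that
# sshd ignores, because the earlier PasswordAuthentication line already won.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
Port 48122
PermitRootLogin no
PasswordAuthentication no
#PubkeyAuthentication yes
AllowUsers sshuser
PasswordAuthentication yes
EOF
audit_sshd_config "$sample" && echo "OK: all steps in effect"
rm -f "$sample"
```

On the real machine, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the effective configuration the daemon would use, which is the authoritative answer when Include files or Match blocks are involved.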
You could call this a very paranoid approach. Just the way I like it, because you reaaally don’t want random people on your personal computer. I can’t think of a way of breaking into this system via SSH anymore.
Let’s recap: The SSH daemon is not always running, only when you need it (if you didn’t enable it). If it is, then it only allows key authentication, which is pretty safe. Also it only allows this if it comes from the single IP you specified. And if someone is still able to try different keys, then if he tries too many, he’s banned by fail2ban. And if all security measures fail, then he can only log in to the sshuser user, which is part of no groups to speak of, has no sudo rights and can’t really do a thang outside of his home directory.
On the remote server you can now ssh into your machine with ssh -p <your port> sshuser@<your IP>.