
I have SSH installed on my Ubuntu server. I can log into it from my Ubuntu desktop, using a user and a password. I can only access SSH from my LAN, since the SSH port is not forwarded on my router. Do I need to set up an RSA key for a setup like this? From what I understand, SSH is secure since it cannot be accessed from the Internet.

On a side note, what other things should I double check for security? I have Apache, MySQL and ProFTPD running.

Cory Walker

5 Answers


As a side note, it's very, very easy to set up passwordless logins with SSH, so you might want to try that:

$ ssh-keygen -t rsa # if you don't already have your key pair
$ ssh-copy-id -i ~/.ssh/id_rsa.pub myuser@myserver

And then you won't be asked for a password each time you log in to your server :)

Ivan
  • Seconded. Take the few minutes to set up SSH keys and you'll love life even more. http://pkeck.myweb.uga.edu/ssh/ – Drew Stephens May 09 '09 at 17:20
  • I use keys as well, but I always use them *with* passwords, and use keychain (on Linux) or pageant (on Windows) to cache the password for me. – Martin C. May 10 '09 at 07:46

If you're sure that only authorised users can get access to your LAN, then a username and password should suffice. Nothing is ever going to be completely secure; you need to ask yourself: is it good enough?

If your server is only accessible via your LAN, and you're not worried about people gaining access to it by WiFi hacks or physical network access, then username/password authentication is probably good enough.

Sam Cogan

Set up keys with passwords. Then use keychain; the only time you will ever have to enter passwords will be after a reboot. All the security of passwords, all the convenience of keys.

kband

I don't mind entering a password for SSH. For added security however, I'd recommend enabling the Ubuntu Firewall ufw, which is installed but disabled on Jaunty by default. It's easy to enable and configure:

sudo ufw enable

EDIT: Don't do this first if you're connecting remotely or you'll lock yourself out! It's safer to enable last once you're sure all your rules are in place. See Olaf's comment below.

Default to blocking everything:

sudo ufw default deny

Allow TCP on port 22 for SSH:

sudo ufw allow 22/tcp

Delete this rule (if necessary down the road):

sudo ufw delete allow 22/tcp

In addition to port 22, you'll want to allow traffic to port 3306 for MySQL, 80 for Apache, and 20 & 21 by default for ProFTPD.

You can check your rules easily too:

sudo ufw status

Lastly, you can create more fine-grained rules to specific hosts or subnets:

ufw allow proto tcp from 192.168.0.0/24 to 192.168.0.1 port 22

After you configure, disable and re-enable ufw to apply.

nedm
  • wow - make that from a distance (e.g. over ssh) and you're locked out :) ... make the default settings and allow ssh (22/tcp) before you enable the firewall. What I don't like with ufw is that the status is not visible (with ufw status) when the firewall is not enabled, so configuring this from a distance is always a bit risky. I usually set up a cron script to disable the firewall every 5 minutes while I change the settings or make sure to have an alternative way in without having to run... – Olaf May 11 '09 at 19:58
  • Good point, I'll edit accordingly -- I usually run sudo ufw disable first and sudo ufw enable last for just this reason. However, I also really like the idea of the cron script to fire every 5 minutes while you're tinkering just in case! – nedm May 11 '09 at 20:40
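The rule order nedm and Olaf settle on (disable, default deny, allow SSH, other rules, enable last) as one script. This is an added example, not code from the answers above; the LAN range 192.168.0.0/24, the UFW variable (set it to echo for a dry run) and the optional rule arguments are assumptions.

```shell
#!/bin/sh
# Added example: apply ufw rules in a lock-out-safe order.
# UFW defaults to the real binary; UFW=echo prints the sequence instead.
UFW="${UFW:-ufw}"
SSH_PORT="${SSH_PORT:-22}"
LAN_CIDR="${LAN_CIDR:-192.168.0.0/24}"   # assumed LAN range; adjust to yours

# Accept only "port/tcp" or "port/udp" with a port in 1..65535.
valid_rule() {
    case "$1" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    port="${1%/*}"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Usage: ufw_safe_apply 80/tcp 3306/tcp 21/tcp
ufw_safe_apply() {
    # 1. Take the firewall down while editing so a half-applied rule set
    #    cannot cut off the SSH session you are working from.
    "$UFW" disable
    # 2. Default deny first, while nothing is enforced yet.
    "$UFW" default deny
    # 3. SSH from the LAN only, before anything else, so the way back in exists.
    "$UFW" allow proto tcp from "$LAN_CIDR" to any port "$SSH_PORT"
    # 4. Remaining service rules, each validated before it reaches ufw.
    for rule in "$@"; do
        valid_rule "$rule" || { echo "skipping malformed rule: $rule" >&2; continue; }
        "$UFW" allow "$rule"
    done
    # 5. Enable last, once every rule is in place (--force skips the prompt).
    "$UFW" --force enable
    "$UFW" status
}

# Only act when explicitly asked, so sourcing the file changes nothing.
if [ -n "${UFW_APPLY:-}" ]; then
    ufw_safe_apply "$@"
fi
```

Run it as `UFW=echo sh script.sh` first to review the exact command sequence, then with `UFW_APPLY=1` and sudo to apply it.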

Do you need to use keys? No. But it sure becomes a lot more convenient to use them once you have more than one server, or if you ever have to script some kind of task that will require ssh access.

Zoredache