Tips when using Raspberry Pi and SSH

Basic
a) only login with keys, remove username/password login
b) change ssh port from 22 to something high, say 45678

Extra
a) disable root login
b) create another user with no command shell access if you use SSH for proxy,
and use myentunnel, which can reconnect automatically
#################################################################
How to generate and set up key login for SSH: there are loads of guides on Google.
e.g. http://kb.site5.com/shell-access-ssh/how-to-generate-ssh-keys-and-connect-to-your-account-with-putty/

# Of course make sure your key login is working, before removing user/password login.
# Here we comment out default Port 22, and add a new Port number, disable root,
# and turn off user/password login
sudo nano /etc/ssh/sshd_config

# Port 22
Port 45678

PermitRootLogin no
PasswordAuthentication no
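
A quick audit of the three settings above, as an added example that is not part of the original post. The function names global_values and audit_sshd_config and the sample config are made up for this example; it shows a common trap, where a "no" appended below an existing "yes" is ignored.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# three settings used above. Reads only the global section (before the first
# Match block) and does not follow Include files. Function names are made up.

# global_values FILE KEYWORD: print every global value of KEYWORD, lowercased.
global_values() {
    awk -v want="$2" '
        { sub(/^[ \t]+/, "") }               # drop leading whitespace
        /^#/ || /^$/ { next }                # skip comments and blank lines
        { split($0, f, /[ \t=]+/) }          # accepts "Key value" and "Key=value"
        tolower(f[1]) == "match" { exit }    # conditional blocks start here
        tolower(f[1]) == tolower(want) { print tolower(f[2]) }
    ' "$1"
}

# audit_sshd_config FILE: print findings, return 0 only if all three checks pass.
audit_sshd_config() {
    rc=0
    # sshd keeps the FIRST value it reads for a keyword; Port is the exception
    # (every Port line adds a listener). Absent keywords fall back to the
    # OpenSSH defaults: yes, prohibit-password, 22.
    pw=$(global_values "$1" PasswordAuthentication | head -n 1)
    root=$(global_values "$1" PermitRootLogin | head -n 1)
    ports=$(global_values "$1" Port | tr '\n' ' ')
    pw="${pw:-yes}"; root="${root:-prohibit-password}"; ports="${ports:-22 }"
    [ "$pw" = "no" ] || { echo "FAIL PasswordAuthentication is $pw"; rc=1; }
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin is $root"; rc=1; }
    case " $ports" in
        *" 22 "*) echo "FAIL still listening on port 22"; rc=1 ;;
    esac
    [ "$rc" -ne 0 ] || echo "OK key-only, no root, port(s): $ports"
    return "$rc"
}

# Constructed sample: a "no" appended after an existing "yes" has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
Port 45678
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "(sample config needs fixing)"
rm -f "$sample"
```

On the Pi itself, `sudo sshd -t` checks the syntax and `sudo sshd -T` prints the effective settings. Keep your current SSH session open until a second login on the new port works.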

# download and try myentunnel at
# https://billing.julyrush.com/downloads/myentunnel.zip
# http://nemesis2.qx.net/pages/MyEnTunnel
# http://nemesis2.qx.net/rdownload.php?filename=setup_myentunnel.exe

# Create new user, with no shell access, ideal for myentunnel and socks proxy
sudo useradd -m myen34
sudo passwd myen34
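# Note: an account used only for the tunnel / socks proxy works without sudo rights,
# so the sudo group and visudo steps can be skipped for it
sudo adduser myen34 sudo
sudo visudo

# line to add in visudo
myen34 ALL=(ALL) NOPASSWD:ALL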

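sudo mkdir /home/myen34/.ssh
sudo cp /home/pi/.ssh/authorized_keys /home/myen34/.ssh/authorized_keys
# The copies are owned by root; hand them to the new user so sshd can read the key
sudo chown -R myen34: /home/myen34/.ssh
sudo chmod 700 /home/myen34/.ssh
sudo chmod 600 /home/myen34/.ssh/authorized_keys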

# To remove shell access you're supposed to use sudo vipw
# and change the last line
# from
…/home/myen34:/bin/bash
# to
…/home/myen34:/bin/false

# If you get frustrated with vipw, there is nano
# sudo nano /etc/passwd

# Check any Invalid user logins
# (zgrep reads both the current log and the rotated .gz files)
sudo zgrep -h 'Invalid user' /var/log/auth.log* | grep sshd

# Check wrong password attempts
sudo zgrep -h 'Failed password' /var/log/auth.log* | grep sshd

# If you want to keep user/password
# install fail2ban, which will block repeated wrong password attacks

sudo apt-get install fail2ban -y
# Check reports: count of bans per IP address
awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n

zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c
