Re: ssh gives "Permission denied, please try again"



Anthony Campbell wrote:
On 2008-07-17, John Phillips <news0804@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 2008-07-17, Anthony Campbell <ac@xxxxxxxxxxxxxxxx> wrote:
On 2008-07-17, Bernard Peek <bap@xxxxxxxxxx> wrote:
In message <slrng7uvlt.tvp.ac@xxxxxxxxxxxxxxxxxxxxxxxx>, Anthony Campbell <ac@xxxxxxxxxxxxxxxx> writes
I thought the right host to connect to would be ac@xxxxxxxxxxxxxxxx
since that is what I use for emails etc. I can connect to
arcadia.acampbell.org.uk but that wouldn't work from a computer outside
my network, or would it?
It would be possible to arrange that but it's a bit tricky and there are security implications for your network. If you decide that it's what you want to do then we can give you some more help. We would need to know whether you have a static or dynamic IP address from your ISP.
I looked myself up and my static address seems to be 87.127.32.23. I
tried to ssh to that but it said port 22 was blocked. That seems to be
due to my router; I therefore tried to open ssh access in the router and
now ssh just hangs indefinitely. So that is progress of a sort but I'm
a bit worried about possible security issues, although it seems to be
possible to specify a particular WAN address.
You usually need to do two things to get SSH to pass through a router.
I think you only did one of them.

1 allow port 22 traffic to pass through the firewall (I think you did this)

2 make sure incoming port 22 traffic is directed by the router to the
specific server machine. Assuming you use NAT this will be in the
server setup section of the NAT setup.

As far as security is concerned there are several things you can do with the sshd config file to harden usual sshd installs. If you do get an external connection I am sure someone will tell you.

OK, got it! Shorewall was blocking access. Turning this off temporarily
allowed the connection to come up.

Thanks to all for advice and help. I'll have to check up the security
aspect before setting it up permanently.

Well, the main issues can be dealt with by disabling password login in sshd_config and using RSA or DSA. That requires generating a public/private key pair (with ssh-keygen), putting the public key in .ssh/authorized_keys and having the private key available on the machine you're connecting from (as someone else suggested, this could be on a flash stick or something).

If you're carrying a laptop and will be connecting from that, then it's simple. If you use windows or mac, putty can do ssh using the key. If it's linux, the keys go in .ssh/id_dsa and .ssh/id_dsa.pub (or id_rsa/id_rsa.pub).

You'll have to make the hole in shorewall permanent. And I'd recommend not using port 22 on the router - i.e., use a different port to ssh to and configure the router to forward that port to port 22 on the host. This doesn't increase security but it does prevent silly script kiddies from making a nuisance of themselves trying to crack your ssh security.

So long as you make sure the system with sshd running on it is fully up-to-date - and in particular that you're using the latest version of sshd - you should be about as safe as you can get.

There's one way to make it pretty much rock solid - and that's to restrict the IP addresses that are allowed to connect to the ssh port. If you know the address - or the subnet - that you'll be connecting from, you can enable access from that/those address/es and deny it to everything else. That's the only way to *really* make sure of security. The rest of the above stuff on its own is second best - but still reasonably safe.



--
http://MaldonIT.co.uk
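An added example, not part of the thread or anyone's post in it: a small POSIX sh script that audits an sshd_config for the settings the reply above recommends (password login off, public-key login on, and an AllowUsers line limiting who may connect and from where). It is written to mirror how sshd actually reads the file: the first uncommented occurrence of a keyword is the effective one, and keywords after a "Match" line apply only conditionally, so a "grep | tail -1" check gives the wrong answer. The two config files, the user name and the addresses are constructed samples; the script assumes the whitespace-separated "Keyword value" form used in the stock file, not "Keyword=value".

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# hardening discussed above. sshd takes the FIRST uncommented occurrence of a
# keyword as the global value, and anything after a "Match" line is
# conditional, so both are handled here. Keyword=value syntax is not handled
# (assumption: whitespace-separated form as in the stock sshd_config).

# Print the effective global value of a keyword, lower-cased; empty if unset.
sshd_effective() {
    _cfg=$1
    _key=$2
    awk -v key="$_key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blanks
        tolower($1) == "match" { exit }                  # global section ends
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$_cfg"
}

# Exit 0 when password logins are off (including the PAM keyboard-interactive
# route, which ChallengeResponseAuthentication controls) and key logins are on.
audit_sshd_config() {
    _pw=$(sshd_effective "$1" PasswordAuthentication)
    _cr=$(sshd_effective "$1" ChallengeResponseAuthentication)
    _pk=$(sshd_effective "$1" PubkeyAuthentication)
    # OpenSSH defaults used when the keyword is absent
    [ -z "$_pw" ] && _pw=yes
    [ -z "$_cr" ] && _cr=yes
    [ -z "$_pk" ] && _pk=yes
    [ "$_pw" = no ] && [ "$_cr" = no ] && [ "$_pk" = yes ]
}

# Constructed sample configs, written to temp files so the functions run on
# them exactly as they would on /etc/ssh/sshd_config.
weak_cfg=$(mktemp)
hard_cfg=$(mktemp)

cat > "$weak_cfg" <<'EOF'
# looks hardened at a glance, but the first PasswordAuthentication line wins
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

cat > "$hard_cfg" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# one user, only from the address you connect from (constructed values)
AllowUsers ac@203.0.113.5
# LAN clients may still use passwords; this does not affect the global check
Match Address 192.168.0.0/24
    PasswordAuthentication yes
EOF

for f in "$weak_cfg" "$hard_cfg"; do
    if audit_sshd_config "$f"; then
        echo "$f: password logins off, key logins on"
    else
        echo "$f: NOT hardened (PasswordAuthentication=$(sshd_effective "$f" PasswordAuthentication))"
    fi
done
```

Run it as-is to see the weak sample rejected and the hardened one accepted; to audit a live box, call `audit_sshd_config /etc/ssh/sshd_config` after sourcing the functions. Changes to sshd_config only take effect after the daemon is restarted or reloaded, so keep the existing session open until a second key-based login succeeds.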