How to secure an open port for SSH
Solution 1:
I understand that I need to port forward in order to be able to access it, but then I have an open port, and it is my understanding that it is more or less like an open door in the network. Is this the case, and do I need to worry about such a thing, or is it more like assign the port and tell no one?
Ports are assigned to individual processes: a process will listen on an IP and port, and any traffic received on that IP+port (that combination is called a socket) will go to that process.
So a port is an "open door" to a process.
It's not an open door into the network unless the process allows that access or gets tricked into allowing that access.
In your case, the process is sshd (probably OpenSSH's), which does allow remote login and remote file access, and can potentially grant an attacker a lot of power over your system.
Ways to prevent your processes from doing more than they should if an attacker does something bad:
- Is the process running with the least privilege possible? (sshd has to run as root because it allows login, so unfortunately you can't do much there.)
- Are you running the latest version and applying all security patches? (Make sure OpenSSH is updated and enable automatic updates.)
- Is the process configured securely? (For example, you should disallow root login in sshd.conf and consider using keys instead of passwords.)
- Are you monitoring the process to check for unusual activity? (Keep an eye on /var/log/auth.log and consider learning about and setting up fail2ban.)
- Are your passwords to log in to the system secure and regularly changed?
Furthermore, for sshd the following is a good idea:
- Both SSH and the common implementation OpenSSH have been around a while and are extensively used. OpenSSH is developed by the OpenBSD project, which has an excellent reputation for security. You can totally make it insecure if you don't configure it right, so study the configuration options.
- Disable X forwarding and other features if not needed. You'll need to study all the options in the sshd.conf file.
- Disable root login via password; it's best to disable root login entirely.
- If you leave it running on the default port 22, you'll get a lot of automated password guesses from random IPs. Use a different port. If someone says this is "security by obscurity", that's normally good advice, but you're still better off using a different port.
- Use keys instead of passwords. Most if not all SFTP/SCP clients will support keys.
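As an added example (not part of the answer above), the following POSIX shell script audits an OpenSSH daemon configuration, which OpenSSH reads from /etc/ssh/sshd_config, for the settings the answer recommends: a non-default port, root login disabled, password authentication off, and X11 forwarding off. The sample config files it writes are constructed for the demo; it assumes only sh and awk, honours the sshd rule that the first value given for a keyword wins, and stops at any Match block rather than interpreting it.

```shell
#!/bin/sh
# Added example, not from the original answer: audit an OpenSSH daemon config
# (normally /etc/ssh/sshd_config) for the settings the answer recommends.
# Assumes POSIX sh + awk. Caveat: sshd uses the FIRST value given for a keyword,
# and this checker stops at any Match block rather than interpreting it.

# Print the effective value of keyword $2 in config file $1, or "unset".
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }                   # comments, blank lines
        tolower($1) == "match" { exit }                       # Match blocks not handled
        tolower($1) == key && !found { val = $2; found = 1 }  # first value wins
        END { print (found ? val : "unset") }' "$1"
}

# Print one finding per line for config file $1; exit status = number of findings.
audit_sshd_config() {
    n=0
    port=$(sshd_get "$1" Port)
    if [ "$port" = unset ] || [ "$port" = 22 ]; then
        echo "Port: default 22 (attracts automated password guessing)"; n=$((n + 1))
    fi
    if [ "$(sshd_get "$1" PermitRootLogin)" != no ]; then
        echo "PermitRootLogin: should be 'no' (disable root login entirely)"; n=$((n + 1))
    fi
    if [ "$(sshd_get "$1" PasswordAuthentication)" != no ]; then
        echo "PasswordAuthentication: should be 'no' (use keys, not passwords)"; n=$((n + 1))
    fi
    if [ "$(sshd_get "$1" X11Forwarding)" = yes ]; then
        echo "X11Forwarding: enabled but rarely needed on a server"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample configs for the demo: a typical weak one and a hardened one.
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/weak_sshd_config"
HARD_CONF="$SAMPLE_DIR/hardened_sshd_config"
printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
    '# PasswordAuthentication no   (commented out, so the default "yes" applies)' \
    'X11Forwarding yes' > "$WEAK_CONF"
printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'X11Forwarding no' > "$HARD_CONF"

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $(basename "$f") =="
    audit_sshd_config "$f" && echo "no findings" || echo "$? finding(s)"
done
```

Run it against your own file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit status means at least one of the recommended settings is missing.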