2

I have SSH installed on my Ubuntu server. I can log into it from my Ubuntu desktop, using a user and a password. I can only access SSH from my LAN, since the SSH port is not forwarded on my router. Do I need to set up an RSA key for a setup like this? From what I understand, SSH is secure since it cannot be accessed from the Internet.

On a side note, what other things should I double check for security? I have Apache, MySQL and ProFTPD running.

5 Answers

7

If you're sure that only authorised users can get access to your LAN, then a username and password should suffice. Nothing is ever going to be completely secure; you need to ask yourself, is it good enough?

If your server is only accessible via your LAN, and you're not worried about people gaining access to it by WiFi hacks or physical network access, then username/password authentication is probably good enough.

10

As a side note, it's very, very easy to set up passwordless logins with SSH, so you might want to try that:

$ ssh-keygen -t rsa   # if you don't already have your key pair
$ ssh-copy-id -i ~/.ssh/id_rsa.pub myuser@myserver

And then you won't be asked for a password each time you log in to your server :)

2
  • Seconded. Take the few minutes to set up SSH keys and you'll love life even more. pkeck.myweb.uga.edu/ssh Commented May 9, 2009 at 17:20
  • 2
    I use keys as well, but I always use them with passwords, and use keychain (on Linux) or pageant (on Windows) to cache the password for me. Commented May 10, 2009 at 7:46
3

Set up keys with passwords. Then use keychain; the only time you will ever have to enter passwords will be after a reboot. All the security of passwords, all the convenience of keys.

2

I don't mind entering a password for SSH. For added security however, I'd recommend enabling the Ubuntu Firewall ufw, which is installed but disabled on Jaunty by default. It's easy to enable and configure:

sudo ufw enable 

EDIT: Don't do this first if you're connecting remotely or you'll lock yourself out! It's safer to enable last once you're sure all your rules are in place. See Olaf's comment below.

Block everything by default:

sudo ufw default deny 

Allow TCP on port 22 for SSH:

sudo ufw allow 22/tcp 

Delete this rule (if necessary down the road):

sudo ufw delete allow 22/tcp 

In addition to port 22, you'll want to allow traffic to port 3306 for MySQL, 80 for Apache, and 20 & 21 by default for ProFTPD.

You can check your rules easily too:

sudo ufw status 

Lastly, you can create more fine-grained rules to specific hosts or subnets:

ufw allow proto tcp from 192.168.0.0/24 to 192.168.0.1 port 22 

After you configure, disable and re-enable ufw to apply.

2
  • 1
    wow - make that from a distance (e.g. over ssh) and you're locked out :) ... make the default settings and allow ssh (22/tcp) before you enable the firewall. What I don't like with ufw is that the status is not visible (with ufw status) when the firewall is not enabled, so configuring this from a distance is always a bit risky. I usually setup a cron script to disable the firewall every 5 minutes while I change the settings or make sure to have an alternative way in without having to run... Commented May 11, 2009 at 19:58
  • Good point, I'll edit accordingly -- I usually run sudo ufw disable first and sudo ufw enable last for just this reason. However, I also really like the idea of the cron script to fire every 5 minutes while you're tinkering just in case! Commented May 11, 2009 at 20:40
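The answer above gives the ufw commands and the comments explain the lockout risk when they run in the wrong order over SSH. The script below is an added example, not code from the answer or its commenters: it applies the same rules in a lockout-safe order (default policy and allow rules first, enable last) and refuses to enable unless an SSH allow rule is part of the plan. LAN_NET and SERVER_IP are placeholder addresses, `ufw --force enable` is used so the enable step does not prompt, and the script runs as a dry run unless UFW_DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not code from the answer above: apply that answer's ufw rules in
# a lockout-safe order (default policy and allow rules first, enable last) and
# refuse to enable unless an SSH allow rule is part of the plan.
# Assumptions: LAN_NET and SERVER_IP are placeholders for your own addresses;
# "ufw --force enable" is used so the enable step does not prompt.

LAN_NET="${LAN_NET:-192.168.0.0/24}"   # placeholder LAN range
SERVER_IP="${SERVER_IP:-192.168.0.1}"  # placeholder server address
: "${UFW_DRY_RUN:=1}"                  # 1 = print commands only; 0 = run them

# Print the ufw commands, one per line, in the order they must run:
# SSH and MySQL only from the LAN, web and FTP ports as in the answer.
ufw_plan() {
    cat <<EOF
ufw default deny incoming
ufw allow proto tcp from $LAN_NET to $SERVER_IP port 22
ufw allow proto tcp from $LAN_NET to $SERVER_IP port 3306
ufw allow 80/tcp
ufw allow 20/tcp
ufw allow 21/tcp
ufw --force enable
EOF
}

# Return 0 only if no "enable" step comes before an allow rule for port 22;
# otherwise enabling would cut off the SSH session the rules are applied from.
ufw_plan_is_safe() {
    ufw_plan | awk '
        /^ufw allow / && / 22(\/|$)/ { allow22 = 1 }
        / enable$/ && !allow22       { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Run (or, in dry-run mode, print) the plan line by line; stop on the first error.
ufw_apply() {
    if ! ufw_plan_is_safe; then
        echo "refusing to apply: no SSH allow rule before enable" >&2
        return 1
    fi
    ufw_plan | while IFS= read -r cmd; do
        if [ "$UFW_DRY_RUN" = 1 ]; then
            echo "would run: sudo $cmd"
        else
            sudo $cmd || exit 1   # unquoted on purpose: split into arguments
        fi
    done
}

ufw_apply
```

Run it once as a dry run to review the order, then with UFW_DRY_RUN=0 from the console or a session you can afford to lose.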
0

Do you need to use keys? No. But it sure becomes a lot more convenient to use them once you have more than one server, or if you ever have to script some kind of task that will require ssh access.
