30 November 2009

Build a secure home network using SSH

This Howto explains how to build a local network where communication between machines takes place over the Secure Shell protocol. This is not only more secure (especially over wireless) but also lets you conveniently get a remote shell on every machine.

I'm assuming the machines are connected to each other via a dedicated hardware router, but the network topology does not really matter as long as all machines can see each other. I'm also assuming all machines are on the same network segment, i.e. you have a typical small-scale home network.

First, install the ssh metapackage on the machines you want to connect. On Debian-based systems, this pulls in the OpenSSH client, the OpenSSH server and the blacklist of insecure keys. All three are required for the setup to function properly.

Next, we will add some basic network security. On the machines you want to connect make sure that /etc/hosts.deny contains the line

ALL: ALL

This blocks, by default, all inetd-controlled services (anything that consults TCP wrappers, which on Debian includes sshd; most stuff except HTTP and Samba) for connections coming from any host. In /etc/hosts.allow add:

ALL: LOCAL

This allows all hosts on your local network (LOCAL in hosts.allow terms means every host whose name contains no dot) to reach all services on the local host.

If you are paranoid and only want to allow ssh, use this instead:

sshd: LOCAL
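To see how those two files interact before touching the real /etc, here is an added example (my own script, not part of the original Howto) that stages hosts.deny and hosts.allow in a scratch directory and evaluates the allow-then-deny decision the way tcpd does for the patterns used above: ALL matches anything, LOCAL matches names without a dot, anything else is an exact daemon or host name. The function names, the STAGE_DIR variable and the sample host names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original article: stage the two TCP wrappers
# files and evaluate decisions against them. Names below are assumptions.

# Scratch directory so the real /etc is never touched by this script.
STAGE_DIR="${STAGE_DIR:-$(mktemp -d)}"

# Write the files shown in the text. $1 is "all" (ALL: LOCAL) or "ssh" (sshd: LOCAL).
write_wrappers() {
    mode="${1:-all}"
    printf 'ALL: ALL\n' > "$STAGE_DIR/hosts.deny"
    if [ "$mode" = "ssh" ]; then
        printf 'sshd: LOCAL\n' > "$STAGE_DIR/hosts.allow"
    else
        printf 'ALL: LOCAL\n' > "$STAGE_DIR/hosts.allow"
    fi
}

# Does pattern $1 match name $2?  ALL: anything; LOCAL: no dot; else exact match.
pattern_matches() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;
        *)     [ "$1" = "$2" ] ;;
    esac
}

# Does file $1 hold a "daemon_list: client_list" rule matching daemon $2 and client $3?
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons="${line%%:*}"
        clients="${line#*:}"
        dmatch=1
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            pattern_matches "$d" "$2" && dmatch=0 && break
        done
        [ "$dmatch" -eq 0 ] || continue
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            pattern_matches "$c" "$3" && return 0
        done
    done < "$1"
    return 1
}

# tcpd order: a hosts.allow match wins, then a hosts.deny match denies, else allow.
# Prints "allow" or "deny"; returns 0 for allow and 1 for deny.
wrappers_decision() {
    if file_matches "$STAGE_DIR/hosts.allow" "$1" "$2"; then
        echo allow; return 0
    fi
    if file_matches "$STAGE_DIR/hosts.deny" "$1" "$2"; then
        echo deny; return 1
    fi
    echo allow; return 0
}

# Constructed sample run with the "sshd: LOCAL" variant.
write_wrappers ssh
printf 'sshd from anothematchine:   %s\n' "$(wrappers_decision sshd anothermachine)"
printf 'sshd from host.example.com: %s\n' "$(wrappers_decision sshd host.example.com)"
printf 'smtpd from anothermachine:  %s\n' "$(wrappers_decision smtpd anothermachine)"
```

The dotted name is denied because LOCAL never matches it and the request falls through to ALL: ALL in hosts.deny; with the "ALL: LOCAL" variant the smtpd request from the undotted host would be allowed as well. Note that this evaluator covers only the patterns used on this page, not the full hosts_access(5) syntax.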

You will likely not be running a DNS server on your network, so you will have to map hostnames to addresses by hand on each machine. The top of each /etc/hosts file should contain something like

127.0.0.1 localhost
127.0.0.1 nameofthismachine

where nameofthismachine is the desired hostname for the local computer. In the same file, add the IP addresses and hostnames of all other machines that this machine should be able to connect to, for example

192.168.0.2 anothermachine
192.168.0.3 yetanothermachine
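A typo in one of these lines sends your ssh session to the wrong box, so here is an added example (my own script, not from the original Howto) that builds the /etc/hosts entries described above into a staging file, rejecting malformed IPv4 addresses, bad hostnames and duplicate names before anything is copied over the real file. The HOSTS_OUT variable, the function names and the host list are assumptions for this example.

```sh
#!/bin/sh
# Added example, not from the original article: assemble /etc/hosts entries
# in a staging file with input validation. Names below are assumptions.

HOSTS_OUT="${HOSTS_OUT:-$(mktemp)}"

# Accept only a dotted quad with every octet in 0..255.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Hostname: letters, digits and hyphens, not starting with a hyphen, at most 63 chars.
valid_hostname() {
    case "$1" in
        ''|-*|*[!a-zA-Z0-9-]*) return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# Start a fresh staging file with the loopback lines from the text; $1 is this machine's name.
init_hosts() {
    valid_hostname "$1" || return 1
    printf '127.0.0.1 localhost\n127.0.0.1 %s\n' "$1" > "$HOSTS_OUT"
}

# Append "ip name", refusing bad input or a name that is already mapped.
add_host() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    valid_hostname "$2" || { echo "bad hostname: $2" >&2; return 1; }
    if grep -q "[[:space:]]$2\$" "$HOSTS_OUT"; then
        echo "duplicate hostname: $2" >&2; return 1
    fi
    printf '%s %s\n' "$1" "$2" >> "$HOSTS_OUT"
}

# Print the address staged for a name; fails if the name is absent.
lookup_host() {
    awk -v n="$1" '$2 == n { print $1; found=1 } END { exit !found }' "$HOSTS_OUT"
}

# Constructed sample run mirroring the entries shown in the text.
init_hosts nameofthismachine
add_host 192.168.0.2 anothermachine
add_host 192.168.0.3 yetanothermachine
add_host 192.168.0.300 badbox || echo "rejected as expected"
cat "$HOSTS_OUT"
```

Once the staged file looks right, copy it into place as root on that machine; the same script can be run on every box with its own name passed to init_hosts.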

You can find out the network IP address of a box either by running ifconfig on that machine or by logging into the router and looking at its logs.

Changes to the hosts* files should come into effect immediately, but the router may be slow to pick up hostname changes, so it is a good idea to power cycle it now to renew the DHCP leases and update the routing table.

Now, at one of the boxes, try

ssh username@someotherbox

and if ssh can connect to someotherbox, you are asked for username's login password. Now you can work with that shell as if you were sitting in front of the other computer. You can also start GUI programs by adding the -X switch (which enables X11 forwarding). For better performance but less local security you can add -Y to enable trusted X11 forwarding, which lets the remote programs use your local X server without the usual restrictions.

ssh -X -Y username@someotherbox

Then you can start xeyes or some other graphical app for testing. Depending on the processing power of your router and link speed, even watching DVDs over the SSH connection may work well.

OK, what about transferring files? You have several options here. When working in a shell with Midnight Commander, you can establish a shell connection via the Left/Right menus. In KDE, Dolphin/Konqueror and the file dialogs understand the fish:// protocol (example: fish://username@someotherbox). Similarly, you can use ssh:// in many Gnome applications. You can also mount the remote computer's filesystem using sshfs.

If you have a network service running on one of the machines, like a streaming server, you may want to tunnel its data through SSH too. To tunnel port 6666 with the local machine at the receiving end (connections made to port 6666 on the server are carried back through the SSH session to port 6666 on the local machine), do

ssh -R 6666:localhost:6666 username@server
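The easiest mistake with tunnels is picking the wrong direction: -R makes the remote host listen and deliver to a service on your machine, while -L makes your machine listen and deliver to a service on the remote host. The following added example (my own, not from the original Howto) builds the forwarding option from a direction word, checks the port numbers and states in words which side ends up listening. The function names are assumptions; the -L, -R and -N options are standard OpenSSH client flags.

```sh
#!/bin/sh
# Added example, not from the original article: assemble and sanity check
# an ssh port forwarding command line. Function names are assumptions.

# A port must be an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec DIRECTION LISTEN_PORT TARGET_PORT
#   local  -> -L: this machine listens; traffic goes to the service on the remote host
#   remote -> -R: the remote host listens; traffic comes back to a service on this machine
forward_spec() {
    valid_port "$2" && valid_port "$3" || return 1
    case "$1" in
        local)  printf '%s %s:localhost:%s' -L "$2" "$3" ;;
        remote) printf '%s %s:localhost:%s' -R "$2" "$3" ;;
        *)      return 1 ;;
    esac
}

# Say in words who listens where, given a forwarding spec.
listening_side() {
    case "$1" in
        -L*) echo "local machine listens, remote service receives" ;;
        -R*) echo "remote host listens, local service receives" ;;
        *)   return 1 ;;
    esac
}

# tunnel_command DIRECTION LISTEN_PORT TARGET_PORT USER@HOST
# -N keeps the session to the tunnel only, with no remote shell started.
tunnel_command() {
    spec=$(forward_spec "$1" "$2" "$3") || return 1
    printf 'ssh -N %s %s\n' "$spec" "$4"
}

# Constructed sample: the streaming case from the text, plus the opposite direction.
tunnel_command remote 6666 6666 username@server
listening_side "$(forward_spec remote 6666 6666)"
tunnel_command local 6666 6666 username@server
listening_side "$(forward_spec local 6666 6666)"
```

The -N form is handy for a tunnel you leave running in the background; drop it if you also want the shell on the server.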

Hopefully, this article has helped you secure your network a bit.
