Good SSH w/ private key setup guide for Noobs


AleQQ

Dabbler
Joined
Jan 22, 2014
Messages
38
I have a Windows 8.1 desktop and a FreeNAS server in the other room. I am going to buy a laptop soon and would like to be able to remote into the GUI and put out fires or edit settings on the FreeNAS box if I need to.

Via lots of Googling, I found this awesome KB article about how to set up the Windows side of things: http://www.freenaskb.info/kb/?View=entry&EntryID=190

However, I haven't yet found a very good comprehensive guide for beginners on how to really lock down SSH authentication. I know that I can read through the manuals and bumble through the GUI and shell to get something set up and working. I'm not trying to be lazy, I'm simply being very security-aware and I know that with my limited knowledge on the general subject I would probably leave inadvertent holes all over my system.

Has anyone tracked down a good How-To for making sure the FreeNAS side of the SSH equation is as secure as possible?

Or am I really just barking up the wrong tree and should invest in some VPN hardware?

Thanks, All!
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
If you are trying to do this because you want to punch a hole in your firewall straight to your FreeNAS box then your answer is "you are barking up the wrong tree".

If you are doing it for authentication purposes on your LAN (or WAN but via SSH keys) and no other reason then the answer is "there's no guide really, you just have to know what you are doing".
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
I don't think that's the question, Cyberjock.

He states he wants to get at the *GUI*, through the WAN, which is sensible, if slightly risky.

(OP: If you want to get at the **SSH** command line, that's an *ENTIRELY* different matter, let me know).

Basically, all you have to do is port forward some obscure port (something like 29012 or 44471) in your router to whatever you've designated as the https port for your FreeNAS.

Then, once you're on an obscure port, the odds that anyone knows you have a web server there are pretty close to zero. Then, you just log in normally, and your security threat is whatever the security threat is for the nginx/django FreeNAS interface, which is presumably low.

You don't need to do any fancy footwork with certificates or anything.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I think I'd vote for a VPN rather than port forwarding directly to the FreeNAS box. Depending on what the OP has for a router, this may not need any hardware purchases at all.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
That's true. The OP, however, seems like he has a pretty minimal setup, and is not yet a really experienced user. It seems unlikely he'll have the right kind of hardware and experience to make an easy go of a VPN.

I just wanted to get him up and running.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
My point was that the hardware requirements could well be none at all--many consumer routers can be reflashed to dd-wrt, Tomato, or some other firmware that can act as a VPN server. That said, you're right that it's something that will take some experience to set up. As is often the case, there's a trade-off between convenience and security.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
I tend to think people are a little insane about security.

Even mild security precautions (putting your ingress on an obscure high-numbered port, and having your system properly configured) will thwart most of the script kiddies and hacking bots. The professional, persistent hackers? There's nothing you can do anyway to thwart them, in the extremely unlikely case they're interested in anything you have.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
This is mostly true in my experience. I used to have hundreds of failed login attempts a day back when I had SSH on port 22. Once I moved the port number up, I went from hundreds of logins to 0 overnight.
In the unlikely event some uber hacker decides that anything I have is worthy of his time (that could probably be better spent hacking other things with more monetary potential), well... there's not really anything much of value for him.
 
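The measurement Whattteva describes above, as an added example that is not part of the thread: a POSIX shell/awk count of failed SSH authentications per source address from an OpenSSH auth log in the FreeBSD/FreeNAS /var/log/auth.log format, plus a threshold filter whose output can feed a pf table or router block list. The log lines are constructed (RFC 5737 documentation addresses, not real traffic), and the log path and the threshold of 3 are assumptions. Note that a drop to zero after moving the port means the bots stopped finding you, not that password guessing became safe; a port scan still finds the listener, so this count is a way to see what is actually knocking, not a substitute for key-only authentication.

```shell
#!/bin/sh
# Added example: count failed SSH authentications per source address from
# an OpenSSH auth log in the FreeBSD/FreeNAS /var/log/auth.log format.
# Usage: failed_logins_by_ip /var/log/auth.log
# Output: "<count> <address>", highest count first.
failed_logins_by_ip() {
    awk '
        # Only sshd lines that record a rejected authentication attempt.
        # "Invalid user ..." and "Connection closed ..." lines are noise
        # around an attempt, not attempts themselves, so they are skipped.
        /sshd\[[0-9]+\]: Failed (password|publickey|none) for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -rn
}

# Addresses with at least MIN failures, one per line, e.g. as input for a
# pf table or a router block list (the threshold is an assumption; tune it).
# Usage: offenders /var/log/auth.log 5
offenders() {
    failed_logins_by_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 10 03:12:01 freenas sshd[2231]: Invalid user admin from 203.0.113.5 port 41022
Apr 10 03:12:03 freenas sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Apr 10 03:12:07 freenas sshd[2235]: Failed password for root from 203.0.113.5 port 41040 ssh2
Apr 10 03:12:10 freenas sshd[2235]: Failed password for root from 203.0.113.5 port 41040 ssh2
Apr 10 03:12:14 freenas sshd[2235]: Failed password for root from 203.0.113.5 port 41040 ssh2
Apr 10 03:12:15 freenas sshd[2235]: Connection closed by 203.0.113.5 port 41040 [preauth]
Apr 10 03:20:41 freenas sshd[2290]: Failed password for pi from 198.51.100.7 port 55210 ssh2
Apr 10 03:20:45 freenas sshd[2290]: Failed password for pi from 198.51.100.7 port 55210 ssh2
Apr 10 07:02:19 freenas sshd[2411]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:constructed
EOF
}

demo() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "== failures per address =="
    failed_logins_by_ip "$log"
    echo "== addresses with 3 or more failures =="
    offenders "$log" 3
    rm -f "$log"
}
demo
```

On a real box, replace the constructed log with `/var/log/auth.log` (rotated copies are compressed; feed them through `zcat` first). The accepted public-key login is deliberately in the sample so you can see that only rejected attempts are counted.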

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Uhh, forwarding the WebGUI on any port is even more dangerous than forwarding the SSH port. The WebGUI is *not* hardened and not designed for someone that has an infinite number of guesses to not compromise your box. DO NOT forward your WebGUI to the internet under *any* circumstances. A simple portscan would find the port open and an http/https server attached.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Yeah opening WebGUI to the world is probably one of the worst things you could do. A properly setup SSH or VPN with key-based auth is typically what you'd want to do instead.
 
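What "properly set up" means in sshd_config terms, as an added example that is neither the thread's nor FreeNAS's own code: a POSIX shell/awk audit of the global section of an sshd_config that prints the effective value of each setting that allows remote password guessing, run against a constructed weak configuration and a constructed hardened one. Port 44471 (one of the numbers DrKK suggested), the user name alice, the LAN range 192.0.2.0/24 and the file paths are assumptions. Two sshd parsing rules the audit honours are worth knowing because they bite people who edit the file by hand: when a keyword is repeated, the first value wins, not the last; and anything after the first Match line is conditional, so it is not part of the global policy.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for settings
# that let a remote attacker guess passwords, printing the effective value
# of each and why it matters.  Exit 0 = no findings, 1 = findings.
# Two sshd(8) parsing rules are honoured:
#   - for a repeated keyword the FIRST value wins (not the last);
#   - everything after the first "Match" line is conditional, so only the
#     global section is audited.
# Usage: audit_sshd_config /etc/ssh/sshd_config
audit_sshd_config() {
    awk '
        # Report when the effective value of key (or its OpenSSH default
        # when the key is absent) differs from the value we want.
        function want(key, def, good, why,    v) {
            v = (key in val) ? val[key] : def
            if (v != good) {
                printf("WARN %-32s = %-18s (want %s: %s)\n", key, v, good, why)
                return 1
            }
            return 0
        }
        /^[ \t]*#/ { next }                            # comment line
        /^[ \t]*$/ { next }                            # blank line
        { gsub(/=/, " "); $0 = $0 }                    # accept "Key=value" spelling
        tolower($1) == "match" { exit }                # conditional section starts
        {
            key = tolower($1)
            if (!(key in val)) val[key] = tolower($2)  # first occurrence wins
        }
        END {
            bad = 0
            bad += want("passwordauthentication", "yes", "no",
                        "otherwise the WAN gets unlimited password guesses")
            bad += want("permitemptypasswords", "no", "no",
                        "blank passwords must never authenticate")
            bad += want("pubkeyauthentication", "yes", "yes",
                        "key login is the method that should remain")
            bad += want("permitrootlogin", "prohibit-password", "no",
                        "log in as an ordinary user and become root locally")
            # PAM keyboard-interactive can still prompt for a password when
            # PasswordAuthentication is off; newer OpenSSH renamed the keyword.
            if ("kbdinteractiveauthentication" in val)
                bad += want("kbdinteractiveauthentication", "yes", "no",
                            "PAM prompts bypass PasswordAuthentication no")
            else
                bad += want("challengeresponseauthentication", "yes", "no",
                            "PAM prompts bypass PasswordAuthentication no")
            port = ("port" in val) ? val["port"] : "22"
            if (port == "22")
                printf("INFO %-32s = %-18s (a high port cuts bot noise; it is not a security control)\n", "port", port)
            exit (bad > 0 ? 1 : 0)
        }
    ' "$1"
}

# Constructed weak config (not copied from any FreeNAS release).  Note the
# repeated PasswordAuthentication: the first line, "yes", is the one sshd uses.
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
}

# Constructed hardened config: key-only, no root, assumed port 44471, logins
# limited to the assumed user alice.  The Match block keeps a password
# exception for the assumed LAN range only; it is conditional and does not
# change the global (WAN-facing) policy, so the audit does not read it.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 44471
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice
Subsystem sftp /usr/libexec/sftp-server
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
}

demo() {
    weak=$(mktemp); hard=$(mktemp)
    write_weak_config "$weak"; write_hardened_config "$hard"
    echo "== weak =="
    audit_sshd_config "$weak" || echo "-> findings (exit status $?)"
    echo "== hardened =="
    audit_sshd_config "$hard" && echo "-> clean (exit status 0)"
    rm -f "$weak" "$hard"
}
demo
```

FreeNAS regenerates sshd_config from the SSH service settings in the GUI, so run the audit against the generated file rather than hand-editing it, or against the output of `sshd -T`, which prints the effective configuration one `keyword value` pair per line and is parsed by the same function. Key-only login also needs the client side from the OP's KB link (a key pair, with the public half in the user's `~/.ssh/authorized_keys`); the audit only checks that the server will refuse everything else.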

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Fair enough. I don't open my GUI to the world, personally. I do have a certificate-only ssh set up on a high numbered port, and I only open that when I'm going to be gone for several days.
 

AleQQ

Dabbler
Joined
Jan 22, 2014
Messages
38
I love inciting debate :D

I decided that cyberjock is right. I don't know what the heck I'm doing with FreeNAS yet, so I'm not going to try and open my server (and possibly the whole network) to malicious people.

I ordered a VPN router that I'll probably set up with IPSec and use a private key to authenticate instead of password auth (unless you lot think that SSL is better). In the meantime I will play around with FreeNAS's SSH on a local basis and see if I can get something working well and securely before I consider punching an unregulated hole in my network (if I ever do; it won't be all that necessary if I have a VPN).

Also, DrKK is right. There's no net-connected tech that enough time, money, and desire can't hack. I'm small fish, though, so I'm really just interested in securing my network against the multitude of automatic attacks that happen all the time. When I had Apache running in a jail with a secure site in it (with nothing worth securing) I used to browse through the access logs and laugh at all of the permission-denied errors that the SSL would log. Of course, that was before we knew of Heartbleed. Once the news broke of that, I decided my web dev endeavors were failing anyway, so I scrapped the whole jail instead of trying to go back through the headache of updating all my packages. It was really only a fruitless hobby anyway.
 