Derek Jones

Stage. Travel. Photos. Thoughts...

selfhosting

A laypersons guide to SSH security

Image description

How to secure your SSH connections

A simple layperson… yes, that’s me, I'm afraid. I’m not a coder, or a network wizard, or an expert scripter. I'm a hobbyist who enjoys tinkering with computers. I’m just a guy who hosts his own stuff from home using a tool that makes that journey so easy. The tool I use is Yunohost. They have put together a nice system that, for people like me, is easy to deploy, use and maintain. They have an excellent catalogue of applications, which are all packaged for use on their platform. This means that the security of the apps is already taken into account, allowing you to install with peace of mind. There are other systems around that do similar, but I have found the Yunohost system to be the better one (FWIW). I make a monthly contribution because it's worth it. You can see my system and what's in it here.

That's the advert done with, now to the reason for this article.

Despite the excellent YNH offer, the excellent catalogue of apps, and ease of use, sometimes you do have to get your hands dirty, and when I say that, I mean using a terminal application and something called SSH to log in to your system and do admin 'stuff' or even more terrifying, fixes... Gulp!

What does SSH mean?

It means Secure SHell (or Secure Socket Shell). It is a collection of utilities that provides encryption, key authentication and strong passwords. SSH is used by us users (admins) to manage our systems and applications remotely, enabling us to log in over a network, remotely or locally, to execute commands and to fix and add things, move files from one place to another, and so on. It's a bit more technical than that, obviously, but that's the basics of it.

Something you should probably do first... Maybe. If you want. I would!

Once you have successfully installed and tested your new Yunohsot system, change the SSH port number. SSH is one of the most scanned ports used by hackers to get into your system. The default port is 22, so change it to something else; anything above 1024 should do the trick. So, using terminal and log in to your system with:

ssh username@123.123.123.123 (the username you used to install YNH, the numbers are your server's IP address).

Hit return and enter your password; this is the one you set when you installed YNH in the first place.

Now type in, or copy:

yunohost settings set security.ssh.ssh_port -v 1234

The 1234 should be your chosen port number above 1024 that you want to use. If you really fancy getting your hands really dirty, you could do the following in terminal:

sudo nano /etc/ssh/sshd_config

This will open up a Linux editor called Nano, and you will have the SSH configuration file in front of you. Scroll down to the line that says #port 22. Delete the hash symbol (the comment) and enter a new port number so it will now say port 1234, the number of the port that you want to use. This method will require a restart of the SSH service, which you can do in the YNH GUI under Services, or while you are here in terminal type:

sudo systemctl restart ssh

However, if you want to keep things nice and simple, use the command yunohost settings set security.ssh.ssh_port -v 1234, which will keep things in order for you.

Some folk will probably say don't bother changing the port number if SSH is not forwarded on your router to your server, but whatever, I'd change it. You do have to remember the port number, though, when entering some commands that require SSH access, like logging in using terminal in the future. You will need to enter the port number prefixed with a -p. We shall see that later.

So once you have changed your port number and restarted the SSH service, instead of logging in with:

ssh username@123.123.123.123, you will now need, ssh -p1234 username@123.123.123.123

To be or not to be...

Ask yourself this question. Do I want to access my system via SSH inside my local network, outside or both? Don't be afraid to access your system outside of your network; you just have to think about a few extra things to stay secure.

Here is a little cut-out and keep table of your options and what you should consider.

ACCESS

PORT FORWARDING

ADVANTAGE

DISADVANTAGE

Internal only

Not required

Your SSH port won't be found when scanned by hackers.

If you are away and need to fix something, you can't. Sorry.

External Only

Required

You can do some work on your server. Excellent.

Your SSH port number (22) is exposed. Good job, you changed it!

Personally, I want both. So I have a Raspberry Pi with a VPN server installed on it. Many places on the internet tell you how to install a vpn on a Pi and how to include it in your network. Once you have installed the vpn server, you only need a vpn client on your device(s). I use WireGuard on all my devices. If I need to do anything, I just fire up Wireguard, make the connection and open a terminal app and log in using my username and password. Everything appears to me as local, as if I am in my living room or kitchen with a cup of tea by using: ssh -p1234 username@123.123.123.123 (Yes, I changed my port number, so I need to remember the -p switch and use -p1234.

Can I be even more secure?

So far, we have been using SSH using a username and password for authentication, whether we are local or remote. (IP address when local, domain names when we are remote, unless you are using a vpn, then it's local.) There is another level of security I have recently tried called Key Authentication. This is a process of generating encrypted public and private keys, one on the server and one on a device that you will use to access your server. When you attempt to log in, if the keys match, you get in; if they don't match, you can't. If you lose your device or it gets corrupted, then you are effectively locked out of your server, but there are backdoor ways to get back in and reset. You'll need a monitor and keyboard connected to your server. More on that later.

So let's assume that for this example, we want to access our server, called myserver.com, remotely. We have changed the default port number for SSH from 22 to 1234. We have configured our modem's firewall to port forward SSH 1234 to our server's IP address. When we open a terminal in the coffee shop down the road and type:

ssh -p1234 username@myserver.com

Followed by the password. We now have our server in front of us, and we can do some stuff. But what happens if we are snooped on, wifi sniffed, our credentials compromised or found, whatever...? We can set up our device or devices to use an authentication key so that only those devices can access the server. Let's just do one device for now, a MacBook Pro 16.

Open up a terminal session on your MacBook Pro 16 (other computer manufacturers and models are available!) and type the following:

ssh-keygen -t ed25519 -C device_name Here the device name will be macbook16 so:

ssh-keygen -t ed25519 -C macbook16

When you hit enter, you will be given a path name to save to. Accept it as it is, just hit return. You will then be asked for a passphrase, which is just another word for a password. You could just not bother and hit return, but I'd advise you to set one. Make it a good one, a long one, so long you need a password manager app to remember it. Again, some may say you don't need it, but what if someone gets a hold of your device? You will be asked to confirm the passphrase.

Your device will now create two keys, a private one and a public one. We need to copy the public keys to our home server with:

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@myserver.com

Hit return. Oh no, you got a connection error. Hmmm. This command assumes that you are using port 22 for SSH, but we have changed it to 1234. Remember that little -p switch? So now type:

ssh-copy-id -i -p1234 ~/.ssh/id_ed25519.pub username@myserver.com

That's it. Done. Close all your terminal sessions, and log in using,

ssh -p1234 username@myserver.com 

Now you will be asked for your passphrase and not your password. Enter your passphrase. If you get the server prompt, then the key authorisation for your MacBook Pro 16 to your server works. You still have the old method of logging in using your username and password. We can turn that off so that you can only use key authentication on your MacBook Pro. To turn this off, again, whilst in terminal type:

sudo nano /etc/ssh/sshd_config

You will have probably been here before if you chose to change your SSH port using Nano, the Linux text editor. Scroll down the open file and find the lines:

PasswordAuthentication yes and edit this line by changing the yes to a... no, so now it will read:

PasswordAuthentication no

Also, change the line:

PermitRootLogin yes to no

Save the file and exit. Again, you will have to restart the SSH service through the web GUI, or while you are in terminal type:

sudo systemctl restart ssh

You are all done. Access to your server at home can only be done with your MacBook, remotely. However, can you see the problem here? Your MacBook craps out, breaks down, gets stolen, whatever... You can no longer access your server. You have turned off the username/password method of getting access in favour of key authentication. What do you do?

If you want to use key authentication only, then just repeat the above steps on other devices, iPhone, iPads, Android, and just change the "device name" to the device name you are adding. You can use one key for all, but don't, just don't do it. Create a key for each device. It's safer and easier. You will be able to get access if you lose one device by using another.

Help...! I can't log in. My server is 'bricked"

So you have lost all your devices, or the key authentication process is just not authenticating anymore. How do we get access to our server and reset back to logging in using a username and password? This is where, when you get back home, you get the keyboard and monitor out. Plug them in and log in as admin locally, and let's turn back on password authentication with:

sudo nano /etc/ssh/sshd_config and change the lines:

PasswordAuthentication yes 

PasswordAuthentication yes

Restart the SSH service with:

sudo systemctl restart ssh

Now you can reset or recopy your keys from your device as we did above. Of course, if you are using a VPS, then you will have to use the provider's console to do the above.

Basic Security Tips

These are not in any order or preference, so take your pick of either or a combination of:

  • The easiest one is to use SSH locally only, take the port off your router, so no port forwarding.
  • Change the port number for SSH.
  • Recycle passwords every few months.
  • Use key authentication on more than one device.
  • Keep your admin group small.
  • Use a VPN on a Pi to log in remotely.

There are probably more things you can do, like check that Fail2ban is working and so on.

I told you that this was a layman's guide, so I might have got one or two things wrong. Please let me know. I'm trying to make this easy for those of us who have had difficulty understanding and securing SSH and using Key Authentication.

There is, however, excellent documentation on SSH and key authentication at the Yunohost website, which, of course, should be the definitive guide rather than my 'Janet & John", ABC version. I only write from experience, trial and error.

dj.

Instagram or Pixelfed?

After using both, which one do I prefer?

Instagram: Probably the world's most popular photo-sharing platform?

When Instagram came on the scene back in late 2010, I was a big user of the platform as an amateur photographer. I didn't boast a huge following, but the community was great to get involved with. It was easy to find like-minded people and to share your photos, get comments, good and bad, share techniques and so on. The community was large, so it was easy to connect with people; you could get your followers up, which meant more exposure, and the likes soon followed. It was a good place to be as a photographer, amateur or professional, and I was a constant uploader of pictures from my phone and my camera; it was, I hate to say it, addictive sometimes.

As time went on, of course, the tone changed on Instagram, and my enthusiasm shifted. I can't quite put my finger on what or how it changed at the time; it just did. It started to feel like another place, comments started to get "funny", which soon turned into "nasty". People would barge in on your feed with comments not related to the content. Then the ads came, then came Meta, and in my view, they destroyed what Instagram set out to do, and Instagram just became a mini Facebook.

Facebook, never and still don't understand it. Why?

I drifted around other platforms like 500px and Flickr. I'd had an account with both for years. I know these things cost money to put up, but I felt the ever-increasing cost was becoming too much for both 500px and Flickr. Yes, I wanted it cheaper or free!

PixelFed, probably the best behaved photo sharing platform?

As an open source junky, I discovered PixelFed. It was in its infancy but looked promising. Very Instagramish in its presentation and use, but it was decentralised, with better privacy controls, and it felt like a 'proper community', just a bunch of people putting up their work and others liking it and or commenting. It was a small community; it was new after all. I was curious about the whole federated idea or PixelFed, multiple private servers all connected, decentralised and so on, a very interesting concept, so I gave it some time and started posting. It was slow and not very... vibrant. Give it time, Del...

Fast forward a few years, and recently I created a new Instagram account, after binning off my account years ago. I hate it... Sorry, but I do. I found it just full of junk and difficult to connect with. Maybe I've got older, maybe I'm not using it right, maybe it's just not for me, the ads, the constant life hacks, the shouting, the constant '...I'm here, look at me...' feel. Maybe I just need re-educating. It's just a loud, noisy place.

At the same time that I recreated my Instagram account, I dipped back into my PixelFed account, and found that it had changed, but it had changed a lot, it was quicker, stable and the community base had grown, so I started by posting some old photos first, just to see how it went, and to my surprise, it felt like a new home. That sounds a bit crass, I know, but it just felt... nice... Lots of people are showing some fantastic work with a phone or a camera, no noise, no shouting, no ads, just people liking and commenting on other people's pictures, with a good helping of privacy control. A bit like... Instagram was back in 2010! It's all about the data...

Today I'm using PixelFed. I like the style, the feel and the community. Sure, you still get the odd bozzo, but that will always happen. I like PixelFed, and it has, for the moment, become my go-to photo-sharing platform. I like the control, the privacy and the true community spirit of the platform. Long may it thrive

Money, money, money....

It's free...! While I have already bemoaned the cost of the likes of 500px, Flickr and others, it's not just the financial cost. It's your data and privacy cost. If you're going to put photos out on the internet, then you are not being very private in the first place, but at least you can control how your data is analysed and distributed. I do contribute some money to open source apps, it might be small, but it's a contribution, something we should all consider doing once in a while. Again, it doesn't have to be much.

A BIG SHOUT OUT!!!!

To the folks who make PixelFed and other good open source software available to us all. Thank you!

See my PixelFed profile.

Why self host...?

Why bother?

There are many reasons. For me, it's a hobby, but it might be different for you, of course. I have also become more resistant over time to letting big corporations be responsible for my data. How many times have you heard that such and such has been hacked? Of course, that can happen to anyone self-hosting as well, but at least I will be responsible for any loss. I can also react quicker and shut it all off, and as long as I have a backup, I can rebuild and be up and running again quite quickly.

So, what do I self-host, and how did it come about?

Back in the day, my email was hosted by FastMail and my files by SugarSync. Ah, those were the days. To be fair to them both, they were never hacked while I was with them, but I quite liked the idea of having everything under my control, files, photos and music, but how? I'd heard and seen a demo of OwnCloud. It was a file-sharing and sync server; it was in its infancy at the time and a pain to get and to keep going. 

I invested in a QNAP NAS, a small but slow one to start with. It was quite good and did more or less what I needed. I could store and share my own files and photos, and music, but my email was still with FastMail. The slow speed of the server started to become a pain, so I upgraded to a larger, faster model. Now we were talking. It was a much better experience. I also had a slow Raspberry Pi that ran the file sharing and application suite, Nextcloud. Again, Nextcloud was a bit troublesome, but it soon made rapid improvements. It’s just that the Pi could not keep up with the demand of Nextcloud, and I found it offline more than on.

While on a trip, I was searching the internet for self-hosting solutions and discovered, by accident, a community of people that had put together a self-hosting server called Yunohost. A bit of an odd name, but it had a good application catalogue that included Nextcloud for files, Piwigo for photos and Navidrome for music. 

My new fast QNAP NAS came with an app called Virtualisation Station, which allowed you to install a full operating system in its own container. Interesting, I thought, and installed Yunohost into a container and set it up to speak to the outside world. It was a eureka moment. It was quick and very stable, and very soon I had Nextcloud working and usable. Next, I moved my website over, which was easy to do; all I had to do now was move my email over. A scary thought indeed. 

With the fantastic help of the Yunohost community and some fiddling with DNS records at my domain registrar, I was off and running. Now I had everything I needed, working from a small server in my garage at home. Excellent… until… I was hacked! There were a bunch of hackers that had been targeting QNAP NAS machines online, and mine was one of them. I was locked out with ransomware. My blood turned cold when I logged into the server and saw the message. Fortunately, the container that my new test server was in was isolated from the ransomware that had changed the file name of every file on the system, but the isolated server within the server was still clean, and I had a backup, but everything else was gone; the backup was 4 weeks out of date. No way was I going to pay £530 in bitcoin to release my files. Instead, I wiped the QNAP NAS clean and sold it. I couldn’t wait to get it out of the house; never again will I buy a QNAP product.

The next day, I bought a small form factor desktop computer on Amazon, installed Yunohost and restored from my backup. Since that day, five years ago, I have had a flawless system; only once was I hacked with some porn on my photo server, and that was my fault and was quickly fixed.

Pros and Cons

So what are the pros of self-hosting?

  • The obvious one is that you are in control of your data.
  • If you do the right thing, your data will be safe.
  • Cheaper. Online service providers are charging more and more each year to host your stuff. Sure, there are free services, but they are not really free.

...and the cons?

  • Power outages that are out of your control. UPS? Backup?
  • You must keep the system up to date to avoid security breaches.
  • Keep the server apps up to date.
  • Don’t forget to backup.
    • If the system fails, you will need to recover from it.
    • If you are hacked, you will need to recover from it. Make sure that the apps are set up correctly and understand permissions. Again, porn was dumped on my photo server due to bad permissions. I’ve learnt since!!!
  • You’ll need an understanding of how the internet works; things like DNS and DNS records will suddenly become a new thing for you to learn and understand.

Is it really worth it?

If you have the time, do some preliminary research and try a bit of trial and error work, then yes, it is worth it. My server runs smoothly, is backed up every day, and is updated weekly. I have several websites on my server, including photo galleries, file storage and sharing, as well as a large music library. Sure, I have faced a few ups and downs, but with some reading and help from the community, I have been up and running within a couple of hours. You will also gain a good understanding of how networks and the internet work. It's very rewarding to know that everything is under your control and knowledge. You don't need to know too much, but the more you learn, the more beneficial it is to keep your homelab server running.

My Yunohost Homelab

Have a look at my set-up at digitalcarnage.co.uk, and if you have any questions, do reach out 

dj