All times are UTC - 6 hours





PostPosted: Wed Jul 26, 2006 6:31 pm 
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Hi all,
I was thinking of putting this on the wiki, but I thought I'd post it here first to be scrutinized and corrected if need be...

---

How to Make More Secure Connections with SSH/PuTTY

Notice how I said more secure? The best way to secure your box is to not have SSH access outside your local network, assuming your local network has its security features enabled. :) You've now been warned.

If you're like me and want to have access to your MythTV box from outside your home network (i.e. from work, school, etc.) you need to take some security precautions. Here I intend to walk you through some security measures to make your exposed MythTV box safer.

- Assuming you followed the above directions (err, wiki directions for accessing your MythTV box from Windows), you already have PuTTY and you can access your MythTV box from inside your network. You'll also need puttygen.exe for this exercise.

- Set up your firewall/router to allow data to pass on port 22, the standard SSH port. Each router has a little different config, so that's not covered here. Try http://www.google.com

- If you have a Dynamic IP address, you'll need to set up DNS updater client to keep traffic flowing after your IP address changes. Again, beyond the scope of this document, but you may try http://www.dyndns.com for an account and update client programs.

Configuring Public-Key Authentication:

As configured currently, your SSH server on your MythTV box needs just a valid username and password to gain access. Since it's common knowledge what the mythtv username and password are, we want to strengthen the authentication process. This is where Public-Key Authentication comes in. In the simplest terms, PKA matches two paired encrypted sets of data to validate the user. One key resides on your (remote) MythTV box (and should NEVER be exposed to anyone) and the other resides on the (local) Windows machine.

- On your MythTV box, you should tweak your /etc/ssh/sshd_config file to help with security.
You'll need to be root to make changes to this file. Ensure the following lines in your sshd_config file (1) exist and (2) are set this way:
Code:
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
AuthorizedKeysFile      %h/.ssh/authorized_keys

They do not need to be grouped together like this. Just make sure they're in there. Your config file probably has other options in there, too. They should be ok. Save your changes and restart the SSH server.
Code:
# /etc/init.d/ssh restart

- Drop back down to your normal mythtv user and issue this command to create a public and private-key pair. The -t switch is mandatory; it specifies the type of encryption. The -b switch specifies the strength of the encryption, in this case 4096-bit encryption. The lowest encryption I would use is 1024 bit. The higher the encryption, the harder it would be to crack. The -C switch is for you to give this key a name. It's helpful if you have multiple keys (one for Home, one for Work, etc.)
Code:
$ ssh-keygen -t rsa -b 4096 -C DescriptiveNameOfYourChoice

You will be prompted for a location to save these keys. Default is /home/mythtv/.ssh/. Accept it and press enter.

You are then prompted for a passphrase. Enter something you'll remember. Try to mix in some numbers and symbols. It's good password/passphrase practice. You'll need this every time you login to your MythTV box via SSH. Note that you can just press enter for a blank passphrase, but that defeats the purpose of beefing up our SSH security. DON'T LEAVE THE PASSPHRASE BLANK! You will then be told that your keys have been saved in the location you specified above and a fingerprint will be displayed.

- Enter the .ssh directory.
Code:
$ cd /home/mythtv/.ssh/

and copy the id_rsa.pub key into a file called authorized_keys.
Code:
$ cp id_rsa.pub authorized_keys

BE SURE YOU cp THE RIGHT FILE! Note: if you're creating multiple keys... After your authorized_keys file exists, use the cat command to add the additional keys to authorized_keys.
Code:
$ cat id_rsa2.pub >> authorized_keys

Copy the id_rsa file to your Windows machine (via floppy disk, SAMBA, whatever you'd like.)

- On the Windows side, fire up puttygen.exe and click on the Load button to load an existing private key. Find your id_rsa file you brought over, select open and enter your passphrase. The default Key Comment is "imported-openssh-key." You can change this to the comment you added with the -C switch above. Now, press Save Private Key and you'll be prompted to save the id_rsa.ppk file somewhere on your Windows machine.

- Fire up PuTTY and load your session settings that you use for SSH access to your MythTV box. Under the SSH tree on the left, select Auth. Specify the path to the id_rsa.ppk file you saved in the previous step. Click on Session from the tree on the left and press the Save button to save the change you just made. Click on Open and login as mythtv. You should then see:
Code:
Authenticating with public key "Work"
Passphrase for key "Work":

Enter your passphrase and you're good to go! Try to su to root. Now, log out of root by typing exit and type exit again to quit. Re-launch PuTTY and load your settings and press Open. Instead of logging in with the user mythtv, try root. If everything worked right, your terminal window should have slammed shut on you. You cannot login as root anymore and no hacker can either. If no key exists for a user and/or the wrong/no key is referenced in PuTTY, they will not be able to login.


Reference: http://linux-sxs.org/networking/openssh.putty.html
http://www.linuxjournal.com/article/6602

_________________
Mike
My Hardware Profile


Last edited by mihanson on Thu Jul 27, 2006 2:41 pm, edited 1 time in total.
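Added example (my own code, not from mihanson's post or the KnoppMyth wiki): a POSIX shell audit that checks an sshd_config against the directive list in the how-to above before you restart the server. It assumes OpenSSH's plain "Key value" lines without Match blocks, and OpenSSH's rule that the first occurrence of a directive is the one that takes effect, so a `PasswordAuthentication no` appended below an earlier `yes` is silently ignored. The sample config it audits is constructed, and the function names are mine. Note that the directive sshd expects is spelled PermitEmptyPasswords.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# directive list in the how-to above BEFORE restarting sshd.
# Assumptions: OpenSSH "Key value" lines, '#' comments, case-insensitive keys,
# no Match blocks, and sshd's rule that the FIRST occurrence of a directive
# is the one that takes effect (later duplicates are silently ignored).

# The directives and values the how-to asks for.
REQUIRED='Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys'

# Print the value sshd would use for directive $2 in file $1 (first match wins),
# or nothing if the directive is not set anywhere.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }              # comment line
        NF < 2 { next }                        # blank line or keyword with no value
        tolower($1) == key { print $2; exit }  # first occurrence wins, as in sshd
    ' "$1"
}

# Compare one directive: 0 = set as required, 1 = missing or a different value.
check_directive() {
    got=$(effective_value "$1" "$2")
    lwant=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    lgot=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
    if [ -z "$got" ]; then
        printf 'MISSING  %s (want %s; sshd will fall back to its default)\n' "$2" "$3"
        return 1
    elif [ "$lgot" = "$lwant" ]; then
        printf 'OK       %s %s\n' "$2" "$got"
        return 0
    fi
    printf 'WRONG    %s is %s, want %s\n' "$2" "$got" "$3"
    return 1
}

# Check every required directive in file $1; the return value is the number
# of directives that still need attention (0 = all set as the how-to says).
audit_sshd_config() {
    fails=0
    while read -r key want; do
        [ -n "$key" ] || continue
        check_directive "$1" "$key" "$want" || fails=$((fails + 1))
    done <<EOF
$REQUIRED
EOF
    return "$fails"
}

# Write a CONSTRUCTED sample config to $1 with two faults the audit should catch:
# PasswordAuthentication is set to yes before the "no" that was appended later
# (sshd keeps the first), and IgnoreUserKnownHosts is absent altogether.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config sample, not a real machine's file
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
AuthorizedKeysFile      %h/.ssh/authorized_keys
# appended later, silently ignored because of the earlier line
PasswordAuthentication no
EOF
}

SAMPLE=$(mktemp)
write_sample_config "$SAMPLE"
echo "Auditing constructed sample $SAMPLE (for the real file: audit_sshd_config /etc/ssh/sshd_config)"
audit_sshd_config "$SAMPLE" \
    || echo "$? directive(s) need attention; fix them, then run 'sshd -t' before restarting"
rm -f "$SAMPLE"
```

Run the audit as root against /etc/ssh/sshd_config before the restart step; `sshd -t` then checks that the file parses, which matters because a misspelled directive stops sshd from starting and locks you out of a box you only reach over SSH.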


PostPosted: Thu Jul 27, 2006 6:05 am 
Joined: Fri Apr 02, 2004 10:08 am
Posts: 1637
Location: Virginia, USA
I think this info looks very good and seems correct to me, beyond a few typos ("don't LEAVE the passphrase blank!" and "enter your passphrase and you're good to go.")

Same goes for your other one too. I'd say to go ahead and post them on the wiki, so that if there are any changes they can be made right to the page rather than here in the forums.


PostPosted: Thu Jul 27, 2006 2:42 pm 
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Typos? What typos? Just kidding. Thanks for that. I fixed them. I'll give it a few more days to see if any other eyeballs catch anything erroneous. Thanks! :D

_________________
Mike
My Hardware Profile


 Post subject: SSH/Tunneling
PostPosted: Thu Jul 27, 2006 6:53 pm 
Joined: Sat Nov 13, 2004 2:24 pm
Posts: 59
I haven't looked into this too far, but is there a way to tunnel Http/Session through ssh? so I'm on a windows computer:

windowsbox->router->internet->home router->mythbox web?

I'm sure it's easy, but my situation is a little more complicated, because at work, as an end-user, our workstations are completely locked down.. So I can't install anything.. so something like pptp is out of the question.. but putty will work nicely.. I'm running dd-wrt on my WRT54G.. So I know i have most of the pieces.. Suggestions?

prosonik


PostPosted: Thu Jul 27, 2006 7:29 pm 
Joined: Tue Nov 22, 2005 7:57 pm
Posts: 295
Location: Auckland, New Zealand
You mean like his other post:
http://mysettopbox.tv/phpBB2/viewtopic.php?t=10967
:-)

_________________
HP VL400 (PIII 866), Skystar2 2.6D, PVR350, Nvidia FX5200, 384MB, 200GB, KnoppMyth R5.5


PostPosted: Mon Jul 31, 2006 11:49 am 
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
This HowTo was added to the KnoppMyth Wiki. If you have any changes/additions, please do it on the Wiki.

http://www.knoppmythwiki.org/index.php?page=RemoteAccessfromWindows

_________________
Mike
My Hardware Profile


PostPosted: Mon Feb 12, 2007 11:27 am 
Joined: Thu Mar 09, 2006 6:54 pm
Posts: 34
Thanks to mihanson and everyone else for the series of helpful posts here.

Instead of starting a new thread which is related, I resurrected this older thread to consolidate information.


Though following the steps outlined from the links in this thread, I can securely access mythweb via ssh tunnel. Everything works great.

As prosonik posted long ago, I want to enable access from outside my internal network to my mythweb so that users can download recorded shows. I have searched and been unable to find how to do this.

Given that I have followed the steps successfully listed in this thread, how can I configure the system to accept outside users to my mythweb?

I am using my XP machine as a gateway atm. I would prefer to keep it this way, but am open to changing it if it is necessary to allow semi-secure access to mythweb.

Release: R5E50
Cable Modem: SB5100


PostPosted: Mon Feb 12, 2007 12:01 pm 
Joined: Sat Dec 24, 2005 11:33 am
Posts: 400
Location: Kitsap Peninsula, Wa., United States
Once I had the first portion done, I had to open specific ports on my router to allow access to specific locations/ports on my mythbox. A good practice is to forward common inet ports like 80(websites) to other ports you define. This allowed me to protect the internal net and only allow access to specific locations.

That is searchable on google for your specific hardware. From what i remember it is possible with to other box acting as a Gateway device, but you would again have to search that.

Another note, unless you have a domain and static IP address from your provider you are going to need some form of dynamic dns service like dyndns.org. They do that for free to home users.

Once you get it all setup, I would consider running a port scan back at yourself to ensure you have developed a profile/presence that provides minimal exposure to the outside world.

YMMV!

Again there are a lot of different schools out there on what works best and what doesn't.. Anytime you open the doors you are exposing your network and yourself to risk.

I hope that helps.

_________________
KnoppMyth R5.5
MBE: AMD64 3400+, K8N Neo4 Plat., 1Gig, Asus Extreme N6200, 320G pata, 2x320Gsata, 750Gsata, PVR-150 Retail w/Blaster
SBE: AMD XP2000, GA 7ZMMH, 1 Gig, XFX 256M 6200, 20 Gig, PVR-150 Retail w/Blaster
SBE: AMD Dur1800, 512M, PVR500


PostPosted: Mon Feb 12, 2007 12:42 pm 
Joined: Thu Mar 09, 2006 6:54 pm
Posts: 34
Thanks for your response, bigbro!

My SB5100 is simply a gateway itself - no router included. So all ports are open (if I understand correctly) unless they are closed via my software firewall (zonealarm).

Already been to dyndns.org for their dynamic dns service. The ip that it detects seems to be my modem (69.255.56.xxx). This ip (and the dyndns address I set up) simply brings me to a motorola login screen which I do not have the username or password to (tried 'admin' and various things suggested for other motorola products). This screen is separate from the internal address that I can use to see (not change) the modem info.

Do I need to use a different ip for my dyndns account?

Should I use another piece of software that can route traffic to the mythbox?

Thanks again, everyone!


PostPosted: Mon Feb 12, 2007 2:50 pm 
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Fidelis wrote:
Already been to dyndns.org for their dynamic dns service. The ip that it detects seems to be my modem (69.255.56.xxx). This ip (and the dyndns address I set up) simply brings me to a motorola login screen which I do not have the username or password to (tried 'admin' and various things suggested for other motorola products). This screen is separate from the internal address that I can use to see (not change) the modem info.

Do I need to use a different ip for my dyndns account?

Should I use another piece of software that can route traffic to the mythbox?

Thanks again, everyone!


Check my other post on a similar topic to this one. Pay attention to the port forwarding section.

_________________
Mike
My Hardware Profile


PostPosted: Mon Feb 12, 2007 3:28 pm 
Joined: Thu Mar 09, 2006 6:54 pm
Posts: 34
mihanson, since a link to that page was already on this thread, I read and followed that already. That did not answer my question. Perhaps I am not understanding your meaning, or you are missing mine. Let me clarify.

When I use my dyndns address in putty, it does connect, but does not accept any sort of login - "Server refused our key."

When I use my internal ip address in putty, it accepts the key I made without issue. I then can use firefox to access mythweb.

Perhaps I am missing a setting in putty or somewhere else. I will go over your detailed instructions again - though I've been checking different steps for about 3 hours.

Danke!


PostPosted: Mon Feb 12, 2007 3:39 pm 
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Fidelis wrote:
When I use my dyndns address in putty, it does connect, but does not accept any sort of login - "Server refused our key."

When I use my internal ip address in putty, it accepts the key I made without issue. I then can use firefox to access mythweb.


I see... Are you trying to connect to your MythWeb from a computer inside your home network? The dyndns address will only work from outside your home network. i.e. from the WAN side (your work, school, etc.)

_________________
Mike
My Hardware Profile


PostPosted: Mon Feb 12, 2007 4:45 pm 
Joined: Thu Mar 09, 2006 6:54 pm
Posts: 34
mihanson wrote:
I see... Are you trying to connect to your MythWeb from a computer inside your home network?


Nope, can do that just fine any number of ways.

Quote:
The dyndns address will only work from outside your home network. i.e. from the WAN side (your work, school, etc.)


That is good to know. But even using the dyndns address from within the network, I can connect to the box this way - I just get the "server refused our key" msg. Just can't connect from outside.


PostPosted: Mon Feb 12, 2007 5:48 pm 
Joined: Sat Dec 24, 2005 11:33 am
Posts: 400
Location: Kitsap Peninsula, Wa., United States
First, this is probably way off topic and might be best moved to a different thread here.

I run a router with builtin firewall behind my DSL modem.
The DSL modem had minimal configuration; by default it would not allow me to advertise/host a server to the outside world.

Since I didn't like the modem's setup/protection, I installed a router which includes NAT (you have that) and a basic firewall. Then in that firewall you need to either Host a server (forward the mythbox server Address) to the DMZ or set the firewall rules to forward(advertise) specific ports like http uses port 80, to the outside world.
Some people opt to just use portforwarding to advertise a completely different port as mythbox:80 i.e. mymythbox.toys: 8125 (Outside) forwards to 192.168.xx.xxx:80(internal network)

Once this is done you should be able to see that server when you navigate your browser even from the inside (protected) network through your dynamic dns server name to the outside presence. When I do that I see the same page as my internal link only it is my http://dyndns address:port then of course I can get to the various services such as mythweb via password.

Secure Shell should work the same way in forwarding ports through your router, but it is not good practice to use the common port; rather use something that forwards to it in your network.

As far as https access like in Webmin, a lot of ISPs block that, yours may not so that is a mixed bag.

Do understand there are numerous security risks in opening a firewall or an internet connection sharing software such as your implementation.

There are some good "security wise" tutorials out there for opening your network. Your capability will be limited by the tools in hand.

Be careful, a little bit of precaution and being a little paranoid can be very good prevention.


PostPosted: Mon Feb 12, 2007 6:32 pm 
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Fidelis wrote:
That is good to know. But even using the dyndns address from within the network, I can connect. to the box this way - I just get the "server refused our key" msg. Just can't connect from outside.


I'm kind of confused... You can connect to your MythWeb from inside your network. If you go to another location, i.e. office, school, etc, you cannot connect to your MythWeb? (Server Refused Our Key)

Sorry, if you've tried these things, but I have to ask . . .

1) Did you use puttygen.exe on your Windows machine to convert the key to a format putty recognizes?

2) Is putty configured to point to the correct key file?

3) On your MythTV box, does your authorized_keys file have only one key per line?

4) What are the permissions of your .ssh directory? Here's mine:
Code:
drwx------  2 mythtv mythtv    4096 Jan 22 14:01 .ssh

_________________
Mike
My Hardware Profile









Powered by phpBB® Forum Software © phpBB Group
