Linux – Most secure way to access the home Linux server while I am on the road? Specialized solution wanted

Tags: linux, security, ssh

I think many people may be in my situation. I travel on business with a laptop. And I need secure access to files from the office (which in my case is my home).

The short version of my question:

How can I make SSH/SFTP really secure when only one person needs to connect to the server from one laptop? In this situation, what special steps would make it almost impossible for anyone else to get online access to the server?

A lot more details:

I use Ubuntu Linux on both my laptop (KDE) and my home/office server. Connectivity is not a problem. I can tether to my phone's connection if needed. I need access to a large number of files (around 300 GB). I don't need all of them at once, but I don't know in advance which files I might need. These files contain confidential client info and personal info such as credit card numbers, so they must be secure.

Given this, I don't want to store all these files on Dropbox or Amazon AWS, or similar. I couldn't justify that cost anyway (Dropbox doesn't even publish prices for plans above 100 GB, and security is a concern). However, I am willing to spend some money on a proper solution. A VPN service, for example, might be part of the solution? Or other commercial services? I've heard about PogoPlug, but I don't know if there is a similar service that might address my security concerns?

I could copy all my files to my laptop because it has the space. But then I have to sync between my home computer and my laptop and I found in the past that I'm not very good about doing this. And if my laptop is lost or stolen, my data would be on it. The laptop drive is an SSD and encryption solutions for SSD drives are not good.

Therefore, it seems best to keep all my data on my Linux file server (which is safe at home).

Is that a reasonable conclusion, or is anything connected to the Internet such a risk that I should just copy the data to the laptop (and maybe replace the SSD with an HDD, which reduces battery life and performance)?

I view the risks of losing a laptop to be higher. I am not an obvious hacking target online. My home broadband is cable Internet, and it seems very reliable. So I want to know the best (reasonable) way to securely access my data (from my laptop) while on the road.

I only need to access it from this one computer, although I may connect from either my phone's 3G/4G or via WiFi or some client's broadband, etc. So I won't know in advance which IP address I'll have.

I am leaning toward a solution based on SSH and SFTP (or similar). SSH/SFTP would provide about all the functionality I anticipate needing. I would like to use SFTP and Dolphin to browse and download files. I'll use SSH and the terminal for anything else.

My Linux file server is set up with OpenSSH. I think I have SSH relatively secured. I'm using Denyhosts too. But I want to go several steps further. I want to get the chances that anyone can get into my server as close to zero as possible while still allowing me to get access from the road.

I'm not a sysadmin or programmer or real "superuser". I have to spend most of my time doing other things. I've heard about "port knocking" but I have never used it and I don't know how to implement it (although I'm willing to learn).

I have already read a number of articles with titles such as:

  • Top 20 OpenSSH Server Best Security Practices
  • 20 Linux Server Hardening Security Tips
  • Debian Linux Stop SSH User Hacking / Cracking Attacks with DenyHosts Software
  • more…

Those articles mention things like

  • Use DenyHosts
  • Set the AllowUsers option in /etc/ssh/sshd_config to allow only specific users to connect.
  • Disable root logins via SSH.
  • Use public key authentication and disallow password login
  • and much more.

I am doing all the things above (and some more). But I have not implemented every single thing I've read about. I probably can't do that.

But maybe there is something even better I can do in my situation because I only need access from a single laptop. I'm just one user. My server does not need to be accessible to the general public. Given all these facts, I'm hoping I can get some suggestions here that are within my capability to implement and that leverage these facts to create a great deal better security than general purpose suggestions in the articles above.

One example is port knocking. This seems like a perfect fit for my situation. What else is there along these lines?

Best Answer

There's no such thing as perfect security. Every security option is a trade-off. Personally, I recommend:

  1. Use DenyHosts to prevent brute forcing, but set a sensible timeout value so you don't lock yourself out for the entire time you're on the road. That can definitely happen if you aren't careful.
  2. Set the AllowUsers option in /etc/ssh/sshd_config to allow only specific users to connect.
  3. Disable root logins via SSH.
  4. Use public key authentication from your laptop.
  5. Use one-time passwords such as OPIE or OTPW from any public terminal.
  6. Don't ever use your root password from a public terminal, even in conjunction with sudo or su.

Alternatively, I think highly of portable encrypted drives with a PIN-pad, such as the Apricorn Aegis Padlock drives. They're very portable, reasonably secure against most threat models, and the biggest risks are forgetting your PIN or losing the drives while traveling, but in both cases you still have the original files safely at home.

If you prefer a free alternative, you could use encfs, ecryptfs, or similar to create encrypted mounts to hold your sensitive data. You could lose the data along with the laptop, or someone could tamper with your kernel, bootloader, or hardware to install a keylogger while it's out of your sight, but that doesn't sound like your current threat model, and encrypted mounts should serve your purposes just fine. I don't consider this option quite as secure as the PIN-pad, but it is still a pretty solid choice.

Basically, unless you really feel like you need the services provided by a remote system, I'd recommend just bringing your files in as secure a container as you feel you require. You can then use rsync, conduit, or unison when you get home to synchronize your files, or just copy your updated files back over to your main system.

There really isn't a "one size fits all" answer to your question. Hope this helps.
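As an added illustration of items 2 to 4 of the answer (restrict logins with AllowUsers, disable root login, require public keys and refuse passwords), here is a small POSIX shell audit that reads an sshd_config and reports which of those settings are missing. It is example code written for this page, not code from the original post or from OpenSSH. It assumes a plain sshd_config without Match blocks, honours the rule that sshd uses the first occurrence of a keyword, and the two sample configs it checks are constructed here.

```shell
#!/bin/sh
# Audit an sshd_config for the hardening items named in the answer:
#   AllowUsers set, PermitRootLogin no, PubkeyAuthentication yes,
#   PasswordAuthentication no.
# Limitation (assumption of this example): Match blocks are not parsed.

# effective_value FILE KEYWORD
# Prints the value sshd would use: comments are dropped, keywords are
# case-insensitive, and only the FIRST occurrence counts (later duplicates
# are ignored by sshd, so they must be ignored here too).
effective_value() {
    grep -v '^[[:space:]]*#' "$1" \
      | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd_config FILE
# Prints one line per finding, then the number of findings as the last line.
audit_sshd_config() {
    f=$1
    missing=0

    # Unset is flagged too: the default differs between OpenSSH versions,
    # so the answer's advice is only met when it is explicitly "no".
    v=$(effective_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || {
        echo "PermitRootLogin is '${v:-unset}', expected 'no'"
        missing=$((missing + 1)); }

    # Default is "yes"; the answer wants keys only, so it must be "no".
    v=$(effective_value "$f" PasswordAuthentication)
    [ "$v" = "no" ] || {
        echo "PasswordAuthentication is '${v:-unset}', expected 'no'"
        missing=$((missing + 1)); }

    # Default is "yes", so unset is acceptable here.
    v=$(effective_value "$f" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || {
        echo "PubkeyAuthentication is '$v', expected 'yes'"
        missing=$((missing + 1)); }

    # Without AllowUsers every account with a shell may log in over SSH.
    v=$(effective_value "$f" AllowUsers)
    [ -n "$v" ] || {
        echo "AllowUsers is unset: logins are not restricted to named users"
        missing=$((missing + 1)); }

    echo "$missing"
}

# write_samples: creates two constructed configs in temp files and exports
# their paths as WEAK and HARDENED.
write_samples() {
    WEAK=$(mktemp)
    HARDENED=$(mktemp)
    cat > "$WEAK" <<'EOF'
# constructed sample: distribution defaults, passwords still accepted
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
EOF
    cat > "$HARDENED" <<'EOF'
# constructed sample: the settings recommended in the answer
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers alice
# later duplicate: sshd ignores it, so the audit must as well
PasswordAuthentication yes
EOF
}

write_samples
echo "--- weak sample ---";     audit_sshd_config "$WEAK"      # last line: 3
echo "--- hardened sample ---"; audit_sshd_config "$HARDENED"  # last line: 0
rm -f "$WEAK" "$HARDENED"
```

On a real server the simplest input is the effective configuration that `sshd -T` prints (run as root), which already resolves defaults and Match blocks; save it to a file and pass that path to `audit_sshd_config`. A finding here means the setting does not match the answer's recommendation, not that the host is compromised.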
