I have been following various other tutorials and blog posts on setting up an Ubuntu machine as a backup "server" (I'll call it a server, but it's just running Ubuntu desktop) that I push new files to with rsync. Right now, I am able to connect to the server from my laptop using rsync and ssh with an RSA key that I created and no password prompt when my laptop is connected to my home router that the server is also connected to. I would like to be able to send files from my laptop when I am away from home. Some of the tutorials I have looked at had some brief suggestions about security, but they didn't focus on them.
What do I need to do to let my laptop send files to the server without making it too easy for someone else to hack into the server?
Here is what I have done so far:
- Ran ssh-keygen and ssh-copy-id to create a key pair for my laptop and server.
- Created a script on the server to write its public ip address to a file, encrypt the file, and upload to an ftp server I have access to (I know I could sign up for a free dynamic DNS account for this part, but since I have the ftp account and don't really need to make the ip publicly accessible I thought this might be better).
Here are the things I have seen suggested:
- Port forwarding: I know I need to assign the server a fixed ip address on the router and then tell the router to forward a port or ports to it. Should I just use port 22 or choose a random port and use that?
- Turn on the firewall (ufw). Will this do anything, or will my router already block everything except the port I want?
- Run fail2ban.
Are all of those things worth doing? Should I do anything else? Could I set up the server to allow connections with the RSA key only (and not with a password), or will fail2ban provide enough protection against malicious connection attempts? Is it possible to limit the kinds of connections the server allows (e.g. only ssh)?
I hope this isn't too many questions. I am pretty new to Ubuntu (but use the shell and bash scripts on OSX). I don't need to have the absolute most secure set up. I'd like something that is reasonably secure without being so complicated that it could easily break in a way that would be hard for me to fix.
Best Answer
Ok, I think you're trying to over-architect a bit. SSH is one of the most secure file transfer protocols, and if you're already rsyncing over ssh then you're 90% there. Your router is acting as a basic firewall, so you shouldn't need to turn on iptables for a personal backup server.
Stick with port 22. It will make life much easier.
fail2ban is a nice script for public servers, especially where password-based logins are enabled. On your server it's going to make more problems than it will fix. I wouldn't recommend running it. Here are my suggestions:
PasswordAuthentication yes to PasswordAuthentication no, and make sure challengeresponse is set to no. That will block anyone without your private key from logging in at all.
Other than that you're pretty much covered by default. ssh encrypts traffic and verifies the host/client. There's not a lot left after that.
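One way to check the two settings this answer names, as an added example that is not part of the original answer. The function names and the sample files are constructed for illustration, and it assumes "challengeresponse" means the ChallengeResponseAuthentication keyword, which newer OpenSSH releases treat as an alias of KbdInteractiveAuthentication.

```shell
#!/usr/bin/env bash
# Added example: check whether an sshd_config permits key-only login.
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive, so grepping for "PasswordAuthentication no" can mislead.

# sshd_option FILE 'name1|name2' DEFAULT   (names in lowercase)
# Prints the effective global value; Include files and Match blocks are not evaluated.
sshd_option() {
  awk -v want="$2" -v def="$3" '
    /^[ \t]*#/ || NF == 0 { next }              # comment or blank line
    tolower($1) == "match" { exit }             # global section ends here
    tolower($1) ~ ("^(" want ")$") { print tolower($2); found = 1; exit }
    END { if (!found) print def }               # keyword absent: use the default
  ' "$1"
}

# Succeeds only when both password-style methods are off.
key_only_login() {
  [ "$(sshd_option "$1" 'passwordauthentication' yes)" = no ] &&
  [ "$(sshd_option "$1" 'challengeresponseauthentication|kbdinteractiveauthentication' yes)" = no ]
}

# Constructed sample files (not taken from the page).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
# A later "no" does not override the first "yes".
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
passwordauthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF

for f in weak hardened; do
  if key_only_login "$demo_dir/$f.conf"; then
    echo "$f.conf: key-only login"
  else
    echo "$f.conf: password-style login still enabled"
  fi
done
```

On the server itself, `sudo sshd -T` prints the configuration sshd actually uses, including any Include files, so compare against that after editing and reloading.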