[Discuss] External security Re: one vs many static IP addresses

Rich Braun richb at pioneer.ci.net
Mon Jan 4 12:14:38 EST 2016


Kent Borg <kentborg at borg.org> noted:
> ... what a pain in the butt to be constantly
> messing with port forwarding, and putting sshd on--what was that port
> number again?

This comment reminded me of a cleanup that I should do myself. Any of you who
are griping about sshd port forwarding probably need to consider taking these
steps too.

My current setup: sshd runs on about 3 external ports, NATed to various
machines. I can access either by an (encrypted) private ssh key, or by
2-factor password auth (my personal pw plus Google Authenticator).

It's 2016 and the whole concept of passwords for user auth is obsolete;
they're hard to remember, don't get changed enough, and fairly easy to break.
If you're relying solely on a memorized pass-phrase to access anything via a
public IP address, you're not doing it right these days. Does this include
you?

So what I'm thinking I should do, to avoid the P.I.T.A. management headaches
that Kent describes:

* With a Python script, generate a public/private keypair for each of the
long-running machines I want to protect

* Have that script generate an authorized_keys file, encrypted identity file,
and ssh config file

* Tar up those files so they can be readily unpacked everywhere I need them

* Craft an ansible playbook to run that script whenever I want to rotate the keys

* Carry a copy of that tarball on a keychain USB flash drive so I can always
get in

* Disable passphrase/MFA auth everywhere except one or two backdoor devices
(in case my rotation script has run before I could update that USB flash drive
and whatever laptop/handheld devices use these keys)

At some point an open-source project like ssh-ca will improve to the point
where all the above is made easier. I kinda-sorta do the above already, but
without the script and ansible playbook I don't bother rotating keys, which is
an essential part of this security.

Overkill, perhaps, for home use--but even some of my security-expert friends'
home systems have been hacked. Ever visited a carpenter's house? Usually you
see half-complete remodeling jobs; it's natural for all of us to apply our
professional skills at a paid workplace but skimp on stuff at home.

Now, if only I could figure out a way to automatically and securely update my
WordPress installation without it occasionally running into horrendous plugin
version-compatibility traps...

-rich
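The keypair, authorized_keys, ssh config and tarball steps from the list above, as an added Python example that is not Rich's script. Host aliases, ports, the external address and the key directory are constructed assumptions; key generation shells out to ssh-keygen (so that part needs it on PATH), and the authorized_keys builder keeps the previous key through the rollout window so a rotation that runs before every client is updated does not lock you out.

```python
# Added example, not Rich's script: ed25519 keys per host via ssh-keygen, an
# authorized_keys keeping the previous key through rollout, an ssh client config
# and a tarball. Aliases, ports and the external address are constructed values.
import io, subprocess, tarfile
from pathlib import Path

EXTERNAL = "203.0.113.10"                       # constructed public address
HOSTS = {"gw": 2201, "nas": 2202, "web": 2203}   # alias -> NATed external sshd port

def keygen(outdir: Path, alias: str, passphrase: str) -> str:
    """Encrypted ed25519 key via ssh-keygen; returns the public key line."""
    priv = outdir / f"id_{alias}"
    subprocess.run(["ssh-keygen", "-q", "-t", "ed25519", "-N", passphrase,
                    "-C", f"{alias}-key", "-f", str(priv)], check=True)
    return priv.with_suffix(".pub").read_text().strip()

def authorized_keys(new_pub: str, old_pub: str = "") -> str:
    """'restrict' disables forwarding/agent/X11, 'pty' re-allows a shell. The
    old key stays until every client has the new bundle (no early lock-out)."""
    lines = [f"restrict,pty {new_pub}"]
    if old_pub:
        lines += ["# previous key, remove after rollout", f"restrict,pty {old_pub}"]
    return "\n".join(lines) + "\n"

def ssh_config(keydir: str = "~/.ssh/rotated") -> str:
    """One stanza per host; IdentitiesOnly stops the client offering every agent key."""
    stanza = ("Host {a}\n    HostName {h}\n    Port {p}\n    IdentityFile {d}/id_{a}\n"
              "    IdentitiesOnly yes\n    PasswordAuthentication no\n")
    return "".join(stanza.format(a=a, h=EXTERNAL, p=p, d=keydir) for a, p in HOSTS.items())

def bundle(files: dict) -> bytes:
    """Tar the files in memory, mode 0600; private keys stay passphrase-encrypted."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o600
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def members(blob: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return tar.getnames()

if __name__ == "__main__":                         # needs ssh-keygen on PATH
    out = Path("rotated"); out.mkdir(exist_ok=True)
    files = {"config": ssh_config().encode()}
    for alias in HOSTS:
        files[f"authorized_keys.{alias}"] = authorized_keys(keygen(out, alias, "change-me")).encode()
        files[f"id_{alias}"] = (out / f"id_{alias}").read_bytes()
    Path("ssh-bundle.tar.gz").write_bytes(bundle(files))
```

In practice prompt for the passphrase instead of hard-coding it, and push each `authorized_keys.<alias>` file to its host (the ansible step) before distributing the tarball.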

More information about the Discuss mailing list