Secure SSH access from the Internet to the NAS

From NAS-2000.org


This howto describes how to configure the SSH server so that the NAS can be reached from the internet in a reasonably safe way.

First create a user in the WebGUI and make sure the "Create Private Folder" option is enabled.


Next, log in to the NAS as root via ssh, edit /etc/inetd.conf and add a line like this:

 pop3s   stream tcp   nowait  root  /system/overlay/bin/dropbear    dropbear -i -w

This line configures the inetd daemon to listen on the pop3s port (995) and to start dropbear in inetd mode (-i) with root logins disallowed (-w). This way an attacker can't simply brute-force the password for root but first has to know a valid user name on the system.

Now it's a good idea to disable the shell login for the admin and guest-share users by editing /etc/passwd. By changing their login shell to "/bin/false" these users can still log in via ftp but will never get a shell when logging in with ssh.

admin:$1$$CoERg7ynjYLsj2j4glJ34.:500:100:admin:/mnt/IDE1/admin/:/bin/false
guest-share:$1$$qRPK7m23GGLby/:501:101::/mnt/IDE1/guest-share/:/bin/false

For the changes to take effect the inetd daemon has to be restarted:

killall inetd
inetd

Because inetd is started very early at boot, it has to be restarted once more after the saved file is copied back to /etc/inetd.conf. Add the next two lines to /system/overlay/rc.d/S40Dropbear.sh:

# restart the inetd daemon
killall inetd && inetd

Finally, to keep the changes across a reboot, add /etc/inetd.conf to /system/overlay/savedata.conf:

/etc/inetd.conf:inetd.conf

If you have the latest tinky version, the files listed in savedata.conf are saved automatically on every shutdown.

If you want to be able to become root after logging in, your user has to be added to the group wheel. Edit /etc/group:

wheel:x:10:root,<your_user>

and add that file to /system/overlay/savedata.conf as well:

/etc/group:group

Now you can run su and, after entering the root password, you are root.

Of course you'll also have to configure your router to forward the pop3s port (995) to the NAS.

This technique also works very nicely if your company has very restrictive firewall rules and only a few ports are allowed for outgoing connections ;-)

Update:

Since dropbear also supports public-key authentication, all you have to do is copy the public part of your key to ~/.ssh/authorized_keys of that user.

To allow public-key authentication only, add '-s' (disables password authentication) to the dropbear arguments in inetd.conf:

pop3s  stream tcp   nowait  root  /system/overlay/bin/dropbear  dropbear -i -w -s
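The following audit script is an added example and not part of the original howto or of the NAS firmware. It checks, against constructed sample copies of inetd.conf, passwd, group and an authorized_keys file, that the steps above were actually applied: dropbear on pop3s runs with -w (no root login) and -s (no password login), admin and guest-share have no shell, the users that do have a shell are (or are not) in wheel, and the key file is not group- or world-writable, since dropbear ignores an authorized_keys file with loose permissions. The sample directory, file names and the example user "alice" are assumptions for the demonstration; to audit a real box, point the variables at /etc/inetd.conf, /etc/passwd, /etc/group and the user's ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added audit example (not from the NAS-2000.org page). Runs against
# constructed sample files so it can be tried off the NAS.

SAMPLE_DIR=${SAMPLE_DIR:-$(mktemp -d)}   # assumption: writable temp dir
INETD_CONF="$SAMPLE_DIR/inetd.conf"
PASSWD="$SAMPLE_DIR/passwd"
GROUP="$SAMPLE_DIR/group"
GOOD_KEYS="$SAMPLE_DIR/authorized_keys"
BAD_KEYS="$SAMPLE_DIR/authorized_keys.bad"

# --- constructed sample input, modelled on the lines shown in the howto ---
cat > "$INETD_CONF" <<'SAMPLE'
# constructed sample inetd.conf
ftp     stream tcp   nowait  root  /usr/sbin/ftpd   ftpd
pop3s   stream tcp   nowait  root  /system/overlay/bin/dropbear    dropbear -i -w -s
SAMPLE

cat > "$PASSWD" <<'SAMPLE'
root:x:0:0:root:/root:/bin/sh
admin:x:500:100:admin:/mnt/IDE1/admin/:/bin/false
guest-share:x:501:101::/mnt/IDE1/guest-share/:/bin/false
alice:x:502:100::/mnt/IDE1/alice/:/bin/sh
SAMPLE

cat > "$GROUP" <<'SAMPLE'
root:x:0:root
wheel:x:10:root,alice
users:x:100:
SAMPLE

echo "ssh-rsa AAAAB3NzaC1yc2EAAAAD...constructed... alice@example" > "$GOOD_KEYS"
chmod 600 "$GOOD_KEYS"
cp "$GOOD_KEYS" "$BAD_KEYS"
chmod 666 "$BAD_KEYS"

# dropbear_args SERVICE FILE: print the arguments dropbear is started with
# for SERVICE (inetd.conf fields: service type proto wait user program args...)
dropbear_args() {
    awk -v svc="$1" '$1 == svc && $6 ~ /dropbear$/ {
        for (i = 8; i <= NF; i++) printf "%s ", $i; print "" }' "$2"
}

# has_flag FLAG SERVICE FILE: 0 if dropbear for SERVICE is started with FLAG
has_flag() {
    for a in $(dropbear_args "$2" "$3"); do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# shell_of USER FILE: print the login shell of USER from a passwd file
shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# shell_disabled USER FILE: 0 if USER cannot get an interactive shell
shell_disabled() {
    case "$(shell_of "$1" "$2")" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# in_group USER GROUPNAME FILE: 0 if USER is listed as a member of GROUPNAME
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$3"
}

# keyfile_perms_ok FILE: 0 if FILE is writable by neither group nor others
# (position 6 of "ls -l" mode is group write, position 9 is other write)
keyfile_perms_ok() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# audit: print one line per check; return 0 only if no hard check failed
audit() {
    rc=0
    if has_flag -w pop3s "$INETD_CONF"; then echo "ok   root login disabled (-w)"
    else echo "FAIL root login still allowed on pop3s"; rc=1; fi
    if has_flag -s pop3s "$INETD_CONF"; then echo "ok   password auth disabled (-s)"
    else echo "WARN password auth still enabled on pop3s"; fi
    for u in admin guest-share; do
        if shell_disabled "$u" "$PASSWD"; then echo "ok   $u has no shell"
        else echo "FAIL $u can get a shell"; rc=1; fi
    done
    # every other account with a real shell: report whether it can su via wheel
    awk -F: '$3 >= 500 && $7 !~ /(false|nologin)$/ { print $1 }' "$PASSWD" |
    while read -r u; do
        if in_group "$u" wheel "$GROUP"; then echo "info $u has a shell and is in wheel (can su)"
        else echo "info $u has a shell, not in wheel"; fi
    done
    if keyfile_perms_ok "$GOOD_KEYS"; then echo "ok   authorized_keys permissions"
    else echo "FAIL authorized_keys is group/world writable"; rc=1; fi
    return $rc
}

audit
```

Run it as-is to see the report on the sample files; a FAIL line means the corresponding step of the howto is missing on the audited system.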

EOF
