My previous post showed that my home PC gets hit by about 35 remote login attempts a day just by having port 3389 forwarded to it. More concerning is the MS Security Bulletin released last week showing serious vulnerabilities in RDP. To add another layer of security, I set up an SSH server on an old Raspberry Pi with only RSA authentication. Remoting into my PC now requires two-factor authentication, as you need not only the password to access the PC but also the private key I keep on me at all times. Something you know and something you have.

The setup is a Raspberry Pi Model B, nothing special, with Raspbian. During the install I opted out of the graphical install and enabled SSH login, because this thing is going to hide somewhere out of the way and run headless. I created a new user and deleted the default pi user to add a little obscurity.

I installed puttygen and putty on my home PC and then created the RSA key in puttygen. If you set a passphrase on the key, you will have to enter it every time you start the SSH tunnel. If you save sessions in putty, this might be a good idea. However, if someone on the bus got ahold of the key file, they would have to recognize it as a private key, know your IP address, and know the target protocol before they could get access. I did set a password, for what it is worth.

Puttygen outputs a public key for pasting into the authorized_keys file, which had to be created.

On the Pi:

nano ~/.ssh/authorized_keys

Paste the public key as is, on a single line, then save and close.

Now make sure that authorized_keys is readable and writable only by the user:

chmod 600 ~/.ssh/authorized_keys

If you haven’t already determined the local IP address of the Pi, you can run sudo ifconfig to get it. Make sure the router forwards port 22 to that address.

Now on to putty: enter the target IP address and choose the SSH connection type. In the left-hand frame, navigate to:

Connection > Data: input the “Auto-login username”

Connection > SSH > Auth: Browse to the private key file made earlier in puttygen (it has a .ppk extension)

Connection > SSH > Tunnels: I put “Source port” as 13389 (although apparently any port that isn’t 3389 would work), and the destination as the internal IP of the PC I am attempting to RDP to, followed by :3389 (e.g. 10.0.0.2:3389)

Finally, after all that, save the setup in the Session section. Putty is a PITA with its interface. Run it, enter the RSA passphrase, and you should have a shell terminal.

Last bit: open Remote Desktop Connection in Windows and type 127.0.0.1:13389

Job done. You will see a little bit more latency with this connection but it is much more secure. Harden the SSH server next.

In the console shell:

sudo nano /etc/ssh/sshd_config

We want to remove the password authentication ability, so only the key can be used. We also want to remove the ability for remote root access. Find and change PasswordAuthentication to no, and PermitRootLogin to no. If either is commented out, remove the comment marker.

OK, we're all set. To connect via SSH tunnel you can now take your private key to any other machine and use the same method, like with a thumb drive or your easily compromised smartphone!

UPDATE: I added fail2ban, as within 24 hours I had almost a hundred attempts on the SSH server. Limited to 2 attempts, 24h ban.

UPDATE UPDATE: Because of a recently exposed vulnerability, add these lines to sshd_config:

KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
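
To check that the sshd_config edits above actually took, here is an added example (not part of the original post) that reports the effective value of the four keywords this post sets. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): report the effective value of
# the sshd_config keywords this post changes. sshd keeps the FIRST value it
# reads for a keyword, ignores '#' lines, and matches keywords
# case-insensitively, so a commented-out "no" changes nothing.

# effective_value FILE KEYWORD: first uncommented global value, or "unset".
# Assumes the usual whitespace-separated "Keyword value" form.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); found = 0 }
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # only audit the global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd FILE: returns 0 only if all four keywords are explicitly "no".
audit_sshd() {
    rc=0
    for key in PasswordAuthentication PermitRootLogin \
               KbdInteractiveAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "OK    $key $val"
        else
            echo "CHECK $key $val"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: one setting still commented out, one shadowed by an
# earlier "yes", one commented out again, one correct.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PermitRootLogin yes
PermitRootLogin no
#KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
EOF
audit_sshd "$sample" || echo "sample config is not hardened yet"
```

On the Pi, point audit_sshd at /etc/ssh/sshd_config instead of the sample. Running sudo sshd -T prints the values the daemon itself resolves, and edits only take effect once the SSH service is restarted.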