Home Network Security - SSH/Linux

pcm81

Senior member
Mar 11, 2011
Hello all,
Recently I switched my main PC to Linux (so now I'm learning about Linux networking) and have a couple of Raspberry Pis, printers and a NAS on my home network. I have a couple of network security questions regarding open ports etc.

1. Is there a difference in overall security between opening up one port on my router, which is forwarded to one SSH port on one Raspberry Pi 2 (let's call it the gateway), and restricting communication to other devices to LAN traffic via SSH sessions from the gateway, vs. opening multiple ports on the router which are forwarded to SSH ports on network devices?
2. Is it safer to have a single SSH certificate for all devices, or is it better to have separate ones for all devices (but then the certs would be stored either on my remote tablet or on my "gateway" machine)?
3. I have a network-attached power switch, which I can use to hard-reset a machine if it freezes. Is it a bad idea to use this device as a gateway, or perhaps to have its SSH port opened via the router? If I leave it open only to local network traffic and my "gateway" freezes, I will be out of luck hard-resetting it (the gateway). I can turn on/off/restart power outlets via an SSH command to this power switch.

Anything I forgot?

I read a network security book back in the 90s; is there any new reading material I should consider? I'm looking for a good reference manual, kind of like a "network security bible".

Thanks ahead
 

smakme7757

Golden Member
Nov 20, 2010
1. It's a very good idea to open a single port to a secured "gateway" machine on your internal network. From that machine, you could then jump to other machines.

That would at least put your important machines another hop away from the internet and force any attacker to compromise that machine first.

2. If I were you I would create a strong public/private key pair to log into the gateway machine and just use user/password on all other machines in your internal network.

Having unique certificates for every machine on your internal network would become a nightmare to maintain. You would have to have different passwords on all private keys to make it worthwhile and so on.

3. The gateway machine should be a single machine on your network that only has a single function - being a gateway to jump to other servers. Have the least amount of software on that machine possible.

Also, don't have too much complexity in your design. If it becomes too much to manage you will take shortcuts. Just keep it simple. A common mistake is to think that complexity makes for better security. It's not always the case.
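As an added example (not code from the thread or from OpenSSH), here is the check a practitioner would run against the gateway's sshd_config before forwarding that one router port to it: password logins off, root logins off, keyboard-interactive off, and an explicit AllowUsers list. The script models the two sshd parsing rules that trip people up (the first occurrence of a keyword wins, and everything after the first Match line is conditional); on the real box you can confirm the effective settings with `sshd -T`. From the client side, the internal machines are then reached through the gateway with `ssh -J gateway pi2` or a `ProxyJump gateway` line in ~/.ssh/config. Both sample configs below are constructed, and the account name "jumpuser" is an assumption.

```python
"""Audit an sshd_config the way you would check a key-only jump host.

Added example for this thread, not code from OpenSSH.  It models the two
parsing rules that matter for an audit: keywords are case-insensitive and
the FIRST occurrence of a keyword wins, and everything after the first
'Match' line is conditional, so the global audit stops there.  Both sample
configs are constructed for the example."""
import re

# keyword -> (value a key-only jump host should have, OpenSSH's default when unset)
REQUIRED = {
    "passwordauthentication":       ("no",  "yes"),
    "pubkeyauthentication":         ("yes", "yes"),
    "permitrootlogin":              ("no",  "prohibit-password"),
    "kbdinteractiveauthentication": ("no",  "yes"),
    "permitemptypasswords":         ("no",  "no"),
    "x11forwarding":                ("no",  "no"),
}

# 'Keyword value' or 'Keyword=value'; sshd only treats lines STARTING with '#' as comments
_KV = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_global(text):
    """Effective global settings: lower-cased keys, first occurrence wins, stop at Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":          # per-user/host overrides follow; not part of the global audit
            break
        settings.setdefault(key, value)   # a later duplicate is ignored, as sshd does
    return settings


def audit(text):
    """Return a list of findings; an empty list means the gateway config passes."""
    cfg = parse_global(text)
    findings = []
    for key, (want, default) in REQUIRED.items():
        got = cfg.get(key, default).lower()
        if got != want:
            source = "set" if key in cfg else "default"
            findings.append(f"{key} is '{got}' ({source}), want '{want}'")
    # without an allow-list, every local account (service accounts included) may try to log in
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups set")
    return findings


WEAK = """\
# constructed sample: a stock-looking sshd_config on the gateway
Port 22
#PermitRootLogin prohibit-password
PubkeyAuthentication yes
passwordauthentication yes
# sshd keeps the FIRST value it saw for a keyword, so this line has no effect:
PasswordAuthentication no
"""

HARDENED = """\
# constructed sample: key-only jump host ('jumpuser' is an assumed account name)
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowUsers jumpuser
# the override below applies only to 'backup' and must not fool the global audit
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

The WEAK sample is the common mistake in practice: someone appends `PasswordAuthentication no` at the bottom of a distro config that already says `yes` higher up, and sshd keeps the first value, so passwords stay enabled.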
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Also, any machine that has a port open to the internet should be on a separate VLAN with firewall rules that isolate it as much as possible from the main network. I have an "internet-facing" VLAN that I put all those types of services on, and I treat each box on that VLAN as if it were actually facing the internet. I then do the port forwards as normal. They're still behind the NAT, but if one of the services (e.g. a Minecraft server) has a remote code execution exploit that allows an attacker to basically get shell access to the system, they won't be able to get into the rest of the network.

Also, for anything such as remote SSH access you should have fail2ban or equivalent to protect from brute-force attacks, and use a non-default port; this is mostly to keep your logs clean of all the bots.
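As an added example (not fail2ban's code and not from the thread), this is the core of what the fail2ban sshd jail does with the gateway's auth.log: count failed logins per source address inside a sliding window and ban whoever crosses the threshold. The `maxretry` and `findtime` parameters mirror fail2ban's jail options of the same names, and the log lines are constructed. It also shows the caveat a practitioner should know: a slow attacker spaced ten minutes apart never trips the default 600-second window, which is why the real protection on the gateway is key-only authentication and fail2ban is mainly for log hygiene, as the post says.

```python
"""Flag source IPs that fail SSH authentication too often, the core of what
fail2ban's sshd jail does on the jump box's auth.log.

Added example for this thread, not fail2ban's own code; the log lines are
constructed.  syslog lines carry no year, so the year is a parameter here
(fail2ban assumes the current year)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# constructed sample auth.log from the gateway: one fast brute force, one
# legitimate user who mistyped once, and one slow attacker
AUTH_LOG = """\
Mar 11 10:00:01 gateway sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 11 10:00:03 gateway sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 11 10:00:04 gateway sshd[2105]: Failed password for invalid user pi from 203.0.113.7 port 51004 ssh2
Mar 11 10:00:06 gateway sshd[2107]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 11 10:00:09 gateway sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51008 ssh2
Mar 11 10:01:00 gateway sshd[2120]: Failed password for alice from 192.0.2.44 port 40000 ssh2
Mar 11 10:01:05 gateway sshd[2122]: Accepted publickey for alice from 192.0.2.44 port 40002 ssh2
Mar 11 10:30:00 gateway sshd[2200]: Failed password for root from 198.51.100.9 port 60000 ssh2
Mar 11 10:40:00 gateway sshd[2201]: Failed password for root from 198.51.100.9 port 60001 ssh2
Mar 11 10:50:00 gateway sshd[2202]: Failed password for root from 198.51.100.9 port 60002 ssh2
Mar 11 11:00:00 gateway sshd[2203]: Failed password for root from 198.51.100.9 port 60003 ssh2
Mar 11 11:10:00 gateway sshd[2204]: Failed password for root from 198.51.100.9 port 60004 ssh2
"""

# timestamp, then the source address of a failed password/publickey attempt
FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \w+ for .*? from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(stamp, year):
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log, maxretry=5, findtime=600, year=2011):
    """Return {ip: time of ban} for IPs with >= maxretry failures inside findtime seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m.group(1), year), m.group(2)
        if ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()           # expire failures older than the window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def drop_rules(bans, port):
    """iptables rules that drop further SSH connections from each banned IP."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    print("default findtime=600:", find_bans(AUTH_LOG))
    print("findtime=3600:       ", find_bans(AUTH_LOG, findtime=3600))
    for rule in drop_rules(find_bans(AUTH_LOG), port=2222):
        print(rule)
```

With the defaults only 203.0.113.7 is banned (five failures in eight seconds); widening `findtime` to 3600 also catches 198.51.100.9, while alice's single typo never comes close. The generated `iptables` lines use the non-default port from the post; fail2ban's own action maintains a dedicated chain instead of inserting into INPUT directly, but the effect is the same.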
 

CubanlB

Senior member
Oct 24, 2003
The beauty of a jump box is that you have a LOT of control over what it talks to going through your firewall, and it is way easier to collect good logs from the jump box than from all of your devices and act on the logs (and hopefully alerts sent to you).

You are going to get more mileage out of rotating your keys more often vs. having more keys to keep track of.