ssh tunnel - how good?

[adam1701]

I use an SSH tunnel for all of my internet usage. How secure is this? If someone looks at the packets, what can they tell? (apart from the destination..)

cheers

[Jay]

they can probably tell its SSH and that's about it. SSH isn't as secure as everyone thinks though.

[TheAnimus]

tell that to the openbsd team!

[aidanjt]

I use an SSH tunnel for all of my internet usage. How secure is this? If someone looks at the packets, what can they tell? (apart from the destination..)

cheers

As long as the server is well configured and you have your public RSA key on it, it's very very secure. SSH1 has some known vulnerabilities however.

[Lourdes]

Nobody is interested in your internet traffic, really. That's rather paranoid. And from the end of your tunnel to the destination it's not encrypted unless you only visit SSL sites.

[adam1701]

Nobody is interested in your internet traffic, really. That's rather paranoid. And from the end of your tunnel to the destination it's not encrypted unless you only visit SSL sites.

you don't know my situation, and yes, I'm only worried about traffic travelling over the network im using, once its on the internet im happy.

[peterb]

Lourdes has confused SSL with SSH.

SSH is an encryption system that uses well known (and secure) cryptographic techniques to protect the packet contents, but the packet headers are not encrypted so the source and destination addresses are in clear. SSH also provides an authentication procedure using PKI techniques, so unless you are likely to be specifically targeted, it is unlikely that your traffic can be decrypted - and provided you take appropriate precautions to protect your private key you should be OK.

I use SSH to remotely connect to my server - it is regularly attacked (although not AFAIK a directed attack, and so far it has protected me - but that is the authentication side).

If you haven't already done so, visit the SSH website or Google SSH) and download the manuals. There are a number of configuration files (sshd.conf and ssh.conf are the two important ones) that you need to pay attention to, if only to understand the potential weaknesses of mis-configuration.

Like any security mechanism, it can be weakened by poor configuration or management.

http://www.openssh.com/manual.html

[Jay]

One of the biggest faults I have seen with sshd.conf and ssh.conf is incorrect security settings on the files.

[peterb]

One of the biggest faults I have seen with sshd.conf and ssh.conf is incorrect security settings on the files.

Indeed - and as I mentioned in my post above, any security mechanism can be negated by poor configuration. However the measures you impose and the effort you put into securing your system comes down to a risk assessment - the likelihood of an attack, and the impact if it is successful, against the effort (and perhaps cost) of increasing the security posture to mitigate the risk.

One example is the configuration file line that allows or disallows password authentication. If you are using PKI authentication, this should be disabled - it then ONLY possible to login using the private key. But this is something you need to do manually! Look at the documents I linked to above! You need to consider how SSH will act in conjunction with othert security mechanisms that may be in place (PAM for example). In most cases the default will be sufficient, but you should at least review it to be certain that the default is satisfactory.


Security is not a 'fit and forget' capability - at the very least the logs need monitoring, and the overall security policy and posture of the system needs periodic review. And this is true of any computer system regardless of operating system!