Setup SSH Gateway on Raspberry Pi

Linux Security

Looking for something to use your Raspberry Pi for? I had a Mk1 Raspberry Pi lying around and thought it might be good to set it up as an SSH gateway, so I could easily and securely access my home machines when out and about.

These instructions assume you have a Raspberry Pi with Raspbian Jessie installed. I'm also assuming you have enabled SSH and created a named account which you have already used to SSH to the Raspberry Pi over your network.

These instructions also move SSH onto a non-standard port, set up two-factor authentication using Google Authenticator, and set up Fail2Ban so that brute-force login attempts are blocked.

Assuming you've done this, you are ready to start. Note that you should run apt-get update and apt-get upgrade first to ensure you are running the latest security updates.

SSH and Google Authenticator Configuration

1. First, disable root login via SSH.

sudo nano /etc/ssh/sshd_config

Change the PermitRootLogin line so that it reads PermitRootLogin no.

2. Within the same file, change the port number from 22 to something non-standard, such as 2222, by changing the line Port 22 to read Port 2222.

3. At this point reboot the Raspberry Pi, then attempt to log in on port 2222. Don't go any further until you have this working.

4. Now install the Google Authenticator PAM module.

# sudo apt-get install libpam-google-authenticator

5. Once it is installed, run google-authenticator. Make sure you are logged in as the user you will be SSHing into the box as, so that the authenticator configuration is written to that user's home directory.

# google-authenticator

Answer yes to all the prompts in the wizard, and make a note of the scratch codes in case you need them in future.

6. At the end you'll see a QR code. Now get out your smartphone and install the Google Authenticator app from your device's application store.

7. Scan the QR code with the app, or enter the secret key manually. When done, your phone and your Raspberry Pi are paired through Google Authenticator: the app generates the codes the Pi will accept for authentication.

8. Finally, configure SSH to use Google Authenticator as part of the authentication process, so that you need to enter your username and password followed by the code generated on your phone to log on.

9. Open /etc/pam.d/sshd with sudo nano /etc/pam.d/sshd and add the following line to the end of the file:

auth required pam_google_authenticator.so

10. Next open /etc/ssh/sshd_config, locate the ChallengeResponseAuthentication line (normally set to "no") and set it to "yes".

11. Finally, restart the SSH server.

# sudo /etc/init.d/ssh restart

Do not close the SSH session you are working in: if something has gone wrong you can still use it to debug. Open a new SSH session instead; you should be prompted for your password followed by the verification code, and all being well you will log in fine.

Common issue: check that the timezone and time are set correctly on the Raspberry Pi. If they are not, your connection attempts will be rejected, because the codes are derived from the current time and the Pi will be expecting a different code from the one your phone shows.
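To show what the pairing in steps 5 to 7 actually establishes, here is an added example, not from the original post and not code from the google-authenticator project. It implements the TOTP algorithm (RFC 6238) that both the phone app and the PAM module run: a shared base32 secret, HMAC-SHA1 over the current 30-second time step, and a 6-digit code. The secret used is the RFC 6238 test secret, not one from a real setup, and the one-step-either-side window mirrors the skew allowance the google-authenticator wizard describes. Because the code depends on the clock, it also shows why a wrong time or timezone on the Pi produces the rejected logins mentioned above.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code, the google-authenticator default
DIGITS = 6       # length of the code shown in the app

# RFC 6238 test secret ("12345678901234567890" in base32); constructed for the
# demo, not a secret from a real ~/.google_authenticator file.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(base32_secret: str) -> bytes:
    """Decode the base32 secret, adding the '=' padding the QR code omits."""
    s = base32_secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(base32_secret: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(decode_secret(base32_secret), at // step)


def verify(base32_secret: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side.

    window=1 matches the wizard's default of allowing one extra code before
    and after the current one, to absorb small clock skew between phone and Pi.
    """
    secret = decode_secret(base32_secret)
    current = at // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, current + delta).encode(), code.encode())
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code for this 30-second step:", code)
    print("accepted now:", verify(DEMO_SECRET, code, now))
    # A Pi whose clock is five minutes out would reject the very same code.
    print("accepted with 5 min skew:", verify(DEMO_SECRET, code, now + 300))
```

Run it as a script to see a live code for the demo secret, and note the last line: the same code is rejected once the server's idea of the time drifts beyond the window, which is exactly the failure the common issue above describes.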

Tip: Check your logs for any errors with: sudo cat /var/log/auth.log | more

You will also need to have opened port 2222/TCP on your firewall and forwarded it to the IP address of your Raspberry Pi, if you want to access it externally.

Fail2Ban Install and Configuration

We will now install Fail2Ban and configure it to watch port 2222/TCP, which we are now using for SSH: after two password failures, the source IP address will be added to the block list permanently. The configuration for the different services can be found in /etc/fail2ban/jail.conf. The default configuration only monitors SSH and bans a suspicious IP for 600 seconds after 6 unsuccessful attempts.

1. Firstly install fail2ban with:

# apt-get install fail2ban

2. Then edit the file /etc/fail2ban/jail.local; you may need to create it if it does not yet exist.

# vi /etc/fail2ban/jail.local

3. Once you are editing the file add the following:

[ssh]
banaction = iptables-allports
bantime = -1
maxretry = 2

This blocks all IP traffic from a host forever once it has made two failed connection attempts.

Then edit the file /etc/fail2ban/jail.conf. Within the DEFAULT section, add your local subnet (e.g. 192.168.1.0/24) to the ignoreip line so that you cannot lock yourself out:

ignoreip = 127.0.0.1/8 192.168.1.0/24

Then in the [ssh] section add the additional port 2222 to the port line so the section reads:

[ssh]
enabled  = true
port     = ssh,2222
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

4. To stop these blocks disappearing after a reboot, add the following line to the end of the actionstart block in /etc/fail2ban/action.d/iptables-allports.conf, indented like the lines already there (it must come after them, because those lines create the fail2ban-<name> chain the loop inserts into):

cat /etc/fail2ban/ip.list-<name> | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done

and the following line to the end of the actionban block:

echo '<ip>/24' >> /etc/fail2ban/ip.list-<name>

These settings mean that any banned IP address is appended to /etc/fail2ban/ip.list-<name> (<name> is the jail name, so ip.list-ssh here) and, after a restart of the Pi, re-added to the iptables firewall when the jail starts. Note that the '/24' blocks the whole /24 subnet; omit it from the echo command above if you only want to block on an IP-by-IP basis.

Restart the fail2ban service:

# sudo service fail2ban restart

Over time you'll see some IPs that are permanently banned. Check the block rules in iptables with:

# sudo iptables -L -n --line
