Remote Access SSH, Mosh, ZSH, TMUX

Posted on Tue 02 January 2024 in Security

Having secure remote access that is still convenient is key when you are travelling. My setup is very old, but it still works perfectly. The remote access I need is mostly terminal access, as I have a lot of terminal tools for reaching my important data remotely.

SSH and MOSH

I use ssh directly, which works fine if you have a stable connection. Since I live in Germany, where mobile coverage is patchy, you will have connection problems from time to time when travelling by train or motorway. SSH then loses the connection and you have to reconnect. If you run screen or tmux on the machine you connect to, this only costs a reconnect and you can carry on where you left off, but it is still annoying and can be improved. This is the scenario mosh was made for. Mosh authenticates and starts its server over a normal SSH connection, then switches to its own UDP-based protocol, so the session reconnects automatically as soon as the network is back. No manual reconnect is needed: even if you put your laptop to sleep and come back hours later, or roam to a different IP address, you land directly in your running session. Two things to keep in mind: the server needs inbound UDP open for mosh (ports 60000 to 61000 by default), and your SSH hardening still matters, because mosh relies on SSH for the login.

You should know that most default ssh configurations are designed with compatibility in mind. This means that you should harden the configuration before running it in production. Check the sshaudit.com website for help and information on how to improve the sshd configuration for security.

Following the configuration guidelines published on sshaudit.com will help to speed up the changes. Here are the main improvements you should consider:

  1. Use SSH keys for authentication and turn off password authentication (PubkeyAuthentication is on by default; KbdInteractiveAuthentication also covers the PAM-driven password prompts many distributions use):

        PasswordAuthentication no
        PermitEmptyPasswords no
        KbdInteractiveAuthentication no

  2. Disable weak encryption algorithms and allow only modern ones. This is just an example; the same guides also restrict KexAlgorithms and MACs:

        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

  3. Disable weak host key algorithms and require a sensible minimum RSA key size (RequiredRSASize needs OpenSSH 9.1 or later):

        HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
        RequiredRSASize 3072

  4. Disable root login:

        PermitRootLogin no

  5. Only allow defined users to connect:

        AllowUsers <username>

  6. Set up fail2ban to block brute-force attempts against the SSH port.

     In my case I use fail2ban with the iptables or firewalld backend. After too many failed login attempts it blocks access to the attacked port with a firewall rule.

Before reloading sshd, run sshd -t to syntax-check the configuration, and keep your current session open until a fresh connection with the hardened settings succeeds; a typo in sshd_config can otherwise lock you out of a remote machine.
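To check that a server actually ends up with the settings from the list above, the following script audits an sshd_config against that checklist. It is an added example written for this post, not code from the original article and not part of the ssh-audit tool. It reads the file the way sshd does for the keywords that matter here: keywords are case-insensitive, the first occurrence of a keyword wins (so a drop-in pulled in by an Include at the top of the file overrides everything below it), the deprecated ChallengeResponseAuthentication alias maps to KbdInteractiveAuthentication, and Match blocks are conditional overrides, so parsing stops at the first one. Absent keywords are compared against OpenSSH 9.x defaults. Both sample configurations are constructed for the demonstration.

```python
"""Audit an sshd_config against the SSH hardening checklist from the post.

Added example, not the post's own code. Parses the global section of an
sshd_config (first occurrence wins, stops at the first Match block) and
reports deviations from the checklist. Sample configs are constructed.
"""
import re

# Keyword -> value the checklist requires (compared case-insensitively).
EXPECTED = {
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
}

# What sshd uses when a keyword is absent (OpenSSH 9.x defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "requiredrsasize": "1024",
    "ciphers": "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
               "aes128-gcm@openssh.com,aes256-gcm@openssh.com",
}

# Deprecated keyword that sshd still accepts as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

ALLOWED_CIPHERS = {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                   "aes128-gcm@openssh.com"}
SHA1_OR_DSA_HOSTKEYS = {"ssh-rsa", "ssh-dss"}
MIN_RSA_BITS = 3072


def parse_sshd_config(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) < 2:
            continue
        key, value = ALIASES.get(parts[0].lower(), parts[0].lower()), parts[1].strip()
        if key == "match":
            break  # everything below is conditional, not the global policy
        settings.setdefault(key, value)  # sshd ignores later duplicates
    return settings


def effective_ciphers(value):
    """Expand the '+', '-' and '^' list modifiers sshd accepts for Ciphers."""
    default = DEFAULTS["ciphers"].split(",")
    if value.startswith("+"):
        return default + value[1:].split(",")
    if value.startswith("^"):
        return value[1:].split(",") + default
    if value.startswith("-"):
        removed = set(value[1:].split(","))
        return [c for c in default if c not in removed]
    return value.split(",")


def audit(text):
    """Return a list of findings; an empty list means the checklist is met."""
    s = parse_sshd_config(text)
    findings = []
    if "include" in s:
        findings.append("include present: files it pulls in are applied at that point and, "
                        "with first-occurrence-wins, override everything below; audit them too")
    for key, want in EXPECTED.items():
        got = s.get(key, DEFAULTS[key])
        if got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    weak = [c for c in effective_ciphers(s.get("ciphers", DEFAULTS["ciphers"]))
            if c not in ALLOWED_CIPHERS]
    if weak:
        findings.append("ciphers allows non-AEAD algorithms: " + ",".join(weak))
    if int(s.get("requiredrsasize", DEFAULTS["requiredrsasize"])) < MIN_RSA_BITS:
        findings.append(f"requiredrsasize below {MIN_RSA_BITS}")
    hk = s.get("hostkeyalgorithms", "")
    if not hk.startswith("-"):  # a '-' list removes algorithms, nothing to flag
        bad_hk = SHA1_OR_DSA_HOSTKEYS & set(hk.lstrip("+^").split(","))
        if bad_hk:
            findings.append("hostkeyalgorithms includes SHA-1/DSA: " + ",".join(sorted(bad_hk)))
    if "allowusers" not in s:
        findings.append("allowusers not set: any local account may log in")
    return findings


# Constructed sample: roughly what a distribution ships, plus a bad tweak.
WEAK_CONFIG = """
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Ciphers +aes128-cbc
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: the settings from the checklist in this post.
HARDENED_CONFIG = """
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
RequiredRSASize 3072
PermitRootLogin no
AllowUsers alice
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against your real file with `audit(open("/etc/ssh/sshd_config").read())`, and remember that the script does not follow Include directives, so any drop-ins under sshd_config.d need to be audited as well. Host key algorithms are only flagged when the SHA-1 ssh-rsa or DSA ssh-dss names appear explicitly; an absent HostKeyAlgorithms keeps the OpenSSH default, which is not checked here.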

tmux

Another part of this environment is tmux, a terminal multiplexer like screen. I switched from screen to tmux a few years ago, and it is still my preferred terminal multiplexer. It lets you run multiple terminals within one session: you can split and arrange them, detach from the session and reattach later with your tools still running. Think of it as a window manager for the terminal, like the one you have in a graphical environment. If you are not familiar with it, you should check it out.

ZSH

ZSH is the shell I use for all of this. It is fun to use, and there are well-designed themes that show important information, such as the git status of the current directory, in a prompt that looks the way you want it. The auto-completion, even for command options, is a real productivity boost and makes working in the terminal fun. For an easy setup you can use oh-my-zsh to improve your zsh very quickly. Note that its install script pulls plugins and themes into your environment, and its auto-update fetches new code from the upstream repository on a schedule. It is a nice way to test and manage your zsh, but for security reasons you may not want code pulled into your systems by the auto-update functionality; review what you install and disable automatic updates on machines you care about.