Steps to take to make sftp into MBL as secure as possible

I’ve got sftp up and running on my mybooklive.  But I want to make it as secure as possible.

Any recommendations on things I can do to make it more secure?

I was thinking that changing to a port other than 22 would be one step, yes? If so, how can I do that?

Is it possible to set a router so it only allows certain devices (with known MAC addresses) access to the sftp port? I use XBMC and Allway Sync with sftp with some devices.

SFTP and SCP are protocols that run under SSH. In a few words, it cannot get more secure than that.

Now, there are a few other things you can do, but not really to make it more secure. It would help with hackers scanning your IP from the outside/inside, though, of course, only until it is found.

  • Changing the port is an option. However, you can keep 22 on the NAS and open a different one to the internet. In a few words, the router will listen on port x and forward to port 22.

  • The MBL runs Debian Lenny, so yes, you could allow only some IPs to connect. However, you would need to be an advanced user to set this up, as you have to take into consideration lots of other things, such as WD’s software and all its settings.

  • Third, yes, you might be able to set up the router to permit/deny connections. But it all depends on the router. Some have the options, some don’t.

Finally, the OS on the MBL is Debian Lenny, so in a few words, you can make it do anything you want. Especially if you are a Linux expert.

Thanks a lot Shabuboy.

Well, I know virtually zero about linux except what I’ve done so far.  So I guess most of those options are out for me.

I’ll change the port though. I guess I didn’t mean just the protocol being more secure, but reducing the risk of a hacker breaking into my network overall, since opening ports is always a risk (I assume).

My Asus RT-AC66U router does have a “whitelist” option. I assume that means I can limit who can connect in, so I’ll do that too.

Posted the same question on a board focused on my router, the Asus RT-AC66U.

There’s a brute force detection option under Administration/System/Miscellaneous if you’ve installed the Asus-Merlin custom firmware (maybe stock firmware too, but I don’t know).

They said that just using that brute force detection option and a strong password alone can make your system almost impossible to break into (the guy who responded is a real expert; he wrote the Merlin firmware). They also suggested RSA keys, but I think that’s too advanced for me, and I feel good enough about security now anyway.

Maybe other routers have these options too.  Just posting in case someone else has the same question I had.
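Whatever a router or firmware calls its brute force detection option, underneath it is a count of failed logins per source address. As an added example (not code from the thread, from Asus-Merlin or from WD), the shell script below runs that logic over a few constructed /var/log/auth.log lines in the Debian syslog format the MBL's sshd writes. The host name, addresses, account names and the threshold of 5 are all made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Merlin firmware: the
# counting a "brute force detection" option rests on, run over constructed
# auth.log lines. Host name, IPs, user names and threshold are assumptions.

# Constructed sample of /var/log/auth.log: one external address hammering the
# NAS with guessed account names, one LAN user mistyping a password twice,
# and one successful login.
sample_auth_log() {
    cat <<'EOF'
Jan 12 03:14:22 MyBookLive sshd[2345]: Invalid user admin from 203.0.113.7
Jan 12 03:14:22 MyBookLive sshd[2345]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:25 MyBookLive sshd[2347]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:27 MyBookLive sshd[2349]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 12 03:14:30 MyBookLive sshd[2351]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:33 MyBookLive sshd[2353]: Invalid user pi from 203.0.113.7
Jan 12 03:14:33 MyBookLive sshd[2353]: Failed password for invalid user pi from 203.0.113.7 port 51242 ssh2
Jan 12 03:14:36 MyBookLive sshd[2355]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 12 03:20:01 MyBookLive sshd[2360]: Failed password for nasuser from 192.168.1.20 port 40010 ssh2
Jan 12 03:20:05 MyBookLive sshd[2360]: Failed password for nasuser from 192.168.1.20 port 40010 ssh2
Jan 12 03:20:09 MyBookLive sshd[2360]: Accepted password for nasuser from 192.168.1.20 port 40010 ssh2
EOF
}

# List source addresses with at least THRESHOLD failed password attempts,
# together with the number of distinct account names tried from each. Many
# distinct names from one address is the signature of user-name guessing.
# Usage: find_bruteforcers LOGFILE THRESHOLD
find_bruteforcers() {
    awk -v threshold="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The address follows the word "from"; the account name is the
            # field just before it (after "invalid user" when the account
            # does not exist on the box).
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    printf "%s %d failures %d distinct user names\n", ip, fails[ip], users[ip]
        }
    ' "$1" | sort
}

# Demo: the external address with six failures and three guessed names is
# flagged; the LAN user's two typos stay under the threshold.
demo_log=$(mktemp)
sample_auth_log > "$demo_log"
find_bruteforcers "$demo_log" 5
rm -f "$demo_log"
```

The regex is deliberately narrow: the plain "Invalid user" lines are not counted, only actual failed authentications, so a script like this does not double-count a single attempt. On the NAS itself the same output is what you would feed into iptables DROP rules or a tool such as fail2ban; the router option does the equivalent one hop earlier.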

You might also want to disable root access.

Common names (root, admin, etc.) are easy targets for brute force attacks.

If someone wants to get access, they can do a port scan and find the port.

But then they have to guess a user name.
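Shabuboy's answer (restrict who may connect, change or forward the port) and the last reply (disable root, avoid guessable account names) both come down to a handful of lines in /etc/ssh/sshd_config. As an added example (not code from the thread or from WD's firmware), the shell script below renders such a config and audits any sshd_config for those settings. The port 2222, the account nasuser, the 192.168.1.* address pattern and the sftponly group are assumptions for the demo. OpenSSH's AllowUsers accepts user@pattern entries, which is the "only allow some IPs" idea without writing iptables rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from WD: render a hardened
# sshd_config for a Debian-based NAS such as the MBL, and audit an existing
# sshd_config for the settings discussed in the thread. Port, user name,
# address pattern and group name are assumptions for the demo.

# Effective value of a keyword in an sshd_config. sshd honours the first
# occurrence of a keyword, keywords are case-insensitive, and everything
# below a Match line is conditional, so reading stops at the first Match.
sshd_setting() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Render a minimal hardened sshd_config. Arguments: listening port, then one
# or more AllowUsers entries ("user" or "user@host-pattern").
render_sshd_config() {
    port="$1"; shift
    cat <<EOF
Port $port
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
# Only these accounts, and only from these addresses, may log in.
AllowUsers $*
# In-process SFTP server; members of the (assumed) sftponly group get an
# SFTP-only session with no shell and no port forwarding.
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding no
EOF
}

# Audit an sshd_config: print one line per weak or missing setting and
# return the number of problems found (0 means every check passed).
audit_sshd_config() {
    f="$1"; problems=0

    v=$(sshd_setting "$f" Port)
    if [ -z "$v" ] || [ "$v" = "22" ]; then
        echo "Port: default port 22 (fine only if the router forwards another port to it)"
        problems=$((problems + 1))
    fi

    v=$(sshd_setting "$f" Protocol)
    if [ "$v" != "2" ]; then
        echo "Protocol: set 'Protocol 2' explicitly so SSH protocol 1 stays off"
        problems=$((problems + 1))
    fi

    v=$(sshd_setting "$f" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin: must be 'no'; root is the first name attackers try"
        problems=$((problems + 1))
    fi

    v=$(sshd_setting "$f" PermitEmptyPasswords)
    if [ "$v" = "yes" ]; then
        echo "PermitEmptyPasswords: must not be 'yes'"
        problems=$((problems + 1))
    fi

    v=$(sshd_setting "$f" AllowUsers)
    if [ -z "$v" ]; then
        echo "AllowUsers: not set; list the accounts (and addresses) allowed to log in"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Demo: render a config for a non-standard port and one LAN-only account,
# then audit it. Expected: no problems reported.
demo_cfg=$(mktemp)
render_sshd_config 2222 'nasuser@192.168.1.*' > "$demo_cfg"
if audit_sshd_config "$demo_cfg"; then echo "OK: no problems found"; fi
rm -f "$demo_cfg"
```

As Shabuboy warns, WD's own software may manage this file, so keep a copy of the original, check the new one with `sshd -t` before restarting the daemon, and keep your current SSH session open while you test a fresh login, so a typo in AllowUsers or the port cannot lock you out of the NAS.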