build:ssh [2016/02/26 11:17] (current)
Craig Buchek old revision restored (2012/12/10 22:41)
====== SSH ======

SSH is the Secure Shell, a secure replacement for telnet. The OpenSSH client comes in the default Debian install. We've installed the OpenSSH server to provide for remote access to our systems.


===== Installation =====

Install the SSH client and server packages:

<code bash>
sudo apt-get install ssh openssh-server
</code>


===== Configuration =====

Fix it so ''root'' cannot log in, but allow selected commands, which will be authenticated by authprogs:

<code bash>
sudo sed -i -e 's/^PermitRootLogin .*$/PermitRootLogin forced-commands-only/' /etc/ssh/sshd_config
</code>

Edit ''/etc/issue.net'' to present a warning message to users connecting via SSH:

<code bash>
sudo sh -c 'echo "This system for use by BOOCHTEK employees ONLY. Unauthorized access prohibited." > /etc/issue'
sudo cp /etc/issue /etc/issue.net
</code>

Configure the SSH daemon to display the warning message:

<code bash>
sudo sed -i -e 's:^#Banner .*$:Banner /etc/issue.net:' /etc/ssh/sshd_config
</code>

Disable TCP port forwarding (suggested by http://kitenet.net/~joey/blog/entry/ssh_port_forwarding/):

<code bash>
sudo sh -c '/bin/echo -e "\n# Disable TCP port forwarding.\nAllowTcpForwarding no" >> /etc/ssh/sshd_config'
</code>

Require SSH keys; don't allow password authentication. NOTE: Be sure you have set up SSH keys for your accounts first!

<code bash>
sudo sed -i -e 's:^#PasswordAuthentication.*$:PasswordAuthentication no:' /etc/ssh/sshd_config
</code>

Only allow "real" users to log in via SSH. NOTE: Be sure you've added all your users to one of the specified groups.

<code bash>
sudo sh -c '/bin/echo -e "\n# Allow only users in these groups to log in. (NOTE: Must be space-separated.)\nAllowGroups users" >> /etc/ssh/sshd_config'
</code>


==== Auto-Logout on Idle ====

Configure the SSH daemon to automatically log users off if they're idle for more than 30 minutes.

<code bash>
sudo sh -c 'echo "ClientAliveInterval 30m" >> /etc/ssh/sshd_config'
sudo sh -c 'echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config'
</code>
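As an added check that is not part of the original page, the Python below resolves an sshd_config the way sshd does (the first active line for a keyword wins, so a value appended with ''>>'' is silently ignored when an earlier active line already sets it) and reports which of the settings applied above are missing or shadowed. The config text is a constructed sample; on a real host, ''sshd -T'' prints the daemon's own effective configuration and is the authoritative check.

```python
import re

# Settings this page applies to /etc/ssh/sshd_config (keywords lower-cased).
EXPECTED = {
    "permitrootlogin": "forced-commands-only",
    "banner": "/etc/issue.net",
    "allowtcpforwarding": "no",
    "passwordauthentication": "no",
    "allowgroups": "users",
    "clientaliveinterval": "30m",
    "clientalivecountmax": "0",
}

def effective_settings(config_text):
    """{keyword: value} as sshd resolves it: the FIRST active line for a keyword
    wins, so a value appended with '>>' is ignored if an earlier active line
    already sets it. Lines inside a Match block are skipped (conditional)."""
    settings, in_match = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$", line)  # 'Key val' / 'Key=val'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = value.lower() != "all"  # 'Match all' ends the block
        elif not in_match:
            settings.setdefault(key, value)  # first occurrence wins
    return settings

def audit(config_text, expected=EXPECTED):
    """(keyword, wanted, effective) for each setting missing, commented or shadowed."""
    actual = effective_settings(config_text)
    return [(k, v, actual.get(k)) for k, v in expected.items()
            if actual.get(k, "").lower() != v]

# Constructed sample config: Banner was never uncommented, and the appended
# 'PasswordAuthentication no' is shadowed by the earlier active 'yes'.
SAMPLE = """\
PermitRootLogin forced-commands-only
#Banner none
PasswordAuthentication yes
AllowTcpForwarding no
AllowGroups users
ClientAliveInterval 30m
ClientAliveCountMax 0
PasswordAuthentication no
"""
```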


===== Startup =====

Restart to have the settings take effect:

<code bash>
sudo /etc/init.d/ssh restart
</code>

NOTE: You can probably run ''/etc/init.d/ssh reload'' instead of ''/etc/init.d/ssh restart'' if you like.

Or just send the daemon a HUP signal to have it reread the configuration file and activate the changes:

<code bash>
sudo kill -HUP `cat /var/run/sshd.pid`
</code>


===== Testing =====

Log into the system as a user via SSH.

Log into the system as a user via sftp and try to transfer any file.

Try logging in as ''root'' via SSH. Make sure the access is denied, and that the attempt is logged.


===== Public Keys =====

The SSH server defaults to allowing logins via public-key authentication, so you don't need to enter a password for every login. To allow this for a given user account, first prepare the SSH authorized_keys file:

<code bash>
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
</code>

Generate a public/private key pair on the **client** (not the server). Be sure to protect the private key with a passphrase and proper file permissions. Then copy the public key from the client to the server. Assuming the client is UNIX-based, your key is named ''id_dsa.pub'', and you want to get to the ''user'' account on ''example.com'', you would do something like this:

<code bash>
# The remote command is a positional argument; ssh's -c option selects a cipher, not a command.
ssh user@example.com 'cat >> ~/.ssh/authorized_keys' < id_dsa.pub
</code>

(Many systems now come with an OpenSSH script named ''ssh-copy-id'' that can do this for you.)

If you're coming from Windows, be sure that the ''authorized_keys'' file entry is in the correct format. It's a single line containing space-separated fields: options (optional), key type (ssh-rsa or ssh-dss), the base64-encoded key, and an optional comment.
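The field layout just described, as an added example rather than anything from the original page: a parser that splits an authorized_keys line into options, key type, key and comment, handles quoted option values such as command="...", and checks that the type string encoded inside the base64 blob matches the textual type. It accepts the current key types as well as ssh-rsa and ssh-dss; the sample line uses a fake, constructed key.

```python
import base64
import struct

# Key types the page names (ssh-rsa, ssh-dss) plus the current ones; the
# type string embedded in the base64 blob must match the textual type.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_authorized_key(line):
    """Split one authorized_keys line into (options, keytype, blob, comment),
    raising ValueError if it is malformed. The optional leading options field
    is comma-separated, but a quoted value such as command="..." may contain
    spaces and commas, so the line cannot simply be split on whitespace."""
    line = line.strip()
    if line.startswith("----"):  # PuTTY/ssh.com export, not the one-line OpenSSH form
        raise ValueError("RFC 4716 format; export the OpenSSH one-line public key")
    i, in_quote = 0, False   # scan the first field, honouring double quotes
    while i < len(line) and (in_quote or not line[i].isspace()):
        if in_quote and line[i] == "\\":
            i += 1           # skip the escaped character
        elif line[i] == '"':
            in_quote = not in_quote
        i += 1
    first = line[:i]
    options, rest = ("", line) if first in KEY_TYPES else (first, line[i:])
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("missing or unknown key type")
    keytype, b64 = parts[:2]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)  # rejects non-base64 junk
    except ValueError:
        raise ValueError("key is not valid base64") from None
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])  # wire format: uint32 length + type string
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("encoded key type does not match " + keytype)
    return options, keytype, blob, comment

def _blob(*fields):
    """Length-prefixed SSH wire encoding (used only to build the sample)."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

# Constructed sample: a FAKE ssh-rsa key (e=65537, 64 zero bytes as n) with a
# forced command, the kind of entry forced-commands-only relies on.
SAMPLE_B64 = base64.b64encode(_blob(b"ssh-rsa", b"\x01\x00\x01", bytes(64))).decode()
SAMPLE_LINE = ('command="cat ~/.ssh/authorized_keys",no-port-forwarding ssh-rsa '
               + SAMPLE_B64 + " deploy@laptop")
```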


===== Blocking Attacks =====

We install Fail2ban to block attempted brute-force SSH attacks. We also considered BFD, BlockHosts, DenyHosts, and SSHguard. Only Fail2ban and DenyHosts are included in Debian (as of Lenny/5.0). We went with Fail2ban, because it integrates with Shorewall, and supports more than just SSH attacks. Of the others we looked at, SSHguard was a close second, having similar support to Fail2ban.

Installation is pretty straightforward:

<code bash>
sudo apt-get install fail2ban whois
</code>

Configuration was also pretty simple. We mainly just told it to use Shorewall and added one of our own networks (osRiver) to ignore.

<code bash>
IGNORE=205.159.194.0/24
# Double quotes so $IGNORE is expanded by this shell; inside single quotes the
# root shell started by sudo would see an unset variable and write an empty value.
sudo sh -c "cat > /etc/fail2ban/jail.local <<END
[DEFAULT]
banaction = shorewall
ignoreip = 127.0.0.1 $IGNORE
[ssh]
maxretry = 5
END"
sudo /etc/init.d/fail2ban reload
</code>


==== Bugs ====

Fail2ban (on Debian) has regexes in the default ''/etc/fail2ban/filter.d/sshd.conf'' for ''AllowUsers'' and ''AllowGroups'', but not ''DenyUsers'' and ''DenyGroups''. We don't need them, but others might.
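An added example (not from the original page) of the detection logic the Fail2ban filter performs, run over a constructed ''/var/log/auth.log'' excerpt: patterns modelled on the sshd filter, plus the DenyUsers and DenyGroups refusals noted above, are counted per source address with the maxretry and ignoreip values from the jail.local above. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Patterns modelled on the sshd failregex in fail2ban's filter.d/sshd.conf, plus
# two for the DenyUsers/DenyGroups refusals the Debian default filter lacks.
HOST = r"(?P<host>\S+)"  # plays the role of fail2ban's <HOST>
FAILREGEX = [re.compile(p) for p in (
    rf"Failed password for (?:invalid user )?\S+ from {HOST} port \d+",
    rf"Invalid user \S+ from {HOST}",
    rf"User \S+ from {HOST} not allowed because not listed in AllowUsers",
    rf"User \S+ from {HOST} not allowed because none of user's groups are listed in AllowGroups",
    rf"User \S+ from {HOST} not allowed because listed in DenyUsers",
    rf"User \S+ from {HOST} not allowed because a group is listed in DenyGroups",
    rf"ROOT LOGIN REFUSED FROM {HOST}",
)]

def hosts_to_ban(log_lines, maxretry=5, ignoreip=("127.0.0.1", "205.159.194.0/24")):
    """Count failregex hits per source address and return the set of addresses
    that reached maxretry, skipping ignoreip hosts/networks as fail2ban does.
    Defaults mirror the jail.local written above (maxretry 5, osRiver ignored)."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    hits = defaultdict(int)
    for line in log_lines:
        for rx in FAILREGEX:
            m = rx.search(line)
            if not m:
                continue
            try:
                addr = ip_address(m.group("host"))
            except ValueError:
                break  # a hostname rather than an address; not counted
            if not any(addr in net for net in ignored):
                hits[str(addr)] += 1
            break  # one hit per log line
    return {h for h, n in hits.items() if n >= maxretry}

# Constructed auth.log excerpt: five refusals from 198.51.100.7 (enough to ban),
# one from the ignored osRiver network, and a DenyUsers refusal from 203.0.113.9
# that the stock filter would not count.
SAMPLE_LOG = """\
Apr 29 20:17:01 host sshd[1234]: Invalid user admin from 198.51.100.7
Apr 29 20:17:03 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Apr 29 20:17:05 host sshd[1235]: Failed password for root from 198.51.100.7 port 51235 ssh2
Apr 29 20:17:07 host sshd[1236]: ROOT LOGIN REFUSED FROM 198.51.100.7 port 51236
Apr 29 20:17:09 host sshd[1237]: User guest from 198.51.100.7 not allowed because none of user's groups are listed in AllowGroups
Apr 29 20:17:11 host sshd[1238]: Failed password for bob from 205.159.194.10 port 40000 ssh2
Apr 29 20:17:13 host sshd[1239]: User eve from 203.0.113.9 not allowed because listed in DenyUsers
Apr 29 20:17:15 host sshd[1240]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2
""".splitlines()
```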


===== Logging =====

SSH access to the system is logged in ''/var/log/auth.log''.


===== Security =====

We've disabled direct root login via SSH.

The OpenSSH server and client come built with just about every feature possible to help ensure as secure a connection as possible.


===== Notes =====

While SSH replaces Telnet, we've kept the ''telnet'' client installed, because it's very helpful in troubleshooting network services by telnetting directly to the port the service runs on. The telnet client should never be used to log into a shell account. The telnet server should never be installed.


===== TODO =====

  * Installation suggested installing ''ssh-askpass'', ''rssh'', ''molly-guard''. Check into whether those might be of use.
build/ssh.txt · Last modified: 2016/02/26 11:17 by Craig Buchek