Dec 29

This is not mine; I found it at: Djatlantic – Linux & Trance Passions

Harden/Secure Openssh

I just compiled and set up OpenSSH (4.6p1, or 4.7 or 4.7p1) from scratch and I want to write something about it. I have done this quite a few times, and I think it is at the point where I need to write everything down and share what I have done with everybody else.

Like all other system admins, I have tried to find the perfect combination of settings to harden my OpenSSH servers to the most secure degree, and I have arrived at a setup that I feel quite comfortable and confident with.

Let’s start with the compilation and initial setup on Linux Fedora Core 6.
1. Download the latest Portable OpenSSH source code from openssh.org. At the time of writing, the software was released just a couple of days ago and is currently at version 4.6p1.
2. Download the latest zlib source code (version 1.2.3) from zlib.net.
# tar zxvf zlib-xxx.gz
# cd zlib-xxx
# ./configure
# make
# make install

These steps install the zlib files OpenSSH needs (under /usr/local/).
3. From the command line, install openssl-devel and pam-devel:
# yum install openssl-devel pam-devel
4. Unpack and compile OpenSSH
# tar jxvf openssh-xxx.bz2
# cd openssh-xxx
# ./configure --with-pam --with-zlib=/usr/local/ --with-ssl-dir=/usr/local/lib --with-tcp-wrappers --with-md5-passwords --disable-tcp-nodelay --with-ssh-connection-limit=8 --with-ipv4-default
# make
# make install
(Notice that in the configure step I enabled the TCP wrappers feature and compiled OpenSSH to work with PAM.)

After this we should have OpenSSH’s client executables in /usr/local/bin, the sshd server daemon in /usr/local/sbin, and ssh_config/ssh_key*/sshd_config in /usr/local/etc.

Since this is a bastion OpenSSH server, I need to secure it to the extent that I can go to sleep at night and have little worry about my OpenSSH server being under attack.

We need to edit /usr/local/etc/sshd_config, the configuration file for the OpenSSH server. Here are the entries that need to be mentioned for their security roles.

#To avoid automated attacks from script kiddies, we must change the default port.
#I personally also avoid anything like 222 or 222*, to avoid possible enumeration
#based on the default port value 22

Port 56565

#Nowadays only a very small percentage of servers/clients out there use protocol version 1.
#Besides that, we must use protocol 2 as it is improved and better secured than version 1
Protocol 2

#If your box has more than 2 interfaces, then you should specify which interface OpenSSH
#should listen on for connections
ListenAddress 192.168.24.15

#Good security practice never allows root to ssh into your server. This is a must
PermitRootLogin no

#AllowUsers allows only the listed users to ssh into your server
AllowUsers myuser

#Users need to log in successfully within 1 minute.
LoginGraceTime 1m

#For each connection, users can only try 4 times; after the second failure,
#all further failures are logged
MaxAuthTries 4

#This entry limits concurrent unauthenticated connections. The three numbers are start:rate:full:
#once 10 unauthenticated connections are pending, new attempts are refused with 30% probability,
#rising linearly to 100% when 60 are pending
MaxStartups 10:30:60

#This is a good thing as the server checks for proper permissions on the user’s files and
#home directory. RECOMMENDED.
StrictModes yes

#It is good to have a banner file with the warning message shown to the user when connecting
Banner /usr/local/etc/banner

#By default, this is set to no and it should not change
PermitEmptyPasswords no

#This is a controversial entry because most others would set up passwordless (key-based) ssh login
#to avoid using passwords. However, not all users are technically capable, and it would
#create more work and headaches for a lone System Admin. Even though I allow password
#login, I will set up pam_tally to limit dictionary attacks and compensate for this method’s
#shortcoming
PasswordAuthentication yes

#This entry is enabled by default; however, it is risky and I do not use this
#method. Please refer to the sshd_config man page for a better explanation
ChallengeResponseAuthentication no

#Since this setup allows password authentication, we need to use PAM for all
#authentication goodies
#Note: with this we will not be able to run the OpenSSH server as a non-root user
UsePAM yes

#Disable any port forwarding or X forwarding as they are security risks
#and you do not want your users to circumvent your firewall filtering rules. Right?
AllowTcpForwarding no
X11Forwarding no

#This is good and you should not change the default value. Please refer to the man page
#for additional information
UsePrivilegeSeparation yes

####################################################
#These three entries should be grouped together for easier understanding
#Disable TCP keep-alive messages because they are spoofable
TCPKeepAlive no

#Timeout interval in seconds after which, if no data has been received
#from the client, sshd will send a message through the encrypted channel to request
#a response from the client
ClientAliveInterval 60

#Number of client alive messages which may be sent without receiving any messages
#back from the client.
#By setting this to 30 and ClientAliveInterval to 60, unresponsive SSH clients will be
#disconnected after 30 x 60 = 1800 seconds = 30 minutes
ClientAliveCountMax 30
###################################################

#GSSAPIAuthentication no (yes)
#GSSAPICleanupCredentials yes
#DenyUsers
#DenyGroups
#AllowGroups
#Match Address (Need to find out about this entry)
#AddressFamily (and this one too)

#You should comment this line out as it enables the sftp server. In my setup, I do not
#need this
#Subsystem /usr/…../sftp-server

So this is the end of editing the OpenSSH server’s sshd_config configuration file. We can employ additional help from other resources; they are the fruits of many people’s labor.
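As an added example (not part of the original article), here is a small Python audit that parses an sshd_config the way sshd reads it (the first occurrence of a keyword wins) and reports where a file departs from the settings recommended above; the sample config is constructed for the demonstration, and skipping everything after a Match block is a simplification of this example.

```python
import re

# Values the sshd_config above sets, keyed by lower-cased keyword.
EXPECTED = {
    "protocol": "2", "permitrootlogin": "no", "permitemptypasswords": "no",
    "strictmodes": "yes", "usepam": "yes", "allowtcpforwarding": "no",
    "x11forwarding": "no", "useprivilegeseparation": "yes",
    "tcpkeepalive": "no", "challengeresponseauthentication": "no",
}

def parse_sshd_config(text):
    """Map lower-cased keyword -> value. sshd honours the FIRST occurrence of a
    keyword, so later duplicates are ignored; lines after a Match block are
    conditional and are skipped here (simplification of this example)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments
        m = re.match(r"(\S+)\s*[=\s]\s*(.*)", line)     # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf

def audit(text):
    """Return the findings where the config departs from the settings above."""
    conf = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key}: not set, default applies (article sets {want})")
        elif got.lower() != want:
            findings.append(f"{key}: {got} (article sets {want})")
    if conf.get("port", "22") == "22":
        findings.append("port: 22 (article moves sshd off the default port)")
    if "allowusers" not in conf:
        findings.append("allowusers: not set (article restricts logins to a user list)")
    return findings

# Constructed sample with three deliberate weaknesses (not a file from the article).
SAMPLE_CONFIG = "\n".join([
    "Port 22", "Protocol 2", "PermitRootLogin yes",
    "PermitRootLogin no   # later duplicate: sshd ignores it, and so does the parser",
    "PermitEmptyPasswords no", "StrictModes yes", "UsePAM yes", "AllowTcpForwarding no",
    "X11Forwarding no", "UsePrivilegeSeparation yes", "TCPKeepAlive no",
    "ChallengeResponseAuthentication no",
])
```

Running audit(SAMPLE_CONFIG) reports the root login, the default port and the missing AllowUsers list; a setting left unset is reported too, since sshd's default then applies.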

*Iptables rules to allow ssh connections from specific known hosts:
#Allow only this IP address to connect to the ssh port (need to change the port number here)
iptables -A INPUT -p tcp -m state --state NEW --source 207.15.99.33 --dport 22 -j ACCEPT
#Drop all other connections to the ssh port (need to change the port number here)
iptables -A INPUT -p tcp --dport 22 -j DROP

*New trick I just came across: ssh time-lock tricks
#After a connection, access to the SSH service from that host is blocked for one minute, and
#the user gets only one login try per minute from that moment on
iptables -A INPUT -p tcp -s 205.15.99.33 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp -s 205.15.99.33 -m state --syn --state NEW --dport 22 -j DROP

*Since I compiled this with TCP wrappers, we can also use /etc/hosts.allow to allow connections only from trusted IPs and /etc/hosts.deny to disallow all other hosts
/etc/hosts.allow
sshd: 192.168.1.7 207.15.99.33

/etc/hosts.deny
sshd: ALL

The following is a collection of effective protection methods that I might implement or have already implemented to protect my OpenSSH servers.
*Implement a new method of port knocking: Single Packet Authorization. (Only works for highly technical end users; not implemented yet)

*Implement pam_tally to limit and stop dictionary attacks. I recently wrote about this.

*Implement pam_abl to stop brute force password attacks. I recently wrote about this. This method is better than pam_tally since pam_abl blocks both hosts and users.

*Implement swatch to examine /var/log/secure for failed logins and add a route to the server routing table that sends further connections from the offending host to null.

*Put the OpenSSH server in a virtual host like OpenVZ.

*Set up the OpenSSH server on a bastion host, so that users log in to this server first before they can continue by ssh to any other server. For example, a user has to ssh into a hardened bastion OpenSSH server in the DMZ; after that, the user has to ssh into another hardened OpenSSH server in the LAN, and from there the user can ssh to other servers in the LAN. At each server, users must have at least different user names and/or good passwords along the way.

* Use ChrootDirectory in OpenSSH 4.9p1 or later to chroot user shell accounts. I implemented this and wrote this article.

* Put ssh users into a jail, or go further and chroot the whole OpenSSH server. I implemented this and wrote this article.

*Implement iplist/ipblock to block all access from all countries except connections from US IP addresses. I wish I could narrow it down even to Internet providers like Comcast or Verizon, but that is a bit too ambitious. I had an article about this method here.

* Implement these iptables rules from this ITwire article. This one works GREAT.

/sbin/iptables -N SSH
/sbin/iptables -N SSH_ABL
/sbin/iptables -A SSH -m recent --name SSH_ABL --update --seconds 3600 -j REJECT
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 60 --hitcount 5 -j SSH_ABL
/sbin/iptables -A SSH_ABL -m recent --name SSH_ABL --set -j LOG --log-level warn --log-prefix "ABL: +SSH: "
/sbin/iptables -A SSH_ABL -j REJECT
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 2 -j LOG --log-level warn --log-prefix "RATE: "
/sbin/iptables -A SSH -m recent --name SSH --update --seconds 2 -j REJECT
/sbin/iptables -A SSH -m recent --name SSH_ABL --remove -j LOG --log-level warn --log-prefix "ABL: -SSH: "
/sbin/iptables -A SSH -m recent --name SSH --set -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j SSH
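To show what those rules do per source address, here is an added Python model (not from the ITwire article or this page) of the -m recent semantics as I understand them: --rcheck and --update match when at least --hitcount timestamps fall within --seconds, --update and --set record a new timestamp, and --remove drops the entry; the source addresses and timings used with it are constructed.

```python
from collections import defaultdict

class RecentTable:
    """One -m recent --name list: source address -> recent timestamps (seconds)."""
    def __init__(self):
        self.entries = defaultdict(list)

    def _add(self, src, now):
        stamps = self.entries[src]
        stamps.append(now)
        del stamps[:-20]          # xt_recent keeps at most ip_pkt_list_tot (20) stamps

    def set(self, src, now):      # --set: records a hit, always matches
        self._add(src, now)
        return True

    def remove(self, src):        # --remove: matches only if the address is listed
        return self.entries.pop(src, None) is not None

    def check(self, src, now, seconds, hitcount=1, update=False):
        """--rcheck / --update: at least `hitcount` stamps within `seconds`."""
        hits = sum(1 for t in self.entries.get(src, []) if t >= now - seconds)
        matched = src in self.entries and hits >= hitcount
        if matched and update:    # --update also refreshes the timestamp
            self._add(src, now)
        return matched

class SshChain:
    """Walks one new connection through the SSH and SSH_ABL chains listed above."""
    def __init__(self):
        self.ssh, self.abl = RecentTable(), RecentTable()

    def packet(self, src, now):
        """Return (verdict, log prefixes) for a new SYN from src at time now."""
        log = []
        if self.abl.check(src, now, 3600, update=True):   # banned: refresh ban, REJECT
            return "REJECT", log
        if self.ssh.check(src, now, 60, hitcount=5):      # 5 hits in 60 s -> SSH_ABL
            self.abl.set(src, now)
            log.append("ABL: +SSH: ")
            return "REJECT", log
        if self.ssh.check(src, now, 2):                   # seen < 2 s ago: log ...
            log.append("RATE: ")
        if self.ssh.check(src, now, 2, update=True):      # ... and REJECT
            return "REJECT", log
        if self.abl.remove(src):                          # old ban expired: lift it
            log.append("ABL: -SSH: ")
        self.ssh.set(src, now)                            # record hit, ACCEPT
        return "ACCEPT", log
```

One consequence worth knowing: a banned host that keeps retrying refreshes its own SSH_ABL entry, so the hour is counted from its last attempt, not its first.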

*Implement DenyHosts to block IPs after a series of failed logins. Once again, in the past I implemented this as the only method, but I gave up and searched for better methods. I hate to babysit all the IP addresses that got added to /etc/hosts.deny. I DO NOT RECOMMEND THIS METHOD; however, at the time I used DenyHosts it was an earlier version than the current one, but still….

Oct 5

70+ Nice and Beautiful Firefox Wallpapers | Wallpapers

Good news for Firefox fans out there. If you are getting bored with your wallpaper, we’ve got something cool to spice up your desktop. Just click the link above for 70+ nice and beautiful Firefox wallpapers.

Sep 23

The directory structure of Linux and other Unix-like systems is very intimidating for the new user, especially if he/she is migrating from Windows. In Windows, almost all programs install all their files in the directory named ‘Program Files’. Such is not the case in Linux. The directory system categorises all installed files: all configuration files are in /etc, and all binary files are in /bin, /usr/bin or /usr/local/bin. Here is the entire directory structure along with what each directory contains:

/ – Root directory that forms the base of the file system. All files and directories are logically contained inside the root directory regardless of their physical locations.

/bin – Contains the executable programs that are part of the Linux operating system. Many Linux commands, such as cat, cp, ls, more, and tar, are located in /bin.

/boot – Contains the Linux kernel and other files needed by LILO and GRUB boot managers.

/dev – Contains all device files. Linux treats each device as a special file. All such files are located in /dev.

/etc – Contains most system configuration files and the initialisation scripts in the /etc/rc.d subdirectory.

/home – Parent directory of the users’ home directories.

/lib – Contains library files, including loadable driver modules needed to boot the system.

/lost+found – Directory for lost files. Every disk partition has a lost+found directory.

/media – Directory for mounting filesystems on removable media like CD-ROM drives, floppy disks, and Zip drives.

/mnt – A directory for temporarily mounted filesystems.

/opt – Optional software packages copy/install files here.

/proc – A special directory in a virtual filesystem. It contains the information about various aspects of a Linux system.

/root – Home directory of the root user.

/sbin – Contains administrative binary files. Commands such as mount, shutdown, and umount reside here.

/srv – Contains data for services (HTTP, FTP, etc.) offered by the system.

/sys – A special directory that contains information about the devices, as seen by the Linux kernel.

/tmp – Temporary directory which can be used as a scratch directory (storage for temporary files). The contents of this directory are cleared each time the system boots.

/usr – Contains subdirectories for many programs such as the X Window System.

/usr/bin – Contains executable files for many Linux commands. It is not part of the core Linux operating system.

/usr/include – Contains header files for the C and C++ programming languages.

/usr/lib – Contains libraries for C and C++ programming languages.

/usr/local – Contains locally installed files. It has a directory layout similar to /usr.

/usr/sbin – Contains administrative commands.

/usr/share – Contains shared files, such as default configuration files, images, documentation, etc.

/usr/src – Contains the source code for the Linux kernel.

/var – Contains various system files such as logs, mail directories, print spools, etc., which tend to change in number and size over time.

/var/cache – Storage area for cached data for applications.

/var/lib – Contains information relating to the current state of applications. Programs modify this when they run.

/var/lock – Contains lock files which are checked by applications so that a resource can be used by one application only.

/var/log – Contains log files for different applications.

/var/mail – Contains users’ emails.

/var/opt – Contains variable data for packages stored in /opt directory.

/var/run – Contains data describing the system since it was booted.

/var/spool – Contains data that is waiting for some kind of processing.

/var/tmp – Contains temporary files preserved between system reboots.

Jul 12

Digg – Vatican Runs Linux

Apr 27

From Digg.com posted by jaybol

This story is geared towards Diggers and I just signed up for it and liked the interface, and the ability to make files either private or public and send someone a download link rather than emailing a big file. 250GB free online storage…wow.
