Feb 13

Feb 12
  1. local$ ssh-keygen -t ed25519
     Press Enter to accept the default file name. This walkthrough also leaves the passphrase empty so that logins never prompt; be aware that an unencrypted private key can be used by anyone who copies ~/.ssh/id_ed25519, so either guard that file carefully or set a passphrase and let ssh-agent cache it. (The original version of these steps used -t dsa; OpenSSH has refused ssh-dss keys by default since 7.0, so a current server will not accept them.)
  2. local$ scp ~/.ssh/id_ed25519.pub remote_user@remote_server:/home/remote_user/
     Only the .pub file is copied; the private key never leaves the local machine.
  3. local$ ssh remote_user@remote_server
  4. remote_server$ mkdir -p ~/.ssh && chmod 700 ~/.ssh
     Safe to run whether or not ~/.ssh already exists. The mode matters: with StrictModes (the default) sshd ignores a ~/.ssh or authorized_keys that other users can write to.
  5. remote_server$ cat ~/id_ed25519.pub >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && rm ~/id_ed25519.pub
  6. remote_server$ exit
  7. local$ ssh remote_user@remote_server
     You should log in with no password prompt. If you are still asked for a password, check the file modes above, look at the server's log (/var/log/secure or /var/log/auth.log), and make sure PubkeyAuthentication is not set to no in sshd_config.
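Here is an added example, mine rather than part of the original how-to, that does steps 4 and 5 the way sshd's StrictModes expects: it creates ~/.ssh as 0700 and authorized_keys as 0600, refuses malformed lines and ssh-dss keys, and skips a key that is already installed (comparing type and key blob, so the same key with a new comment is still a duplicate). The function names, the home-directory argument and the sample key strings are my choices; the base64 blobs used in the demo are made up and are not real keys.

```sh
#!/bin/sh
# Added example, not from the original how-to: install a public key into a
# user's authorized_keys the way sshd's StrictModes expects (0700 ~/.ssh,
# 0600 authorized_keys), refusing malformed or ssh-dss keys and never
# appending a key that is already present. Function names are mine.

# install_authorized_key HOME_DIR "<type> <base64 blob> [comment]"
# Returns 0 when the key is installed or was already there, 1 on a bad key.
install_authorized_key() {
    home_dir=$1
    key=$2
    sshdir="$home_dir/.ssh"
    authfile="$sshdir/authorized_keys"

    # Accept only key types a current sshd will use. ssh-dss (DSA) is left out
    # on purpose: OpenSSH disables it by default since 7.0.
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "refusing key: unsupported type or malformed line" >&2; return 1 ;;
    esac
    # The second field must be a single base64 token.
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    if ! printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
        echo "refusing key: key blob is not base64" >&2
        return 1
    fi

    # Create the directory and file owner-only; the chmods afterwards also fix
    # up a pre-existing ~/.ssh that a lax umask left group-readable.
    (umask 077; mkdir -p "$sshdir"; touch "$authfile")
    chmod 700 "$sshdir"
    chmod 600 "$authfile"

    # Compare type+blob only, so the same key with a different comment is
    # still a duplicate.
    keyid=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$authfile"; then
        echo "key already present in $authfile, not appended" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
    echo "key installed into $authfile" >&2
}

# count_authorized_keys HOME_DIR -> number of key lines (blank/comment lines ignored)
count_authorized_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys" || true
}
```

ssh-copy-id does the same job from the client side where it is available; the reason to spell it out is that the mode fixing and the duplicate check are exactly what StrictModes and a long-lived authorized_keys file need, and what the bare cat >> in step 5 does not give you.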
Feb 12


Cars and motorcycle videos

Feb 1

The world’s most expensive burger – flame grilled Wagyu Beef, topped with white truffles in an Iranian saffron and truffle bun – is to go on sale at a fast food restaurant. Burger King’s £95 (Approx. $200 USD) sandwich, named simply The Burger, will make Guinness World Record history beating a similarly extravagant American Double Truffle Burger which cost just £65 in 1994.

The world’s most succulent Japanese beef is complemented with white truffles, onion tempura prepared in Cristal champagne and Italy’s finest Pata Negra prosciutto

Restaurant critics have dismissed the burger as just the latest stunt in a marketing craze which has seen Selfridges charge £85 for a sandwich and Peter Jones, the Sloane Square department store, ask £50 for a cup of coffee pre-digested by a Civet cat.

Jan 22

Jan 19
Out for a cruize…
admin | Car News, Funny | January 19th, 2009 | No Comments

It appears as though the Imperial Army has turned in their speeder bikes for something a little more agile as evidenced by this Imperial Storm Trooper caught driving a white Lotus Exige.
[image: stormtrooper.jpg]

Not one to let a Lotus-driving storm trooper have all the fun, Darth Vader has upped the ante by hopping into an Ariel Atom. Sounds like time for another round of “Caption This.” Apparently, fighting rebel uprisings and making stray cats float around the Death Star (or whatever he does) gets boring after a while, so Darth has picked up an Ariel Atom for a weekend toy. We’re wondering if this settles the question of what is the ultimate Vader ride. Probably not. (Hat tip to Eric!)
[image: Darth-Vader_Ariel-Atom.jpg]

Jan 18

Jan 6
Spaghetti Cat
admin | Funny, Video | January 6th, 2009 | No Comments

This is the funniest thing I have seen online for a while. Seriously, I laugh every time I watch it.

Watch this video first.

Now watch this one.

Dec 29

This is not mine; I found it at: Djatlantic – Linux & Trance Passions

Harden/Secure Openssh

I just compiled and set up OpenSSH (4.6p1, or 4.7 or 4.7p1) from scratch and I want to write something about it. I have done this quite a few times and I think it is at the point where I need to write everything down and share what I have done with everybody else.

Just like all other system admins, I have tried to find the perfect combination of settings to harden my OpenSSH servers to the most secure degree, and I have arrived at a setup that I feel quite comfortable and confident with.

Let’s start with the compilation and initial setup on Linux Fedora Core 6.
1. Download the latest portable source code from openssh.org. At the time of writing, the software had been released only a couple of days earlier and is currently at version 4.6p1.
2. Download the latest zlib source code (version 1.2.3) from zlib.net.
# tar zxvf zlib-xxx.gz
# cd zlib-xxx
# ./configure
# make
# make install

These steps install the zlib files (under /usr/local/) that OpenSSH needs.
3. From the command line, install the OpenSSL and PAM development packages:
# yum install openssl-devel pam-devel
4. Unpack and compile OpenSSH
# tar jxvf openssh-xxx.bz2
# cd openssh-xxx
# ./configure --with-pam --with-zlib=/usr/local/ --with-ssl-dir=/usr/local/lib --with-tcp-wrappers --with-md5-passwords --disable-tcp-nodelay --with-ssh-connection-limit=8 --with-ipv4-default
# make
# make install
(Notice that in the configure step I enabled the tcp-wrappers feature and compiled OpenSSH to work with PAM. Every option above is a double-dash option; some web pages, this one included, render the two hyphens as a single dash, which configure will reject.)

After this we should have OpenSSH's client executables in /usr/local/bin, the sshd daemon in /usr/local/sbin, and ssh_config, the host keys (ssh_host_*_key) and sshd_config in /usr/local/etc.

As this is a bastion OpenSSH server, I need to secure it to the extent that I can go to sleep at night with little worry about my OpenSSH server being under attack.

We need to edit /usr/local/etc/sshd_config, the configuration file for the OpenSSH server. Here are the entries worth mentioning for their security roles.

# Moving sshd off port 22 cuts the noise from mass scanners and automated
# brute-forcers. It does not stop a targeted attacker, who will simply port-scan,
# so treat it as log hygiene rather than authentication hardening.
# I personally avoid using anything like 222 or 222* to that extent, to avoid possible
# enumeration of the default port value 22.
# Whatever port you pick must also be the port used in the firewall and
# TCP-wrapper rules further down; a non-default port is easy to forget there.

Port 56565

# Offer only protocol 2. Protocol 1 has known cryptographic weaknesses and almost
# nothing still needs it; OpenSSH removed protocol 1 support entirely in 7.6, so on
# current builds this line is accepted but has no effect.
Protocol 2

# If the box has more than one interface, bind sshd to the one that should accept
# management traffic instead of listening on every address on the host.
ListenAddress 192.168.24.15

# Never let root log in directly: log in as an unprivileged user and escalate, so
# every privileged action is tied to a named account. This is a must.
# (Newer releases also accept "prohibit-password", which keeps key-only root access
# for automation while refusing root passwords.)
PermitRootLogin no

# AllowUsers limits logins to the listed accounts; every other account is refused
# before authentication is even attempted.
AllowUsers myuser

# Users must complete authentication within one minute or the connection is dropped.
LoginGraceTime 1m

# At most 4 authentication attempts per connection. Once failures reach half this
# value (the second failure), each further failure is logged.
MaxAuthTries 4

# Limits concurrent unauthenticated connections: once 10 are pending, new ones are
# dropped with 30% probability, rising linearly to 100% at 60. This is what keeps a
# connection flood from exhausting sshd before a single password is tried.
MaxStartups 10:30:60

# sshd checks that the user's home directory, ~/.ssh and the key files are not
# group- or world-writable before trusting them, so another local user cannot plant
# an authorized_keys entry. RECOMMENDED.
StrictModes yes

# A legal/warning banner file is shown to the client BEFORE authentication, not after
# login (a post-login message belongs in /etc/motd).
Banner /usr/local/etc/banner

# The default is no and it should stay that way.
PermitEmptyPasswords no

# This is a controversial entry because most others would set up passwordless SSH login
# to avoid using passwords. However, not all users are technically capable, and it would
# create more work and headaches for a lone system admin. Even if I allow password
# login, I will set up pam_tally to limit dictionary attacks to compensate for this
# method's shortcomings.
PasswordAuthentication yes

# This entry is enabled by default; however, it is risky and I do not use this
# method. Please refer to the man page of sshd_config for a better explanation.
# (In OpenSSH 8.7 and later the keyword is spelled KbdInteractiveAuthentication; the
# old name is still accepted as an alias.)
ChallengeResponseAuthentication no

# Since this setup allows password authentication, PAM handles the authentication
# stack, which is also what pam_tally/pam_abl hook into.
# Note: with UsePAM yes, sshd has to run as root.
UsePAM yes

# Disable TCP and X11 forwarding: a logged-in user could otherwise tunnel through
# the bastion and bypass the firewall's filtering rules. Right?
# Note that this only removes the built-in forwarding; a user with an unrestricted
# shell can still run a relay of their own, so it is a speed bump unless the shell
# is restricted as well.
AllowTcpForwarding no
X11Forwarding no

# Keep the default. Privilege separation runs the network-facing part of sshd as an
# unprivileged process, so a pre-authentication bug does not hand out root.
# (OpenSSH 7.5 and later always enable it and have dropped the keyword.)
UsePrivilegeSeparation yes

####################################################
# These three entries should be read together.
# TCP keepalives travel outside the encrypted channel and can be spoofed, so the
# liveness check is done inside the channel instead (the ClientAlive* entries).
TCPKeepAlive no

# Interval in seconds after which, if no data has been received from the client,
# sshd sends a message through the encrypted channel requesting a response.
ClientAliveInterval 60

# Number of client-alive messages that may be sent without receiving any response
# before sshd disconnects the client.
# With ClientAliveInterval 60, unresponsive SSH clients are disconnected after
# 30 x 60 = 1800 seconds = 30 minutes.
ClientAliveCountMax 30
###################################################

# Other entries worth knowing about (left commented out in this setup):
#GSSAPIAuthentication no (yes)
#GSSAPICleanupCredentials yes
#DenyUsers
#DenyGroups
#AllowGroups
#Match Address   (a Match block applies the settings that follow it only to
#                 connections meeting the criteria, here a source address or
#                 network; it must come last, since everything after it belongs
#                 to the block rather than to the global configuration)
#AddressFamily   (any, inet or inet6: restricts sshd to IPv4 and/or IPv6)

# Comment this line out, as it enables the SFTP server. In my setup I do not
# need it.
#Subsystem /usr/…../sftp-server

That is the end of editing the OpenSSH server configuration file, sshd_config. We can also enlist additional help from other resources; they are the fruits of many people's labour.

*Iptables rules to allow SSH connections only from specific known hosts:
# Allow only this address to reach the SSH port. Use the port from sshd_config
# (56565 above) rather than 22.
iptables -A INPUT -p tcp -m state --state NEW --source 207.15.99.33 --dport 22 -j ACCEPT
# Drop everything else aimed at the SSH port. Order matters: -A appends, so no
# earlier rule may already ACCEPT this port for everyone, and the usual
# "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule must come before this
# one or it will also drop the packets of sessions that were already accepted.
iptables -A INPUT -p tcp --dport 22 -j DROP

*New trick I just came across: SSH time-lock tricks
# The first rule accepts at most one new connection per minute from this host
# (a burst of one); the second drops any further connection attempt from it
# within that minute, so a password guesser gets one try per minute.
# Note that -m limit counts per rule, not per source: this only works because
# the rule is already tied to a single address. For many sources use -m recent
# (as in the ITwire rules below) or -m hashlimit instead.
iptables -A INPUT -p tcp --syn -s 205.15.99.33 -m state --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 205.15.99.33 -m state --state NEW --dport 22 -j DROP

*Since I compiled this with TCP wrappers, we can also use /etc/hosts.allow to allow connections only from trusted IPs and /etc/hosts.deny to refuse all other hosts. (Only a build configured with --with-tcp-wrappers honours these files, and OpenSSH removed libwrap support in 6.7, so on current releases rely on the firewall rules and on Match blocks in sshd_config instead.)
/etc/hosts.allow
sshd: 192.168.1.7 207.15.99.33

/etc/hosts.deny
sshd: ALL

The following is a concoction of many effective protection methods that I have implemented, or might implement, to protect my OpenSSH servers.
*Implement a new method of port knocking: Single Packet Authorization. (Only works for highly technical end users; not implemented yet.)

*Implement pam_tally to limit and stop dictionary attacks. I recently wrote about this.

*Implement pam_abl to stop brute-force password attacks. I recently wrote about this. This method is better than pam_tally since pam_abl blocks both hosts and users.

*Implement swatch to examine /var/log/secure for failed logins and add a route to the server's routing table that sends further connections from the offending address to null (a blackhole route).

*Put the OpenSSH server in a virtual host (an OpenVZ container, for example).

*Set up the OpenSSH server on a bastion host, so that a user has to log in to this server first before continuing over SSH to any other server. For example, the user has to SSH into a hardened bastion OpenSSH server in the DMZ, from there into another hardened OpenSSH server on the LAN, and only from there on to the other servers on the LAN. Along the way the user must have at least different user names and/or good passwords at each server.

* Use ChrootDirectory in OpenSSH 4.9p1 or later to chroot user shell accounts. I implemented this and wrote this article.

* Put SSH users into a jail, or go further and chroot the OpenSSH server itself. I implemented this and wrote this article.

*Implement iplist/ipblock to block all access from all countries with the exception of connections from US IP addresses. I wish I could narrow it down even to Internet providers like Comcast or Verizon, but that is a bit too ambitious. I had an article about this method here.

* Implement these iptables rules from this ITwire article. This one works GREAT. Unlike the -m limit trick above, -m recent keeps a per-address list, so one noisy host cannot use up everybody's allowance.

# Two user-defined chains: SSH sees every new connection to the SSH port,
# SSH_ABL is the "auto block list" that offenders are moved into.
/sbin/iptables -N SSH
/sbin/iptables -N SSH_ABL
# Already on the block list within the last hour? Refresh the timestamp and
# reject, so a host that keeps hammering stays blocked.
/sbin/iptables -A SSH -m recent --name SSH_ABL --update --seconds 3600 -j REJECT
# Five or more new connections in 60 seconds from one address: send it to SSH_ABL.
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 60 --hitcount 5 -j SSH_ABL
/sbin/iptables -A SSH_ABL -m recent --name SSH_ABL --set -j LOG --log-level warn --log-prefix "ABL: +SSH: "
/sbin/iptables -A SSH_ABL -j REJECT
# Rate limit: a second connection within 2 seconds of the previous one is
# logged and rejected.
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 2 -j LOG --log-level warn --log-prefix "RATE: "
/sbin/iptables -A SSH -m recent --name SSH --update --seconds 2 -j REJECT
# Reaching this point means the hour has expired: take the address off the block list.
/sbin/iptables -A SSH -m recent --name SSH_ABL --remove -j LOG --log-level warn --log-prefix "ABL: -SSH: "
# Record this connection and accept it.
/sbin/iptables -A SSH -m recent --name SSH --set -j ACCEPT
# Hand every new connection to the SSH port to the chain (change 22 to match Port).
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j SSH

*Implement DenyHosts to block IPs after a series of failed logins. Once again, in the past I implemented this as the only method, but I gave up and searched for better methods. I hate having to babysit all the IP addresses that get added to /etc/hosts.deny. I DO NOT RECOMMEND THIS METHOD; however, at the time I used DenyHosts it was an earlier version than the current one, but still….
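As an added example of the log-watching approach that swatch, DenyHosts and pam_abl each implement in their own way, here is the core of it in awk over sshd's own log lines (my code, not the article's): it counts failed logins per source address and turns that into a block list above a threshold, while exempting trusted addresses so an admin's typo never gets the management subnet blackholed. The log lines are constructed to match sshd's syslog format and are not a real capture; the function names and the threshold are mine.

```sh
#!/bin/sh
# Added example, not from the original article: the per-address failed-login
# count that swatch/DenyHosts/pam_abl style tools build from the auth log.
# Function names and the threshold are mine.

# Constructed sample lines in the format sshd writes through syslog to
# /var/log/secure (Fedora) or /var/log/auth.log (Debian). Not a real capture.
SAMPLE_LOG='Jan 19 10:01:02 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51112 ssh2
Jan 19 10:01:04 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51112 ssh2
Jan 19 10:01:05 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jan 19 10:01:07 bastion sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51131 ssh2
Jan 19 10:01:09 bastion sshd[2207]: Invalid user test from 203.0.113.7
Jan 19 10:02:11 bastion sshd[2210]: Failed password for myuser from 192.168.1.7 port 40022 ssh2
Jan 19 10:02:15 bastion sshd[2210]: Accepted publickey for myuser from 192.168.1.7 port 40022 ssh2
Jan 19 10:03:30 bastion sshd[2215]: Failed password for invalid user guest from 198.51.100.23 port 33001 ssh2
Jan 19 10:03:32 bastion sshd[2215]: Failed password for invalid user guest from 198.51.100.23 port 33001 ssh2
Jan 19 10:03:35 bastion sshd[2215]: Failed password for invalid user guest from 198.51.100.23 port 33001 ssh2'

# failed_logins_by_ip < LOG -> "count address" per source, highest count first.
# Counts "Failed password for ..." and "Invalid user ..." records; the latter is
# what an account-enumeration sweep leaves even when no password is tried.
failed_logins_by_ip() {
    awk '
        / sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (a in count) print count[a], a }
    ' | sort -rn
}

# block_candidates THRESHOLD [TRUSTED_ADDRESS...] < LOG
# Prints addresses with at least THRESHOLD failures, skipping trusted ones.
block_candidates() {
    thr=$1; shift
    trusted=" $* "
    failed_logins_by_ip | while read -r n a; do
        case "$trusted" in *" $a "*) continue ;; esac
        if [ "$n" -ge "$thr" ]; then echo "$a"; fi
    done
}

# Demo on the constructed log: the count table ("5 203.0.113.7" first), then
# the addresses with 3 or more failures, with 192.168.1.7 treated as trusted.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_LOG" | block_candidates 3 192.168.1.7
```

On the server you would feed it the real log, for example block_candidates 5 192.168.1.7 < /var/log/secure, and hand the result to the route trick from the list above (pipe it into xargs -n1 ip route add blackhole). Counting per address is also the reason the -m recent rules above are preferable to a plain -m limit rule: a limit is per rule, a recent list is per offender.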

Dec 26

Anyone who knows me will tell you that I really don’t like trucks; it’s just not my thing. I prefer small, nimble sports cars, but thanks to Top Gear, if I were to get a truck it would definitely be a Toyota.


Top Gear tries to destroy the Toyota Hilux


Top Gear vs the North Pole
