OpenSSH
Server-side hardening:
Protocol 2
PermitRootLogin no
AllowUsers jenda cenda cmelda
This sets an idle timeout interval in seconds (300 s = 5 minutes). After this interval has passed, the idle user is automatically kicked out (i.e. logged out). Note that since OpenSSH 8.2 a ClientAliveCountMax of 0 disables connection termination entirely, so on current versions use ClientAliveCountMax 1 (or higher) to keep this behaviour.
ClientAliveInterval 300
ClientAliveCountMax 0
SSH time-lock tricks
You can also use different iptables parameters to limit connections to the SSH service for specific time periods. You can use the /second, /minute, /hour, or /day switch in any of the following examples.
In the first example, if a user enters the wrong password, access to the SSH service is blocked for one minute, and the user gets only one login try per minute from that moment on:
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
In the second example, iptables is set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
Rate-limit Incoming Port # 22 Connections
Both netfilter and pf provide a rate-limit option to perform simple throttling of incoming connections on port 22.
Iptables Example
The following example will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds:
#!/bin/bash
IPT=/sbin/iptables   # path to the iptables binary (the original script left $IPT undefined)
inet_if=eth1
ssh_port=22
# record every new SYN to the SSH port in the "recent" list ...
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set
# ... and drop the source once it has made 5 or more attempts within 60 seconds
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# these rules assume the INPUT chain policy is DROP, so that SYNs exceeding the limit are refused
# another one line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
Port Knocking
Port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once the correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the attempts to connect over specific port(s). A sample port-knocking setup for SSH using iptables:
IPT=/sbin/iptables   # path to the iptables binary (the original snippet left $IPT undefined)
# stage1: reached after a correct first knock (1234); a knock on 3456 advances to "knock2",
# any other packet only clears the first knock
$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2
# stage2: reached after the second knock; a knock on 2345 opens the door ("heaven")
$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven
# door: every new SYN passes through here; each knock must follow the previous one within 5 seconds
$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock
# INPUT: port 22 is accepted only within 5 seconds of a completed knock sequence
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j door
# the INPUT chain policy must be DROP (or a final DROP rule added) for the knock ports and port 22 to appear closed
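The following is an added example, not part of the original page: a small model of the door/stage1/stage2 chains above, so the knock sequence (1234, 3456, 2345, then 22, each within 5 seconds) and its failure modes (wrong port, too slow) can be checked offline. The client address and timestamps are constructed; the INPUT policy is assumed to be DROP.

```python
KNOCK_PORTS = (1234, 3456, 2345)  # door -> stage1 -> stage2, in this order
WINDOW = 5                         # --seconds 5 on every --rcheck in the rules above
SSH_PORT = 22

class KnockFirewall:
    """Models the INPUT, door, stage1 and stage2 chains of the iptables rules above."""
    def __init__(self):
        # each "recent" list holds the last stamp per source address
        self.lists = {"knock": {}, "knock2": {}, "heaven": {}}

    def _rcheck(self, name, ip, now):
        # -m recent --rcheck --seconds 5: present and last seen within the window
        stamp = self.lists[name].get(ip)
        return stamp is not None and now - stamp <= WINDOW

    def syn(self, ip, dport, now):
        """Verdict for one new SYN from ip to dport at time now: "ACCEPT" or "DROP"."""
        if dport == SSH_PORT and self._rcheck("heaven", ip, now):
            return "ACCEPT"                       # INPUT: port 22 while "heaven" is fresh
        # INPUT: every other SYN is sent to the door chain
        if self._rcheck("knock2", ip, now):       # door rule 1 -> stage2
            self.lists["knock2"].pop(ip, None)    #   --remove --name knock2
            if dport == KNOCK_PORTS[2]:
                self.lists["heaven"][ip] = now    #   --set --name heaven
        if self._rcheck("knock", ip, now):        # door rule 2 -> stage1
            self.lists["knock"].pop(ip, None)     #   --remove --name knock
            if dport == KNOCK_PORTS[1]:
                self.lists["knock2"][ip] = now    #   --set --name knock2
        if dport == KNOCK_PORTS[0]:               # door rule 3
            self.lists["knock"][ip] = now         #   --set --name knock
        return "DROP"                             # INPUT policy DROP (assumed)

def run(sequence, ip="198.51.100.7"):
    """Verdicts for a list of (time, dport) SYNs from one constructed client address."""
    fw = KnockFirewall()
    return [fw.syn(ip, port, t) for t, port in sequence]
```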
Hardening
- change the port to a non-default one
Port 12345
- listen only on the required address
ListenAddress 192.168.1.1
- time in seconds allowed for entering the password
LoginGraceTime 120
- check that permission checking before login is enabled
StrictModes yes
- disable forwarding of the GUI (X11)
X11Forwarding no
- number of login attempts (we allow two typos)
MaxAuthTries 3
- forbid accounts without passwords
PermitEmptyPasswords no
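As an added example that is not part of the original page, this audits an sshd_config against the server-side settings listed above (both the first block with PermitRootLogin/AllowUsers/ClientAliveInterval and this hardening list). It follows sshd's own parsing rules, which are easy to get wrong when checking by eye: keywords are case-insensitive, the first occurrence of a keyword wins, and everything after the first Match line is conditional. The sample config is constructed.

```python
import re

# Expected values from this page. Protocol is left out: OpenSSH 7.4 and later speak only
# protocol 2 and ignore the keyword. MaxAuthTries is checked as an upper bound below.
RECOMMENDED = {"permitrootlogin": "no", "clientaliveinterval": "300", "logingracetime": "120",
               "strictmodes": "yes", "x11forwarding": "no", "permitemptypasswords": "no"}
MAX_AUTH_TRIES = 3

def parse_sshd_config(text):
    """Global settings as {keyword: value}; first occurrence wins, Match blocks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":          # everything after the first Match is conditional
            break
        settings.setdefault(key, value)   # sshd keeps the first value it sees
    return settings

def audit(text):
    """Findings for the global section of an sshd_config; an empty list means nothing to fix."""
    s = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key}: not set, expected {want}")
        elif got.lower() != want:
            findings.append(f"{key}: got {got!r}, expected {want}")
    tries = s.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries: got {tries!r}, expected at most {MAX_AUTH_TRIES}")
    if "allowusers" not in s:
        findings.append("allowusers: not set, expected an explicit list of allowed users")
    return findings

# Constructed sample: the second PermitRootLogin is ignored (first wins), the Match block is not audited.
SAMPLE_CONFIG = """\
PermitRootLogin yes
permitrootlogin no
X11Forwarding no
MaxAuthTries 6
Match Group sftponly
    X11Forwarding yes
"""
```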
Login
display a text before the password prompt (sshd shows the file only if sshd_config contains Banner /etc/issue.net)
figlet TextTextText -c -w 80 >> /etc/issue.net
/etc/issue.net ... a motd-like banner for SSH
[figlet ASCII-art banner line, garbled in extraction]
+------------------------------------------------------------------------------+
|                          ! ! ! W A R N I N G ! ! !                           |
+------------------------------------------------------------------------------+
|                                                                              |
| This system is for the use of authorized users only. Individuals using this  |
| computer system without authority, or in excess of their authority, are sub- |
| ject to having all of their activities on this system monitored and recorded |
| by system personnel.                                                         |
|                                                                              |
| In the course of monitoring individuals improperly using this system, or in  |
| the course of system maintenance, the activities of authorized users may also|
| be monitored.                                                                |
|                                                                              |
| Anyone using this system expressly consents to such monitoring and is advised|
| that if such monitoring reveals possible evidence of criminal activity, sys- |
| tem personnel may provide the evidence of such monitoring to law enforcement |
| officials.                                                                   |
|                                                                              |
+------------------------------------------------------------------------------+
Links
- http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=175740
- https://howto.ccs.neu.edu/howto/windows/ssh-port-tunneling-with-putty/
- http://www.akadia.com/services/ssh_putty.html
- http://www.cs.uu.nl/technical/services/ssh/putty/puttyfw.html
- http://www.cryptofest.cz/2003/slajdy/sshtunel/ssh.html
guide to chrooted-only SFTP access
SFTP chrooted access only
Clients for SFTP access:
- Winscp - http://winscp.net/eng/index.php
- FileZilla - https://filezilla-project.org/
- Swish (for Windows) - http://www.swish-sftp.org/
- FireFTP (add-on for Firefox) - http://fireftp.net/
- sFTP Client (add-on for Chrome) - https://chrome.google.com/webstore/detail/sftp-client/jajcoljhdglkjpfefjkgiohbhnkkmipm?hl=en-GB
- BitKinex - http://www.bitkinex.com/sftpclient
- SmartFTP (30-day evaluation) - https://www.smartftp.com/
- CyberDuck - https://cyberduck.io/
- ExpanDrive - http://www.expandrive.com/
- Fugu (Mac OS X) - http://rsug.itd.umich.edu/software/fugu/
An installed OpenSSH server is assumed ("aptitude install openssh-server"). Procedure (as root):
- groupadd sftponly (add a group for SFTP access)
- cat /etc/group | grep sftponly (note the group id)
- useradd [username] -d / -g [sftponly group id] -M -N -o -u [sftponly group id]
- passwd [username]
- cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
- nano +76 /etc/ssh/sshd_config
- replace Subsystem sftp /usr/lib/openssh/sftp-server with Subsystem sftp internal-sftp
- append to the end of the file:
Match group sftponly
    ChrootDirectory /var/www
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
- check that the chroot directory exists!!!
- check that the chroot directory is owned by root and has group root!!!
Creating directories inside the chroot:
mkdir test_rw
chown root:sftponly test_rw
chmod 775 test_rw    (read/write permissions)
chmod 733 test_na    (no access)
SFTP chroot (2017)
/etc/ssh/sshd_config must contain:
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication yes
- create the group
groupadd sftponly
- create the jail (directory for the chroot)
mkdir /srv/jail
permissions:
drwxr-x--- 3 root sftponly 40 Aug 23 10:37 jail
- create the user (the home directory must be the one ChrootDirectory %h refers to)
mkdir /srv/jail/uživatel
useradd -g sftponly -d /srv/jail/uživatel -s /bin/false uživatel
passwd uživatel
permissions:
drwxr-x--- 3 root sftponly 40 Aug 23 10:37 uživatel
- create the subdirectories:
a file the user can neither delete nor modify, only read (it is a hardlink to a file elsewhere):
-rw-r--r-- 2 root root 27 Aug 23 10:23 navod.txt
the served domain (the user can delete it, and all unprotected content, if no .lock exists):
drwxrwxr-x 3 root sftponly 48 Aug 23 10:24 www.neco.cz
directory for the web server (the user can delete it, and all unprotected content, if no .lock exists and the sticky bit is not set):
drwxrwxr-t 2 root sftponly 40 Aug 23 10:38 http
contents of the http directory:
-rw-r--r-- 1 glog sftponly 0 Aug 23 10:38 index.html
-rw-r----- 1 root root 0 Aug 23 10:14 .lock
so the structure looks like this:
/srv/jail                          <- root:sftponly 0755
/srv/jail/uzivatel                 <- root:sftponly 0755 (home/root directory for the user)
/srv/jail/www.domena.cz            <- root:sftponly 1775 (cannot be deleted while it contains someone else's file)
/srv/jail/www.domena.cz/http       <- root:sftponly 1775 (cannot be deleted while it contains someone else's file)
/srv/jail/www.domena.cz/http/.lock <- root:root 0640 (thanks to it, the important directories cannot be deleted)
/srv/jail/soubor.txt               <- root:root 0644 (hardlink from elsewhere; the user cannot delete or modify it, read only)
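Both chroot procedures above insist that the chroot directory be root-owned; sshd's actual rule is that every component of the ChrootDirectory path must be a root-owned directory that no other user or group can write to, or the login is refused. The check below is an added example (not code from the original page) that walks the path and reports each violation; stat_fn is injectable so the 2017 layout above can be verified with constructed stat data and without root privileges.

```python
import os
import stat

def chroot_path_problems(path, stat_fn=os.stat):
    """Problems with path and every parent directory, per sshd's ChrootDirectory rules; [] means OK."""
    problems = []
    path = os.path.abspath(path)
    components = []
    while True:                        # collect the path and all of its ancestors
        components.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    for p in reversed(components):     # from "/" down to the chroot itself
        try:
            st = stat_fn(p)
        except FileNotFoundError:
            problems.append(f"{p}: does not exist")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{p}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{p}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p}: group- or world-writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems

# Constructed stat data for the layout above: the jail and the per-user home are root-owned
# 0750/0755 directories and pass; the 1775 domain directory is group-writable, so it could
# not itself serve as a ChrootDirectory (it is fine as a writable directory inside the chroot).
class FakeStat:
    def __init__(self, mode, uid):
        self.st_mode, self.st_uid = mode, uid

FAKE_TREE = {
    "/": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/srv": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/srv/jail": FakeStat(stat.S_IFDIR | 0o750, 0),
    "/srv/jail/uzivatel": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/srv/jail/www.domena.cz": FakeStat(stat.S_IFDIR | stat.S_ISVTX | 0o775, 0),
}

def fake_stat(p):
    if p not in FAKE_TREE:
        raise FileNotFoundError(p)
    return FAKE_TREE[p]
```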
Port forwarding - SSH tunnel
ssh -o Port=2222 -L 19999:localhost:19999 root@remote_server