LinuxQuestions.org
Angelo Fo. Blog [My OpenSource Project News, previews & announcements of my free posts on http://digitalpatch.blogspot.com]

In this blog I'll talk about my GNU/Linux projects and about solutions regarding security, software development and my own FOSS projects.

I will also publish "previews & announcements" of my free posts on DigitalPatch (Security Blog)

Note: Digital Patch Posts by Angelo Fonzeca are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License and are based on a work at http://digitalpatch.blogspot.com


NOTE: If you are interested in IT Security, join us at "GNU/Linux Security & Hardening" group on Linkedin

OpenSSH daemon hardening ( Part 1 ) - Modify the configuration file [ANNOUNCEMENT]

Posted 12-10-2010 at 08:23 AM by angelo.fonzeca
Updated 12-13-2010 at 06:29 AM by angelo.fonzeca

Introduction

OpenSSH is a daemon (a "service" in Unix environments) which helps system administrators to manage servers remotely.
The SSH daemon is "similar" to "telnet" in the sense that it provides a remote shell for accessing Unix or GNU/Linux systems.
The main difference is that telnet doesn't encrypt the session, so it is easy to intercept the content of the communication between two machines (typically a client/server communication), for example with a "man-in-the-middle" attack.
OpenSSH, on the contrary, encrypts the communication between the two "points", so it is much harder for a third party to intercept the information.
The service also supports "tunneling": other services on the machine can be reached, in addition to SSH itself, through a secure tunnel using the port-forwarding provided by the SSH connection.

For example, if your LAN sits behind a Linux-based firewall that exposes only SSH to the Internet, a client connecting via SSH gets access to the firewall BUT can also reach an intranet database behind it (e.g. MySQL), because OpenSSH can forward the connection to a destination port on another machine.

This feature helps system administrators to provide services without having to open (expose to attack) all the daemons (on the same or other machines) directly to the Internet. (Yes, a VPN could be used for intranets... but that is another story.)

Another feature of OpenSSH is secure FTP (SFTP): a sort of FTP in which the communication is encrypted.

There is another type of attack, the "brute force attack": a dedicated program sends passwords taken from a dictionary, paired with common usernames (e.g. root, admin, test, etc.), to your server.
If the users of the server have not set good passwords, the attacker could "guess" one and gain access to the system.

In the next paragraph, I'll show you how to harden OpenSSH (make it more robust) by modifying its basic configuration and, where possible, by enabling access via RSA keys, so you can bypass many of the problems described above.

These improvements are very important, especially if you need to expose your OpenSSH service to the Internet to reach your server from anywhere and you can't limit access to specific static IP addresses (e.g. you connect to the server from a smartphone with a dynamic IP...).

Anyway, always follow these rules:

1) The most important action you can take to defend SSH against attacks... is upgrading the service as soon as bug fixes are available
2) Configure the system to require complex passwords when a user sets one
3) Analyze the logs and keep an eye on "strange" accesses
4) Limit access to a few users only (if you can) and limit access to the server to well-known IP addresses (if you connect from a static IP address), using your firewall, iptables on GNU/Linux, or the OpenSSH configuration files.
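Rule 3 in practice, as an added example that is not part of the original post: a small Python script that reads sshd messages in the format sshd writes to /var/log/auth.log, counts failed logins per source address, flags an address that behaves like the dictionary attack described above, and reports a later successful login from an already flagged address, which is the "guessed password" case an administrator most needs to notice. The log lines, hostnames and addresses are constructed for the example, and the threshold of five failures is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd messages in syslog format, as found in /var/log/auth.log.
# 203.0.113.7 runs a dictionary attack and finally guesses a weak password;
# 192.0.2.10 is the administrator's workstation, which authenticates with an RSA key.
SAMPLE_AUTH_LOG = """\
Dec 10 08:01:12 fw sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec 10 08:01:15 fw sshd[4021]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
Dec 10 08:01:19 fw sshd[4023]: Failed password for root from 203.0.113.7 port 51024 ssh2
Dec 10 08:01:22 fw sshd[4025]: Failed password for root from 203.0.113.7 port 51025 ssh2
Dec 10 08:01:26 fw sshd[4027]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Dec 10 08:02:40 fw sshd[4031]: Failed password for angelo from 192.0.2.10 port 40112 ssh2
Dec 10 08:02:51 fw sshd[4031]: Accepted publickey for angelo from 192.0.2.10 port 40112 ssh2
Dec 10 08:03:05 fw sshd[4040]: Accepted password for angelo from 203.0.113.7 port 51030 ssh2
"""

# One pattern covers both outcomes sshd logs for an authentication attempt.
# The optional "invalid user " marker means the account does not exist on the system.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return the fields of one sshd authentication message, or None for any other line."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "method": m.group("method"),
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "ip": m.group("ip"),
    }


def analyze(log_text, threshold=5):
    """Summarize authentication attempts and flag dictionary attacks.

    An address is reported as a brute-force source once it accumulates
    `threshold` failures. A successful login from such an address *after*
    it was flagged is reported separately: that is the guessed-password case.
    """
    failures = Counter()
    usernames = defaultdict(set)
    flagged = []
    suspicious = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            usernames[ev["ip"]].add(ev["user"])
            if failures[ev["ip"]] == threshold:
                flagged.append(ev["ip"])
        elif ev["ip"] in flagged:
            suspicious.append((ev["user"], ev["ip"], ev["method"]))
    return {
        "failures_by_ip": dict(failures),
        "usernames_tried": {ip: sorted(names) for ip, names in usernames.items()},
        "brute_force_sources": flagged,
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    for ip in report["brute_force_sources"]:
        print(f"brute force from {ip}: {report['failures_by_ip'][ip]} failures, "
              f"usernames tried: {', '.join(report['usernames_tried'][ip])}")
    for user, ip, method in report["suspicious_logins"]:
        print(f"WARNING: {user} logged in via {method} from flagged address {ip}")
```

Run against a real auth.log, the script is a quick way to see both halves of the problem: which addresses are hammering the daemon and, more importantly, whether any of them eventually got in. A legitimate user mistyping a password once (192.0.2.10 above) stays below the threshold and is not reported.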



Why could an attack be possible?

You know... All software is subject to "bugs" (errors in the code). Bugs are used by attackers (people who want access to your private data) to get into a system illegally.
For example, a bug in your OpenSSH daemon could cause a "vulnerability" that allows attackers to penetrate your system and steal your data. They do so with "exploit" software, which uses the vulnerability to "break" the daemon and obtain a privilege escalation.

If you need more information about this aspect, take a look at:

http://en.wikipedia.org/wiki/Exploit_(computer_security)

Anyway... To avoid some of these problems, the configuration file has some parameters that allow the system administrator (that's you!) to make the daemon setup more "robust".
In the next paragraph, you will see some "tricks" regarding OpenSSH.
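As an added example (not the author's code, whose configuration changes continue on DigitalPatch): a Python check that reads an sshd_config fragment and reports the settings that leave the daemon exposed to the password guessing and direct root login problems described above, beside a hardened fragment that passes every check. The two configuration fragments are constructed; the directives (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication, MaxAuthTries, AllowUsers) are real sshd_config keywords, and the values assumed when a directive is absent are the defaults of the OpenSSH releases contemporary with this post. Match blocks and the keyword=value spelling are not handled.

```python
# Constructed sshd_config fragments: a permissive setup as often found on a fresh
# install, beside a hardened one that applies the measures discussed in the post.
WEAK_CONFIG = """\
# default-like configuration: everything left open
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
# no direct root login: log in as a normal user and escalate locally
PermitRootLogin no
# RSA/public-key authentication only, so a dictionary attack has nothing to guess
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
# only these accounts may log in; user@host ties a user to one source address
AllowUsers angelo@192.0.2.10 backupop
"""

# Values sshd applies when a directive is absent (assumption: the defaults of the
# OpenSSH 5.x releases current when this post was written; later releases changed
# the PermitRootLogin default to prohibit-password).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {keyword: arguments} for the directives in an sshd_config text.

    Keywords are case-insensitive, blank lines and lines starting with '#' are
    comments, and when a keyword appears more than once the first value wins,
    as in sshd itself. Match blocks are not handled (simplification).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)
    return settings


def audit(settings):
    """Return a list of (directive, problem) for settings that weaken the daemon.

    An empty list means every check passed. Missing directives are evaluated
    with DEFAULTS, because an absent line is not a safe line.
    """
    effective = {**DEFAULTS, **settings}
    findings = []
    if effective["permitrootlogin"] == "yes":
        findings.append(("PermitRootLogin",
                         "root can log in directly; set 'no' and use an unprivileged account"))
    if effective["passwordauthentication"] == "yes":
        findings.append(("PasswordAuthentication",
                         "password logins allowed; a dictionary attack can still guess a weak one"))
    if effective["pubkeyauthentication"] != "yes":
        findings.append(("PubkeyAuthentication",
                         "public-key (RSA) logins disabled; nothing stronger than passwords remains"))
    if int(effective["maxauthtries"]) > 3:
        findings.append(("MaxAuthTries",
                         f"{effective['maxauthtries']} attempts per connection; 3 is enough for a real user"))
    if "allowusers" not in effective and "allowgroups" not in effective:
        findings.append(("AllowUsers",
                         "no restriction; every account with a shell can be tried by a guesser"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit(parse_sshd_config(cfg))
        print(f"{name}: {len(problems)} finding(s)")
        for directive, problem in problems:
            print(f"  {directive}: {problem}")
```

The weak fragment produces four findings even though it only sets three directives, because MaxAuthTries and AllowUsers are judged on their defaults; that is the point of auditing the effective configuration rather than the visible lines. After changing sshd_config, remember that the running daemon has to reload it, and keep your current session open until you have verified that a new key-based login still works.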


The post continues on DigitalPatch
Posted in Linux Security