LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 05-08-2007, 09:37 AM   #1
slacksubgenius
LQ Newbie
 
Registered: Jun 2006
Location: Uk
Distribution: Slackware
Posts: 5

Rep: Reputation: 0
How to secure ssh in Ubuntu and Slackware


Hi, let me know if there are any problems, hope it helps someone.
This site has really helped me, Thanks one and all.


UPDATE- Re-written sshd section adding comments.
++++++++++++++++++++++++++++++++++++++++++++++++++++



Installing and securing sshd
==============================



Install ssh openssh



Edit /etc/ssh/sshd_conf

# change or add these options

#This will disable ssh protocol 1, breaking compatibility with some clients and rendering version 1 options ineffective
#I have not included the v1 options here.

#Both of my clients support Protocol Version 2, we will disable version 1.
Protocol 2

# Replace 10.0.90.23 with your ip address
# Run sudo ifconfig -a
ListenAddress 10.0.90.23

# Replace 55222 with port number, one not in use up to 65535. This will help to stop automated attacks against ssh on port 22
# We can also specify -p on the command line which will override this and make sshd run on a specific port
#/usr/sbin/sshd -p 55229
Port 55222


#I am using IPv4 on 1 network adaptor, replace 10.0.90.23 with your ip address
#This binds sshd to just one ip address, by default sshd listens on all network addresses using both IP versions 4 & 6,
#we can restrict it to IPv4 by doing this. (This breaks IPv6 compatability)
ListenAddress 10.0.90.23
AddressFamily inet


Logging

#man syslog.conf for more information on syslog
#The defaults are fine for our needs
SyslogFacility AUTH
LogLevel INFO

#The server will give you 1 minute to enter your passphrase sucessfully before disconnecting the session.
LoginGraceTime 1m


#Disables root login
#Can enforce further by adding root to DenyUsers option, and by adding any account but root to the AllowUsers option
# (See Below) for using forced commands with keys for root
PermitRootLogin no


#This will make sshd check the users home directory for the correct file permissions and owners before allowing a log in.
#You can do this by running as a user "chmod -R o-w ~"
StrictModes yes


#This uses .rhosts/.shosts and /etc/host.equiv and trusts a file that can be manipulated by a user, .rhosts, we set this to no.
#See rhosts below

HostBasedAuthentication no



#######################################################################
.rhosts
2 hosts
192.168.1.2 -user bob
192.168.1.3 -user sub

#Very basically this means that as a user on a machine you can supply a file (.rhosts .shosts /etc/equiv) on 192.168.1.2
#containing the machines and usernames that a remote user can use to log onto the local machine without a password.

#Example 1 .rhosts placed in bobs home directory on 192.168.1.2
192.168.1.3 bob
#would allow bob to log in from 192.168.1.3 as the user bob on 192.168.1.2

#Example 2
192.168.1.3 sub
#would allow sub to log in from 192.168.1.3 as the user bob on 192.168.1.2

#Example 3
+ bob
#would allow the user bob to log in from any host as user bob on 192.168.1.2

#Example 4
++
#would allow any user on any host to log in as user bob on 192.168.1.2

All without a password!
#########################################################################



#Ignores users ~/.ssh/known_hosts
IgnoreUserKnownHosts yes



#Maximum login attempts per connection before disconnection
MaxAuthTries 4


#This will allow you to log into an account using a public-key
PubkeyAuthentication yes



#This will allow you to log into an account using a password, (we will leave this as yes for now).
#changing this to no will stop any account logging in with a password.
PasswordAuthentication yes


#When the PasswordAuthentication above is set to yes this option will deny account login with a blank password
PermitEmptyPasswords no



# This is the path to the authorized_keys file, containing your public-key.

# bob /home/bob/.ssh/authorized_keys
# root /root/.ssh/authorized_keys

AuthorizedKeysFile .ssh/authorized_keys


#This will disable tcp forwarding (not a solution but it removes it from this configuration)
AllowTcpForwarding no


#If port forwarding must be used then use the PermitOpen to allow cetain destination hosts
#I have a network camera on 10.0.90.7
PermitOpen 10.0.90.7


#This disables X forwarding so ssh -X or -Y will not work.
X11Forwarding no


#This prints /etc/motd on connection
PrintMotd no

#This option will print the date and time and ip address of the last login
PrintLastLog no


#This is the default,
#TcpKeepAlive is to detect a dead connection.

TCPKeepAlive yes


####################################################
# DENY USERS,ALLOW USERS, DENY GROUPS. ALLOW GROUPS,
# Default is all users and groups are allowed
# The are processed in the order above
# This option allows you to add users or username patterns and even hosts that are allowed to log in via ssh
# ONLY THESE users+hosts we will now call patterns will be allowed to log in via ssh.*
# EXAMPLE OF PATTERNS, wildcards * are accepted so.....

AllowUsers slack*
# Would allow usernames slack followed by any combination, so slackbob, slackbob4, slacksubgenius, slacksubgenius6, slackwarerocks
# all to log in via any host.

Allow Users slack*@192.168.1.2
# Would allow login for the same username pattern as above, but this time only from host 192.168.1.2

AllowUsers slack*@192.168.1.*
# would all the same usernames as above and allow them to attempt to login from any machine on your lan (assuming 192.168.1.* address)

# For multiple entries seperate with space
AllowUsers slack*@192.168.1.* slack*@216.9.*.* bob* root@216.9.*.*
# would allow the same pattern as above but also from an external host pattern 216.9.*.* as well (my mobile phone provider)
# and the username pattern bob so bobdodds, bob, bobittybob and root could all log in from any Host Pattern.
##########################################################################

#change USERNAME to your username and host combination.
AllowUsers USERNAME
DenyUsers root


#
UsePrivilegeSeparation yes




sudo /etc/init.d/ssh restart








On The Client
============

#Generate Key

ssh-keygen -t rsa
#Press enter for defaut location
add passphrase #If left blank then no passphrase is required, which is great for scripting
repeat passphrase #but not as secure.




#Copy Key To SSH Sever

# Replacing 55222 with sshd port you have decided to use in sshd_conf above, 10.0.90.23 with ip of your ssh server
# and USERNAME with your username on the ssh server

scp -P 55222 .ssh/id_rsa.pub USERNAME@10.0.90.23:/home/USERNAME/.ssh/authorized_keys
# enter password


#To test


ssh -p 55222 USERNAME@10.0.90.23
#enter passphrase this time
#Stay logged in, continued below


On Server
===============


#Setting permissions

# continued from above

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys*


Edit /etc/ssh/sshd_conf


Change PasswordAuthentication yes
To PasswordAuthentication no

#Save and exit


sudo /etc/init.d/ssh restart
exit # to exit ssh session

Last edited by slacksubgenius; 05-31-2007 at 04:06 AM.
 
Old 05-09-2007, 02:34 AM   #2
fukawi2
Member
 
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 448

Rep: Reputation: 34
Comprehensive

Have you had a look at the Wiki? Perhaps you'd like to contribute there?
http://wiki.linuxquestions.org/wiki/Securing_ssh
 
Old 05-09-2007, 03:40 AM   #3
reverse
Member
 
Registered: Apr 2007
Distribution: Gentoo
Posts: 337

Rep: Reputation: 30
Note that you've simply provided some commands and how to edit sshd_config. A newbie can follow your guide, and then all of a sudden he's missing functionality and he has no idea how to fix it. If you care about my opinion on how you could improved this "guide" .. here it is: why not, next to every action you ask the user to make, provided a paragraph as to who should do why, and why they should do it, and what the "downsides" are. Quoting from the manpages directly would be pretty useless IMHO as then a large part of your guide could be replaced with "rtfm for sshd_config and act accordingly".

Also, you are assuming two things: One is the fact that the Ubuntu user is not running under root (case in which all the sudo'ing would be pretty much redundant) and the other is that the Slackware user is running under root.

And some other things, like the Slackware user is supposed to make SSHD run on system boot. Well if they're not running SSHD already, why do they need to secure it?

And a bunch of other things I won't go into right now because I lack the time and or interest.

Just trying to be constructive, good luck!

Last edited by reverse; 05-09-2007 at 03:44 AM.
 
Old 05-09-2007, 04:03 AM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Why include instructions for a particular editor along with securing ssh?
You may want to add some items to edit in /etc/ssh/sshd_config:
# disable ssh protocol 1
protocol 2

# Only allow these users to login. This will disable all system account logins
allowusers <user1> <user2>

---
Manpages to read:
man ssh_config
man ssh
man sshd_config
 
Old 05-09-2007, 05:23 AM   #5
slacksubgenius
LQ Newbie
 
Registered: Jun 2006
Location: Uk
Distribution: Slackware
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks, This my first attempt at anything like this and I appreciate all comments and criticism.

reverse

Quote:
If you care about my opinion on how you could improved this "guide" .. here it is: why not, next to every action you ask the user to make, provided a paragraph as to who should do why, and why they should do it, and what the "downsides" are.
Thanks I will do this, I should have done this to begin with.


Quote:
Also, you are assuming two things: One is the fact that the Ubuntu user is not running under root (case in which all the sudo'ing would be pretty much redundant) and the other is that the Slackware user is running under root.
Thanks, This was part of a guide for a torrent box I put together for a desktop system so I could ssh in and use screen elinks and rtorrent to check torrents etc from my blackberry when out, I have assumed a few things. I will split them up and tweak them to make this clearer.



Quote:
And some other things, like the Slackware user is supposed to make SSHD run on system boot. Well if they're not running SSHD already, why do they need to secure it?

Thanks I will add a section about starting sshd, editing /etc/rc.d/rc.inet2 etc
It's running out the box on a default desktop Slackware install so I assumed it still would be.






jschiwal

Quote:
Why include instructions for a particular editor along with securing ssh?
Thanks, I had used nano throughout this guide and the rtorrent guide as I thought it would be the easiest for people to get used to using, without having to learn any commands.
I use vim but did not know if everyone would be comfortable using it.
Would you suggest changing this?

Quote:
You may want to add some items to edit in /etc/ssh/sshd_config:
Great I will add these, I will ammend it and try to explain every option as I go one by one.



fukawi2
Thanks I'll add to that when I have finished

Last edited by slacksubgenius; 05-09-2007 at 05:25 AM.
 
Old 05-31-2007, 04:07 AM   #6
slacksubgenius
LQ Newbie
 
Registered: Jun 2006
Location: Uk
Distribution: Slackware
Posts: 5

Original Poster
Rep: Reputation: 0
Redone
Thanks for your comments.
 
Old 05-31-2007, 12:44 PM   #7
hollywoodb
Member
 
Registered: Aug 2003
Location: Minnesota, U.S.A.
Distribution: Debian, openSUSE
Posts: 400

Rep: Reputation: 30
Also, there is /etc/hosts.allow and /etc/hosts.deny:

/etc/hosts.deny
Code:
sshd: ALL
will block everyone, except those specified in hosts.allow:
Code:
sshd: 192.168.1. , 172.155.232.12 , 246.223.212.25
for example.
 
Old 05-31-2007, 07:55 PM   #8
troybtj
LQ Newbie
 
Registered: May 2007
Location: South Dakota
Distribution: Debian Etch (8), XP (1), FreeBSD (1), HP-UX (1)
Posts: 23

Rep: Reputation: 15
This is a good guide for somebody familiar with ssh/sshd. To put something like this together to walk somebody fresh to *nix to secure would take a lot more text.

Your second "Friend" is the Fail2Ban package, where users only get 1 or 4 tries at authenticating before they are locked out by iptables (linux). You set the number of failures in the config file.
 
  


Reply

Tags
rsa, secure, security, slackware, ssh, ubuntu


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How Secure is SSH? AvatarofVirgo Linux - Security 8 08-14-2011 12:37 PM
What is the best way to secure SSH? punjabipredator Linux - Security 21 01-04-2007 09:19 AM
LXer: University of Michigan Selects SSH Tectia for Secure System Administration and Secure File Transfers LXer Syndicated Linux News 0 04-25-2006 12:54 AM
How can I test if my SSH is secure nutthick Linux - Security 2 12-15-2004 10:59 AM
how to secure ssh chongluo Linux - Security 3 11-04-2004 07:16 AM


All times are GMT -5. The time now is 04:54 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration