Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have been trying to improve the security of SSH here at the office but have run into a problem and I am unsure if there is a way around it.
Currently we use SSH for connecting to the network from outside - "ssh -X local.network.com"
We were getting alot of login attempts from outside the network so I added the DenyHosts program to the login server to deny any attacks on the network but there are still people trying and due to the strain on the server from tunneling up to 15 connections at once to the rest of the network, I'd like to set up non-standard ports then do port forwarding so that using SSH to local.network.com along with the correct port you could SSH directly to your workstation.
I have set up the ports in sshd_config and set up port forwarding on the router but there is the problem of the known_hosts file. Any time an SSH is done to local.network.com with a different port number it gives an error: "Offending key in /home/user/.ssh/known_hosts:1"
Is there a way to get around this problem? Maybe a setting with the SSH client?
If you are forwarding ports on the gateway, you can forward them to port 22 on the destination. So port 2000 could go to hosta port22, port 2002 could go to hostb port22, etc. However looking at my known_hosts file, I don't a port number, just an IP address. Look at the first entry of the known_hosts file and see how it's information differs from what you know about the connection attempt. Does it start with an IP address or a canonical name? Is the user's connection static or dynamic? If the users IP address changed due to a DHCP lease expiring, the IP address listed in known hosts won't match.
Could you look in the logs and see what the connection was that was rejected?
I would recommend using pubkey authentication. The instructions are in the comments of the /etc/ssh/sshd_config file; just above the "Use_Pam Yes" line. Make sure the users understand that they need to protect their private keys with a passphrase.
If a user always connects from the same location, you and use "AllowUsers" with the form "user@IP" or "user@hostname". Otherwise you can just list the Username. That will deny attempts from other users including system users who are the target of brute force attacks because they are known.
Changing the external port number for ssh will reduce the number of script kiddie attacks, but won't help if this is a targeted attack from a bot net. You might want to look at using fail2ban to extract the offenders IP address and add it to a blacklist that is blocked automatically.
DenyHosts is doing the same this that fail2ban does I believe. If someone attempts to get in multiple times their IP is blocked but of course it doesn't do much if someone has a dynamic IP.
What I'm more concerned about right now is limiting the bandwidth that is put on the server from all of the incoming connections. It isn't bad during the week but on weekends when 10-15 people may be working at the same time, causing the server to become busier where using port numbers and forwarding them would skip using the server as the access point.
I have been trying to improve the security of SSH here at the office but have run into a problem and I am unsure if there is a way around it.
Currently we use SSH for connecting to the network from outside - "ssh -X local.network.com"
We were getting alot of login attempts from outside the network so I added the DenyHosts program to the login server to deny any attacks on the network but there are still people trying and due to the strain on the server from tunneling up to 15 connections at once to the rest of the network, I'd like to set up non-standard ports then do port forwarding so that using SSH to local.network.com along with the correct port you could SSH directly to your workstation.
I have set up the ports in sshd_config and set up port forwarding on the router but there is the problem of the known_hosts file. Any time an SSH is done to local.network.com with a different port number it gives an error: "Offending key in /home/user/.ssh/known_hosts:1"
Is there a way to get around this problem? Maybe a setting with the SSH client?
The error you are getting with the known_hosts is because ssh is doing what it is supposed to and saying infomation has changed.
in the users home directory there is a .ssh folder with the file known_hosts in it the :1 is the corresponding key number.
If you had not ever connected to the server then it would not be an issue. To get around this vi the known_hosts file and remove the corresponding line number and it will then prompt for you to accept the key once you attempt to connect.
I've found a solution. I knew what the problem was trying to connect. In order to use the same hostname but different ports I had to disable host key checking. The entire guide is here: http://linuxcommando.blogspot.com/20...-checking.html
Now I am able to SSH into the network from the outside to any computer(specified by port) while using the same hostname of "local.network.com"
I've found a solution. I knew what the problem was trying to connect. In order to use the same hostname but different ports I had to disable host key checking. The entire guide is here: http://linuxcommando.blogspot.com/20...-checking.html
Now I am able to SSH into the network from the outside to any computer(specified by port) while using the same hostname of "local.network.com"
There is no issue with the StrictHostKeyChecking no but i would recommend removeing the UserKnownHostsFile=/dev/null so that it warns that they are different and the user can accept it. That way if something changed it would at least be seen by the user rather than ignored because the key is being sent to dev/null
Host 192.168.0.*
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
