LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat
User Name
Password
Red Hat This forum is for the discussion of Red Hat Linux.

Notices

Reply
 
Search this Thread
Old 09-05-2006, 09:06 AM   #1
sysconfig
Member
 
Registered: Sep 2006
Location: (.)
Posts: 44

Rep: Reputation: 15
How to :: Securing SSH: protocol SSH2 and hiding the direct access of root


1) Create a new and unique root access user. Login as root using a ssh connection such as Putty. Make sure you have the latest version of Putty that supports SSH2.

Add a user named Ďadminí or any name:

Quote:
# /usr/sbin/adduser <username>
-OR-
#useradd <u_name>

#useradd admin
Verify that you have added the user

Add user to the wheel group (this is the important step in this ducument)

(The Wheel group is a user group that can gain access to root on your server by using the su command. You can add and remove users from that group as required.)

Quote:
# /usr/sbin/usermod -G wheel admin
Change user permissions:

Quote:
# chmod 4750 /bin/su;chown root:wheel /bin/su
(why 4(to set SUID) in chmod? It appears that the 4 sets the SUID bit, If setuid bit is set, when the file (su) is executed by a user, the process will have the same rights as the owner of the file being executed (which is root who has rwx permissions)

Further the permissions are changed so that root has read write execute permissions (47 rws, as both owner execute and SUID are set x is replaced by s) the group has execute only permissions (5 --x) while all others have no acess to the file (0 ---)

Check su command permissions

Quote:
# ls -al /bin/su
The result should be: -rwsr-x--- 1 root wheel 34567 Mar 20 2005 /bin/su

Note: the file size and date may be different from the example.

Exit and relogin with the new user name admin and test out su command.

Quote:
# nano -w /etc/ssh/sshd_config
2) Next we will force the use of SSH2 by changing the line "#Protocol 2, 1" to:

Quote:
Protocol 2
Next, we will disable direct root login access by changing the line "#PermitRootLogin yes" to:

Quote:
PermitRootLogin no
Next, we will change the ssh port to a high level port instead of '22' by changing the line "'#Port 22" to:

Quote:
Port 7777
(7777 can be any other high number you desire and also available. ***Make sure this port is open if you already have a firewall installed, or you will be locked out)

Exit and save.

Restart SSH using the following command:

Quote:
/etc/rc.d/init.d/sshd restart
Now exit out and restart your SSH with 7777 (or the number you entered above) as the port. Start the terminal and login with the username (admin) created above.

Note:

If you made any mistakes and you are locked out, then you have to connect using telnet and correct the problem. After the problem is corrected, you must change your password, because Telnet may have exposed your password since it transmits log in data using plain text.

3) Have the server e-mail you every time someone logs in as root:
Quote:
# cd
# nano .bash_profile
And put this text at the very end:

Quote:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" support@yourdomain.com
(You can add several addresses by having a space in between. Make sure you also use an off-server email address, otherwise if the server is hacked, you won't receive any email alart.)

4) Now since everything is working well through SSH, you can disable Telnet:

Quote:
# nano -w /etc/xinetd.d/telnet
Change disable = no to yes
Save and Exit

Quote:
# /etc/init.d/xinetd restart
 
Old 09-06-2006, 06:01 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Rep: Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732
hiding the direct access of root
Exactly wWhat benefit has that knowing everyone knows the box has a root account anyway?
]# getent group wheel


/usr/sbin/usermod -G wheel admin
Grand. Now everyone uses the admin account to ssh in instead of their own unprivileged account which is by far the better (efficient, controllable, auditable) way. And once they su to root all audit trails are gone. Fix that using Sudo and configure users to su to root to use a wrapper like Rootsh which logs all actions. Yes, it can syslog, so you can have your audit trails *remote*.


the permissions are changed so that root has read write execute permissions
No need to modify access rights on binaries. Could be ACL'ed through PAM this easy way using a standard PAM module: add line "auth required /lib/security/$ISA/pam_listfile.so item=user sense=allow file=/etc/su.allow onerr=fail" to /etc/pam.d/su, then add usernames, one per line, in /etc/su.allow. Done.


Port 7777
Nice. Security by obscurity, which provides NO SECURITY at all. If you want to guard access to SSH it's better (efficient, controllable, auditable) to restrict access (sshd_config, firewall, PAM) to known management IP's or ranges. If you're not able to do that then using one of the methods listed in the Linux - Security forum sticky Failed SSH login attempts should provide better (efficient, controllable, auditable) ways to thwart crackers. Oh, and run a backup SSH from Xinetd on a different port, just in case.


Just my thoughts.
 
Old 09-07-2006, 08:05 AM   #3
sysconfig
Member
 
Registered: Sep 2006
Location: (.)
Posts: 44

Original Poster
Rep: Reputation: 15
nice one....
 
Old 09-07-2006, 08:30 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Rep: Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732
What is?...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
which telnet/ssh/ssh2 software to use? hongxing Linux - Software 4 10-23-2005 09:40 AM
SSH Root Access DediPlace Linux - Security 6 05-29-2005 11:05 AM
Confusing! SSH, ssh1, ssh2, protocols 1/2, ... overbored Linux - Software 3 09-23-2004 09:56 PM
Securing a system and its SSH install for access from the outside TheOneKEA Linux - Security 4 07-07-2004 03:27 PM
Securing root access vcheah Linux - Security 6 12-23-2001 03:03 PM


All times are GMT -5. The time now is 06:05 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration