Step 1: Login
Posted 08-20-2012 at 01:59 PM by kbscores
So this weekend I was doing some research on limiting remote logins. There are so many ways to login to a system the easiest way is just to block everything and then allow essential protocols through. Most common way to access a Linux system remotely is through SSH.
I always thought that getty was used in conjunction with SSH for logging into a system, but it is not. Silly me. So how it works is getty is first checked by init, if everything looks good init spawns a getty process for each available terminal or serial connection.
Note: If init is killed getty dies with it poor getty.
Upon login getty grabs the username and password then passes that information to login. If username and password are correct login then runs the shell specified. Once the shell is terminated init spawns another getty instance for that terminal.
Note: The kernel has no knowledge of logins it is all handled by system programs
Ok so what about SSH?
SSH handles logins and manages its own set of data. This data is stored in the .ssh file within the users home directory. For example when you log into machineA from machineB a record is created on machineB to note that machineA is a known host. So when you log into machineA again from machine ssh knows it is a trusted machine. Any new hosts are automatically added to that specific user’s file. If a host’s identification information changes ssh will warn the user about this to prevent unauthorized access to that machine.
Note: If you are warned and the machine was actually changed and not hijacked all that is required is to remove the entry for that host in ~/.ssh/known_hosts.
So upon a successful login either a pre-specified command is ran or it will log the user into that computer over a encrypted connection. Once a user logs in they are provided what is called a pseudo terminal; however, a pseudo terminal is not always necessary.
The session terminates after command is finished or shell is exited.
So how do you limit ssh connections?
As far as I can tell PAMlimits will allow connections to be capped on a person to person basis. This means user Susie can only have x number of logins to the server, where x is the number of logins that have been set. So how do you accomplish this?
Add this line to /etc/pam.d/sshd:
session required pam_limits.so
Next change UsePAM to yes in /etc/ssh/sshd_config
So what about total number of simultaneous connections? Can those be limited?
Yes – by limiting iptables connections to port 22.
Here is the command to use –
[root] # iptables –I INPUT –p TCP --dport 22 --syn –m connlimit --connlimit-above 9 –j REJECT
So – with that I think I am going to work on a guide for iptables.
I always thought that getty was used in conjunction with SSH for logging into a system, but it is not. Silly me. So how it works is getty is first checked by init, if everything looks good init spawns a getty process for each available terminal or serial connection.
Note: If init is killed getty dies with it poor getty.
Upon login getty grabs the username and password then passes that information to login. If username and password are correct login then runs the shell specified. Once the shell is terminated init spawns another getty instance for that terminal.
Note: The kernel has no knowledge of logins it is all handled by system programs
Ok so what about SSH?
SSH handles logins and manages its own set of data. This data is stored in the .ssh file within the users home directory. For example when you log into machineA from machineB a record is created on machineB to note that machineA is a known host. So when you log into machineA again from machine ssh knows it is a trusted machine. Any new hosts are automatically added to that specific user’s file. If a host’s identification information changes ssh will warn the user about this to prevent unauthorized access to that machine.
Note: If you are warned and the machine was actually changed and not hijacked all that is required is to remove the entry for that host in ~/.ssh/known_hosts.
So upon a successful login either a pre-specified command is ran or it will log the user into that computer over a encrypted connection. Once a user logs in they are provided what is called a pseudo terminal; however, a pseudo terminal is not always necessary.
The session terminates after command is finished or shell is exited.
So how do you limit ssh connections?
As far as I can tell PAMlimits will allow connections to be capped on a person to person basis. This means user Susie can only have x number of logins to the server, where x is the number of logins that have been set. So how do you accomplish this?
Add this line to /etc/pam.d/sshd:
session required pam_limits.so
Next change UsePAM to yes in /etc/ssh/sshd_config
So what about total number of simultaneous connections? Can those be limited?
Yes – by limiting iptables connections to port 22.
Here is the command to use –
[root] # iptables –I INPUT –p TCP --dport 22 --syn –m connlimit --connlimit-above 9 –j REJECT
So – with that I think I am going to work on a guide for iptables.
Total Comments 0
