LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-08-2011, 01:54 PM   #76
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2

So when I use this, which I used now to isolate the machine:

Code:
iptables -A INPUT -p tcp -m tcp -s <your-ip> --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

You will also want to shut down port 22 on the output. Your SSH connection shouldn't use port 22 outbound
iptables -A OUTPUT ! -d <your ip> -j DROP # Blocks all packets NOT going to your IP
Your commands


Code:
#!/bin/bash

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
should reverse that?

Or should I follow the exact same route I took to isolate, but in the opposite direction, like:

Code:
iptables -A OUTPUT ! -d <your ip> -j ACCEPT
iptables -A INPUT -j ACCEPT
For argument sake let's say that this will be my last action after I have completely set up the server with all security measure are in place.
 
Old 05-09-2011, 02:20 AM   #77
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Update:

I have requested a re-install of the machine, once I get the confirmation from my hoster that it has been finished, I will first isolate the machine again, apply the security tips discussed here and check with you guys if need be (and if you're still willing to lend me a hand
 
Old 05-09-2011, 04:33 AM   #78
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
I am sure any of us would be more than happy to help you in getting the machine secured.

In the discussion on the iptables firewall, we failed to mention an important point. By default, iptables rules like those you applied to isolate the machine are not persistent in that the will not restore following a reboot. In order to get the to automatically apply on startup you need to call a script for this purpose. Thankfully, there are two standard scrips that come with iptables that do the job for you: iptables-save and iptables-restore. Once you have your firewall in place and configured how you want it, you can run the command:

Code:
iptables-save > /etc/iptables.rules (or some other name and location of your choice)
This will create a file called iptables.rules that will have the commands necessary to restore your settings. You can then use the command:
Code:
iptables-restore < /etc/iptables.rules
to restore it. Note the > and < and the direction. This is called input re-direction and is one of the most powerful and useful features of the CLI.

Where to place the restore command is a matter of some debate, but any of the good how-to documents on iptables will have recommendations. On my servers, running Ubuntu Server edition, which is similar to Debian, I have the following line in my /etc/network/interfaces for eth0
Code:
pre-up iptables-restore < /etc/iptables.rules
This puts the rules in place just before the ethernet port is activated.

I also would like to comment on your question about reversing the rules to undo them. You actually have the right idea and almost has the right syntax. When you want to delete a rule from iptables you use the same syntax as when you ADD a rule to iptables (e.g. iptables -A INPUT ...) except that instead of -A for add, it is -D for drop with everything else being the same. So a drop rule would be iptables -D INPUT ...
 
2 members found this post helpful.
Old 05-10-2011, 08:06 AM   #79
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Ok,

machine has had a low level (0 fill) format and a reinstall.

It has Debian Squeeze and Plesk 10.2 freshly installed.

I have logged in to Plesk and entered the IP-adresses which the machine is supposed to use, 8 in total.

I have logged out of Plesk and isolated the machine again using

Code:
iptables -A INPUT -p tcp -m tcp -s <your-ip> --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

iptables -A OUTPUT ! -d <your ip> -j DROP
I reckon my first action now should be to prepare the machine for only accepting an SSH-connection from me, based on RSA authentication?
Next revoke the standard Root-rights when I log in through SSH, so that when I log in I will have to use sudo + password each time I need root-rights?
After that install one of those file-integrity checks.

And after these first three small steps I need to follow the rest of the tips to make it a secure hosting-server.

Am I thinking along the correct lines now?

Update:
Have set the RSA-key, though am confused now.....

I used this method to set the RSA-key and after that I went into /etc/ssh/sshd_config, toggled the setting for PasswordAuthentication to "no" and after that used /etc/init.d/ssh to restart the service.
Now when I login I get asked for my passphrase for the RSA-key, which is good, but after that I still get asked for a password to login, and that was the one I didn't see coming.
Is this normal behaviour?

Update 2:
I already get an idea what's going on. The command I used, restarted ssh and not sshd. But now I run into the problem that there is no sshd located in /etc/init.d/.
Why does this always happen to me?

Update 3:

Ok, current situation is close to what it's supposed to be I guess: I have made a new useraccount on the server by using
Code:
adduser "username"
.
It's a standard-account, so there should be no elevated rights if I'm correct.
Now, when I just use
Code:
ssh xxx.xxx.xxx.xxx
I get asked for my passphrase-RSA, after that my password and I am connected over SSH.
When I want to go to /root/ for example, access is denied. When I use "su" and fill out the root-password I can get access.

I think this is what I want.

But now there is still the possibility to login using
Code:
ssh root@xxx.xxx.xxx.xxx
, which gives me direct root-access after filling out the passphrase and the password. I think this is the one that needs to get disabled, correct?

No more updates for now, I will await some answers first

Last edited by MartinM; 05-10-2011 at 09:32 AM. Reason: Updates
 
Old 05-10-2011, 11:25 AM   #80
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
Getting prompted for a password after your RSA key password suggests that the RSA key may not have been working. Keep in mind, that you need to put the key in the folder for the user account you will be logging in as and that this should not be the root account. Being able to SSH in without a password is an indication that something has either been messed up in a major way or you have created and installed an SSH key without a password. If you have placed a key in the the .ssh folder under root, I suggest you remove it. The correct procedure would be to log in as a normal user and the su to root using a password. Restarting ssh, not sshd, should have worked. Do not turn off password authentication until you are sure you can login via the keys. If the key login is successful, you won't be asked for a password, except the one for the key.

I have attached what I typically use for an sshd_config which you can use to compare for your settings. Once you have the key based authentication and direct root login disabled (note the PermitRootLogin no line), then you can undo the iptables rules restricting access to your ip range only as you have dynamic IPs.
Attached Files
File Type: txt sshd_config.txt (1.9 KB, 5 views)
 
Old 05-10-2011, 11:50 AM   #81
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
I'm afraid I've really done it this time.....locked myself out.

I followed the steps as pointed out in the procedure:
- generated the key
- went to /home/my-username/.ssh/authorized_keys
- copied the id_rsa.pub into that directory

So far so good. At that time I got into the situation where while connecting I first got a request for the passphrase which belongs to the RSA-authentication, after that a request for the "normal" SSH-password.

At that time I decided to edit the sshd_config and re-uploaded it.

Restarted ssh, restarted the session and now I connot login anymore

Code:
MartCom-iMac:~ my-username$ ssh xx.xx.xxx.xx
Identity added: /Users/my-username/.ssh/id_rsa (/Users/my-username/.ssh/id_rsa)
Permission denied (publickey).
Attached is my sshd-config

An important extra remark is that I also installed OSSEC HID, install went fine, no remarks, no reports, all options default except for the Whitelist, I added my personal IP from my home-machine manually.

Update: important detail: thanks to the fact that I rebooted the machine in between, the Iptables-rule is removed and I do have Plesk as an point of entry. Don't know how to resolve it yet, but at least there still is an entrance. Hopefully it's a useful one.
Attached Files
File Type: txt sshd_config.txt (2.4 KB, 8 views)

Last edited by MartinM; 05-10-2011 at 12:05 PM. Reason: Update
 
Old 05-10-2011, 12:13 PM   #82
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 418Reputation: 418Reputation: 418Reputation: 418Reputation: 418
Quote:
- went to /home/my-username/.ssh/authorized_keys
- copied the id_rsa.pub into that directory
Um, I think this is your problem in that authorized_keys needs to be a file containing the contents of any allowed keys, not a directory. On my server, my authorized_keys files contains a key for each of the computers I use to connect.

I'm not sure how to correct this one remotely, you may need to get someone local to log in and reset sshd to allow password logins. By the way, you can leave password logins enabled until you're sure that your keys are working correctly.
 
Old 05-10-2011, 01:10 PM   #83
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Well, one thing's for sure, OSSEC HID is running

Code:
OSSEC HIDS Notification.
2011 May 10 19:50:04

Received From: mmn001->/var/log/auth.log
Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of reverse lookup errors)."
Portion of the log(s):

May 10 19:50:03 mmn001 sshd[12157]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.97.194] failed - POSSIBLE BREAK-IN ATTEMPT!
May 10 19:50:03 mmn001 sshd[12156]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.97.194] failed - POSSIBLE BREAK-IN ATTEMPT!
May 10 19:50:00 mmn001 sshd[12152]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.97.194] failed - POSSIBLE BREAK-IN ATTEMPT!
May 10 19:50:00 mmn001 sshd[12150]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.97.194] failed - POSSIBLE BREAK-IN ATTEMPT!
May 10 19:50:00 mmn001 sshd[12151]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.97.194] failed - POSSIBLE BREAK-IN ATTEMPT!



--END OF NOTIFICATION
And since even I cannot get in on ssh, I guess his efforts will be useless as well :P
 
Old 05-10-2011, 01:23 PM   #84
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by Hangdog42 View Post
Um, I think this is your problem in that authorized_keys needs to be a file containing the contents of any allowed keys, not a directory. On my server, my authorized_keys files contains a key for each of the computers I use to connect.
I'm sure you're right, I misread the instructions.

Quote:
On each machine to which where you want to login, put /home/username/.ssh/id_rsa.pub into /home/username/.ssh/authorized_keys.
I read that as "you need to put the id_rsa.pub in the authorized_keys directory".

Now, when I look in a id_rsa.pub file, I see the contents starts with "ssh-rsa" and ends with an "account-name". In the instructions it says that if you want to use several keys, you need to "concatenate" them in that authorized_keys file. Could someone please explain what concatenate means in "English for Foreigners and n00bs"
 
Old 05-10-2011, 02:58 PM   #85
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
"concatenate" means to join together into one unit. For example, two number strings: "123" and "456". If I were to concatenate them, the result would be "123456." Another way to think about it would be to say append the data to the end.

In a previous post I mentioned input and output redirection on the command line using > and <. When using output redirection > will overwrite the contents, while >> will append or concatenate the output. Before you make changes to your authorized_keys, be sure to make a temporary copy of it in case you make a mistake (been there done that).
 
Old 05-10-2011, 03:14 PM   #86
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Ok, so if id_rsa.pub #1 is

Code:
ssh-rsa
blablablablablablabla
blablabla user1@mmn001.local
and id_rsa.pub #2 is

Code:
ssh-rsa
blibliblibliblibliblibli
bliblibli user2@mmn001.local
my authorized_keys file should simply be

Code:
ssh-rsa
blablablablablablabla
blablabla user1@mmn001.local
ssh-rsa
blibliblibliblibliblibli
bliblibli user2@mmn001.local
Is that correct?

Last edited by MartinM; 05-10-2011 at 03:16 PM.
 
Old 05-10-2011, 03:19 PM   #87
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 418Reputation: 418Reputation: 418Reputation: 418Reputation: 418
Quote:
Originally Posted by Noway2
be sure to make a temporary copy of it in case you make a mistake (been there done that).
+1. That is one of those mistakes that is painful enough that you only make once. Unless you're me.


When I add a key, I always copy authorized_keys to authorized_keys.backup and then use:

cat authorized_keys.backup id_rsa.pub > authorized_keys


You probably don't want to use a text editor as some of them introduce line breaks that will screw up the key. The key has to be on a single line.

Quote:
Is that correct?
Yeah, just make sure the keys are all on a single line, no breaks.

Last edited by Hangdog42; 05-10-2011 at 03:23 PM.
 
Old 05-10-2011, 03:52 PM   #88
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Ok,

I'll make a new authorized_keys file, with the correct id_rsa.pub's in it and ask the hoster to locally log in to the machine tomorrow and place that file in the correct location.

Quote:
Originally Posted by Hangdog42 View Post
You probably don't want to use a text editor as some of them introduce line breaks that will screw up the key. The key has to be on a single line.
Can I simply use nano for that in the future?


That should do the trick I guess and I should be able to login using RSA authentication from that moment on, since I believe that my sshd_config is correct the way it is now.

After that I will make new RSA-keys based on a different passphrase, since the hoster will be in possession of the current keys. Or am I being too suspicious now?

Last edited by MartinM; 05-10-2011 at 03:54 PM.
 
Old 05-10-2011, 04:33 PM   #89
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 418Reputation: 418Reputation: 418Reputation: 418Reputation: 418
Quote:
Originally Posted by MartinM
Can I simply use nano for that in the future?
You probably could, but I use cat and redirects just to be safe.

Quote:
Originally Posted by MartinM
After that I will make new RSA-keys based on a different passphrase, since the hoster will be in possession of the current keys. Or am I being too suspicious now?
Well, as long as the hoster doesn't have access to the private key, you probably don't have to worry. Remember the point behind a public/private keypair is that the public key is for distribution and as long as the private key is secure, you're good. There isn't a way to get the private key from possession of the public one.
 
Old 05-10-2011, 11:23 PM   #90
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 232

Rep: Reputation: 8
If he is going to use keys for logging in, wouldn't AES encryption be best(instead of RSA)?

If decides to use passwords for logging in SSH...wouldn't ECC encryption be best?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[iptables] How to block brute force attacks? littlebigman Linux - Software 2 04-05-2011 04:48 AM
[SOLVED] Server receiving a lot of brute force SSH attacks the182guy Linux - Newbie 6 10-16-2009 08:27 AM
[SOLVED] MySql-ban brute force attacks? qwertyjjj Linux - Software 3 08-10-2009 05:28 AM
Does anyone know if guardian can be set to block brute force attacks and only brute f abefroman Linux - Software 2 06-05-2008 10:55 AM
Question on Brute Force Attacks Mad Mike Linux - Security 4 10-16-2006 10:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:03 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration