LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-07-2009, 07:31 AM   #1
Myiagros
Member
 
Registered: Mar 2009
Distribution: Ubuntu, CentOS 5.3
Posts: 75

Rep: Reputation: 18
SSH security improvements


I have been trying to improve the security of SSH here at the office but have run into a problem, and I am unsure if there is a way around it.
Currently we use SSH for connecting to the network from outside - "ssh -X local.network.com"
We were getting a lot of login attempts from outside the network, so I added the DenyHosts program to the login server to deny any attacks on the network, but there are still people trying. Due to the strain on the server from tunneling up to 15 connections at once to the rest of the network, I'd like to set up non-standard ports and then do port forwarding, so that using SSH to local.network.com along with the correct port you could SSH directly to your workstation.
I have set up the ports in sshd_config and set up port forwarding on the router, but there is the problem of the known_hosts file. Any time an SSH is done to local.network.com with a different port number it gives an error: "Offending key in /home/user/.ssh/known_hosts:1"
Is there a way to get around this problem? Maybe a setting with the SSH client?
 
Old 10-07-2009, 09:15 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 680
If you are forwarding ports on the gateway, you can forward them to port 22 on the destination. So port 2000 could go to hosta port 22, port 2002 could go to hostb port 22, etc. However, looking at my known_hosts file, I don't see a port number, just an IP address. Look at the first entry of the known_hosts file and see how its information differs from what you know about the connection attempt. Does it start with an IP address or a canonical name? Is the user's connection static or dynamic? If the user's IP address changed due to a DHCP lease expiring, the IP address listed in known_hosts won't match.

Could you look in the logs and see what the connection was that was rejected?

I would recommend using pubkey authentication. The instructions are in the comments of the /etc/ssh/sshd_config file; just above the "Use_Pam Yes" line. Make sure the users understand that they need to protect their private keys with a passphrase.

If a user always connects from the same location, you can use "AllowUsers" with the form "user@IP" or "user@hostname". Otherwise you can just list the username. That will deny attempts from other users, including system users who are the target of brute force attacks because they are known.

Changing the external port number for ssh will reduce the number of script kiddie attacks, but won't help if this is a targeted attack from a botnet. You might want to look at using fail2ban to extract the offender's IP address and add it to a blacklist that is blocked automatically.
 
Old 10-07-2009, 10:14 AM   #3
Myiagros
Member
 
Registered: Mar 2009
Distribution: Ubuntu, CentOS 5.3
Posts: 75

Original Poster
Rep: Reputation: 18
DenyHosts is doing the same thing that fail2ban does, I believe. If someone attempts to get in multiple times their IP is blocked, but of course it doesn't do much if someone has a dynamic IP.
What I'm more concerned about right now is limiting the bandwidth that is put on the server from all of the incoming connections. It isn't bad during the week, but on weekends 10-15 people may be working at the same time, causing the server to become busier; using port numbers and forwarding them would skip using the server as the access point.
 
Old 10-07-2009, 11:02 AM   #4
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by Myiagros View Post
I have been trying to improve the security of SSH here at the office but have run into a problem, and I am unsure if there is a way around it.
Currently we use SSH for connecting to the network from outside - "ssh -X local.network.com"
We were getting a lot of login attempts from outside the network, so I added the DenyHosts program to the login server to deny any attacks on the network, but there are still people trying. Due to the strain on the server from tunneling up to 15 connections at once to the rest of the network, I'd like to set up non-standard ports and then do port forwarding, so that using SSH to local.network.com along with the correct port you could SSH directly to your workstation.
I have set up the ports in sshd_config and set up port forwarding on the router, but there is the problem of the known_hosts file. Any time an SSH is done to local.network.com with a different port number it gives an error: "Offending key in /home/user/.ssh/known_hosts:1"
Is there a way to get around this problem? Maybe a setting with the SSH client?
The error you are getting with the known_hosts is because ssh is doing what it is supposed to and saying information has changed.

In the user's home directory there is a .ssh folder with the file known_hosts in it; the :1 is the corresponding key number.

If you had not ever connected to the server then it would not be an issue. To get around this, vi the known_hosts file and remove the corresponding line number, and it will then prompt for you to accept the key once you attempt to connect.
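To make the known_hosts lookup described above concrete, here is an added example (not code from this thread or from OpenSSH itself) in Python that mimics how the client matches a host against each line of the file and reports which line a differing key would be "offending". It reproduces three facts about the file format: a host reached on port 22 is recorded under its bare name, any other port is recorded as "[name]:port", and with HashKnownHosts the host field becomes |1|salt|HMAC-SHA1(salt, name). The known_hosts content, salt and key strings are constructed placeholders; local.network.com with ports 2000 and 2002 are taken from the thread's scenario.

```python
import base64
import hashlib
import hmac
import re

DEFAULT_PORT = 22


def host_token(hostname, port=DEFAULT_PORT):
    # OpenSSH looks up the bare name for port 22 and "[name]:port" for any other port
    return hostname if port == DEFAULT_PORT else "[%s]:%d" % (hostname, port)


def hash_host(token, salt):
    # Hashed host field (HashKnownHosts yes): |1|base64(salt)|base64(HMAC-SHA1(salt, token))
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def glob_match(pattern, token):
    # OpenSSH host patterns know only '*' and '?'; '[' is literal, so fnmatch would be wrong here
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, token) is not None


def field_matches(field, token):
    # A host field is a comma-separated list of plain patterns, '!'-negated patterns and hashed names
    matched = False
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pattern.split("|", 3)
            salt = base64.b64decode(salt_b64)
            mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
            continue
        if pattern.startswith("!"):
            if glob_match(pattern[1:], token):
                return False  # a negated pattern excludes the host outright
            continue
        if glob_match(pattern, token):
            matched = True
    return matched


def parse_known_hosts(text):
    # Returns (line number, host field, key type, key) per entry; @markers stripped, comments skipped
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) >= 3:
            entries.append((lineno, parts[0], parts[1], parts[2]))
    return entries


def lookup(text, hostname, port=DEFAULT_PORT):
    # Every known_hosts line whose host field covers this hostname/port, with its line number
    token = host_token(hostname, port)
    return [(n, ktype, key) for n, hosts, ktype, key in parse_known_hosts(text)
            if field_matches(hosts, token)]


def verify(text, hostname, port, keytype, presented_key):
    # Mirror the client's decision for a presented key: 'new', 'match' or 'mismatch' plus the lines involved
    same_type = [(n, key) for n, kt, key in lookup(text, hostname, port) if kt == keytype]
    if not same_type:
        return "new", []
    hits = [n for n, key in same_type if key == presented_key]
    if hits:
        return "match", hits
    return "mismatch", [n for n, _ in same_type]  # ssh reports these as "Offending key in ...:N"


# Constructed sample file: placeholder key strings, not real keys
SALT = bytes(range(20))  # constructed salt for the hashed line
KNOWN_HOSTS = "\n".join([
    "local.network.com ssh-rsa AAAAB3-GATEWAY-KEY",          # line 1: the gateway itself on port 22
    "[local.network.com]:2000 ssh-rsa AAAAB3-HOSTA-KEY",     # line 2: port 2000 forwarded to hosta
    hash_host(host_token("local.network.com", 2002), SALT)
    + " ssh-rsa AAAAB3-HOSTB-KEY",                             # line 3: port 2002 forwarded to hostb, hashed form
])

if __name__ == "__main__":
    for port in (22, 2000, 2002, 2004):
        print(port, lookup(KNOWN_HOSTS, "local.network.com", port))
    print(verify(KNOWN_HOSTS, "local.network.com", 22, "ssh-rsa", "AAAAB3-HOSTA-KEY"))
```

Because each port gets its own host field, a gateway that forwards port 2000 to one workstation and port 2002 to another can keep host-key checking on: each workstation's key lands on its own line, and only a key that differs from an already-recorded line for that exact name and port produces the mismatch. The lines verify() returns for "mismatch" are the ones ssh would print as "Offending key in known_hosts:N", which is what to inspect before deleting anything.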
 
Old 10-07-2009, 11:25 AM   #5
Myiagros
Member
 
Registered: Mar 2009
Distribution: Ubuntu, CentOS 5.3
Posts: 75

Original Poster
Rep: Reputation: 18
I've found a solution. I knew what the problem was when trying to connect. In order to use the same hostname but different ports I had to disable host key checking. The entire guide is here: http://linuxcommando.blogspot.com/20...-checking.html
Now I am able to SSH into the network from the outside to any computer (specified by port) while using the same hostname of "local.network.com".
 
Old 10-07-2009, 12:25 PM   #6
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by Myiagros View Post
I've found a solution. I knew what the problem was when trying to connect. In order to use the same hostname but different ports I had to disable host key checking. The entire guide is here: http://linuxcommando.blogspot.com/20...-checking.html
Now I am able to SSH into the network from the outside to any computer (specified by port) while using the same hostname of "local.network.com".
There is no issue with the StrictHostKeyChecking no, but I would recommend removing the UserKnownHostsFile=/dev/null so that it warns that they are different and the user can accept it. That way if something changed it would at least be seen by the user rather than ignored because the key is being sent to /dev/null.

Host 192.168.0.*
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null

To

Host 192.168.0.*
StrictHostKeyChecking no
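As an added example (not the poster's code), here is a small Python audit that reads an ssh_config fragment, resolves which options apply to a given command-line host name the way ssh does (first value obtained wins; Host patterns with *, ? and ! negation) and reports what the two settings above cost in host-key verification. It also evaluates a constructed alternative for the thread's gateway setup built on HostKeyAlias, a standard ssh_config directive that tells the client to record and look up the key under an alias instead of the real host name, so each forwarded port keeps its own known_hosts entry and checking stays on. Match blocks are outside this parser's scope and are rejected; all config texts are constructed samples.

```python
import re


def glob_match(pattern, value):
    # Host patterns use only '*' and '?' (the same mini-glob as OpenSSH); everything else is literal
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def parse_ssh_config(text):
    # Returns [(host patterns, {option: first value seen})]; options before any Host line live in a '*' block.
    # Match blocks are rejected rather than mis-evaluated: this is an audit helper, not a full ssh_config parser.
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            raise ValueError("Match blocks are not supported by this audit")
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def host_block_applies(patterns, host):
    # A block applies when some pattern matches the host and no '!'-negated pattern matches it
    positive = False
    for p in patterns:
        if p.startswith("!"):
            if glob_match(p[1:], host):
                return False
        elif glob_match(p, host):
            positive = True
    return positive


def effective_options(blocks, host):
    # ssh keeps the first value obtained for each option, so earlier applicable blocks win
    opts = {}
    for patterns, options in blocks:
        if host_block_applies(patterns, host):
            for k, v in options.items():
                opts.setdefault(k, v)
    return opts


def audit(text, host):
    # Returns (severity, message) findings about host-key verification for the given host name
    opts = effective_options(parse_ssh_config(text), host)
    strict = opts.get("stricthostkeychecking", "ask").lower()
    files = opts.get("userknownhostsfile", "~/.ssh/known_hosts ~/.ssh/known_hosts2").split()
    findings = []
    if "/dev/null" in files:
        findings.append(("high", "UserKnownHostsFile is /dev/null: no host key is ever recorded, "
                                 "so a changed key (and therefore a possible man-in-the-middle) is never detected"))
    if strict == "no":
        findings.append(("medium", "StrictHostKeyChecking no: new host keys are added without asking; "
                                   "a key that differs from the recorded one still triggers the mismatch warning"))
    return findings


# Constructed copies of the two fragments discussed in the post
CONFIG_DEVNULL = """Host 192.168.0.*
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
"""

CONFIG_NO_STRICT = """Host 192.168.0.*
StrictHostKeyChecking no
"""

# Assumed alternative for the thread's setup: one alias per forwarded port, each with its own known_hosts name
CONFIG_ALIASES = """Host hosta
    HostName local.network.com
    Port 2000
    HostKeyAlias hosta
Host hostb
    HostName local.network.com
    Port 2002
    HostKeyAlias hostb
"""

if __name__ == "__main__":
    for name, cfg in (("devnull", CONFIG_DEVNULL), ("no-strict", CONFIG_NO_STRICT)):
        print(name, audit(cfg, "192.168.0.10"))
    print("aliases", audit(CONFIG_ALIASES, "hosta"), effective_options(parse_ssh_config(CONFIG_ALIASES), "hostb"))
```

With the alias form a user types "ssh hosta" or "ssh hostb"; the client still connects to local.network.com on the forwarded port, but records each workstation's key under its alias, so the first connection asks once per workstation and any later key change on that port is reported instead of silently accepted.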
 