
#1 2008-06-13 13:14:23

vomix
Member
From: Belgium
Registered: 2007-05-02
Posts: 84

SSH, wifi & basic security.

Hi all,

I've been discovering the joys of a wireless connection for two weeks now, and I'm thinking about SSH to get remote access to my old computer, which is now used as a huge jukebox: plugged into the hi-fi system and running MPD!

Actually, it's working great (with a basic ssh configuration, created with the help of the mighty wiki), but I'm a little paranoid about security.

- My network is encrypted with WPA2 and is filtering MAC addresses,
- The two machines (host & client) both have dedicated static IPs,
- I put the AllowUsers <myusername> option in sshd_config
- The PermitRootLogin no option in sshd_config is working, but I can still log in as root with the su command once logged in as a regular user. Is there a way to change this?
- Changing the SSH port seems logical, but to which number? I suppose there's a range to respect, and I don't know if this will affect other applications using certain ports (e.g. mpd, rtorrent, ...). I'm not familiar with this kind of thing, so if someone has some good and not-so-technical documentation, it would be cool.
- Last question: is there a way to improve the network/SSH security?

Cheers,
Vomix.


#2 2008-06-13 13:29:06

sniffles
Member
Registered: 2008-01-23
Posts: 275

Re: SSH, wifi & basic security.

- The PermitRootLogin no option in sshd_config is working, but I still can login as root with the su command, once logged as a regular user.  Is there a way to change this?

Sure: chmod 000 `which su` -- and nobody will be able to use "su" [Note: probably dangerous]. The question is, why would you want to do this? What exactly would you be avoiding?

- Changing the ssh port seems logic, but to which number?

Check out /etc/services.

- Last question: is there a way to improve the network/ssh security?

"Network security" is quite a large field. SSH? How about a firewall to make sure only certain boxes can connect? How about doubling that with TCP Wrappers? Are you using passwords or public keys? How about making use of port knocking?


#3 2008-06-13 13:29:18

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941
Website

Re: SSH, wifi & basic security.

- If you have PermitRootLogin no and you don't want to use su to log in as root, how do you want to restart services, change a configuration or install new software?
If you have direct access to the computer, do not put the user in the wheel group and su will not work.
EDIT:
I see that I'm wrong.
You can change the group of /bin/su to root:wheel and the permissions to 750.

- Changing the port isn't good, because if somebody wants to hack your server he will scan your IP and find your SSH port even if you change it. You can use whatever port you want, even 80 if the server doesn't use that one.
- No password login. Use keys.

Last edited by wonder (2008-06-13 13:36:48)


Give what you have. To someone, it may be better than you dare to think.


#4 2008-06-13 14:54:14

miggy
Member
From: MT
Registered: 2007-11-05
Posts: 67

Re: SSH, wifi & basic security.

The wheel group restriction does work if you have the correct line in /etc/pam.d/su:

auth        required    pam_wheel.so use_uid

It is probably already there, just commented out at the moment.


#5 2008-06-13 15:30:11

zenlord
Member
From: Belgium
Registered: 2006-05-24
Posts: 1,221
Website

Re: SSH, wifi & basic security.

vomix wrote:

- My network is encrypted with WPA2 and is filtering MAC addresses,

And you're still paranoid about security?

I think you're exaggerating. If a hacker really wants to break into your system, he'll probably be able to do so no matter what you do to avoid it. Using WPA2 with AES makes it very hard to break in, and if you limit the connections to specified MAC addresses, then your wireless network is as secure as it gets.

To secure the internal network from the evil internet, I would suggest the use of iptables to block all incoming traffic to your machines except the traffic coming from those same MAC-addresses.

Zl.


#6 2008-06-13 15:52:56

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: SSH, wifi & basic security.

vomix wrote:

- Changing the ssh port seems logic, but to which number?

wonder wrote:

- changing port isn't good because if somebody want to hack your server he will scan your ip and will find your ssh port even you change it. you can put what port you want even 80 if the server didn't use that one.

If he puts sshd on some high non-standard port he could avoid a large number of automated scans and bot/brute-force attacks. Targeted attacks you wouldn't avoid... security through obscurity, it's your choice.

Also consider using knockd.


You need to install an RTFM interface.


#7 2008-06-13 16:18:04

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: SSH, wifi & basic security.

Or use something that blocks an IP for a couple of minutes after some unsuccessful login attempts. There are plenty of programs/scripts doing that, for instance denyhosts, sshguard, sshdfilter...

And you should really go with the keys (google for 'ssh keys').
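The core of what the tools named above automate, as an added example that is not part of the thread: read sshd's syslog lines, count password failures per source address, and list the sources that cross a threshold. The log lines, hostname "jukebox" and addresses (203.0.113.x is a documentation range, 192.168.1.10 stands in for the LAN client) are constructed for this example.

```shell
# Constructed sample of sshd syslog lines (classic "Failed password" format).
# Not real log data; hosts and addresses are made up.
SAMPLE_AUTH_LOG='Jun 13 16:01:02 jukebox sshd[2101]: Failed password for root from 203.0.113.5 port 40210 ssh2
Jun 13 16:01:04 jukebox sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40214 ssh2
Jun 13 16:01:07 jukebox sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40220 ssh2
Jun 13 16:01:09 jukebox sshd[2107]: Invalid user oracle from 203.0.113.5
Jun 13 16:01:11 jukebox sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 40231 ssh2
Jun 13 16:02:30 jukebox sshd[2111]: Failed password for vomix from 192.168.1.10 port 51001 ssh2
Jun 13 16:02:35 jukebox sshd[2113]: Accepted publickey for vomix from 192.168.1.10 port 51002 ssh2
Jun 13 16:03:00 jukebox sshd[2115]: Failed password for invalid user guest from 203.0.113.77 port 33012 ssh2
Jun 13 16:03:02 jukebox sshd[2117]: Failed password for invalid user guest from 203.0.113.77 port 33013 ssh2'

# failed_logins_by_source: reads sshd log lines on stdin and prints
# "count ip" per source, most failures first. Only "Failed password"
# lines count; "Invalid user" and "Accepted" lines are ignored. Note that
# one mistyped password from the LAN client shows up too, which is why
# the threshold below matters.
failed_logins_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address is the token right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip[$(i+1)]++; break }
        }
        END { for (a in ip) print ip[a], a }' | sort -rn
}

# brute_force_sources THRESHOLD: reads sshd log lines on stdin and prints
# the addresses with at least THRESHOLD failures, one per line. This is
# the list you would feed to iptables or hosts.deny.
brute_force_sources() {
    failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Walk-through on the constructed sample:
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
```

On the sample this reports 4 failures from 203.0.113.5, 2 from 203.0.113.77 and 1 from 192.168.1.10, and with a threshold of 3 only 203.0.113.5 is listed. Blocking an address from that list is one iptables rule, e.g. `iptables -A INPUT -s 203.0.113.5 -p tcp --dport 22 -j DROP`; the dedicated tools add the time window and the automatic unblocking.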


#8 2008-06-13 16:20:43

vomix
Member
From: Belgium
Registered: 2007-05-02
Posts: 84

Re: SSH, wifi & basic security.

Yeah I know, maybe I'm exaggerating; I've surely read too many books / "omg phrakture was hacked!1" threads / or seen too many movies (make your choice), but I think it's also an opportunity to improve my nonexistent network knowledge.

So, as a first step, I'll replace lame passwords with public keys (I didn't know it was possible), and have a look at the famous iptables.

Thanks to you all!


#9 2008-06-13 16:23:17

Zepp
Member
From: Ontario, Canada
Registered: 2006-03-25
Posts: 334
Website

Re: SSH, wifi & basic security.

zenlord wrote:
vomix wrote:

- My network is encrypted with WPA2 and is filtering MAC addresses,

If a hacker really wants to break into your system, he'll probably be able to do so no matter what you're doing to avoid it

This is just overexaggerated paranoia. Not everything is hackable like in the movies; it is possible to secure a device so that a little determination still won't let people in.

As for securing your wireless, I think WPA2+AES is enough. SSH, however, is encrypted regardless, so it should be secure regardless of whether your wifi is open or not. I'd enable public key authentication and disable password authentication as well as root logins. You don't have to worry about being able to su after logging in, since no one should be able to get that far but you.

Changing the SSH port can get rid of those annoying bots that try to brute force their way in; however, it isn't necessary after you have disabled password authentication. They will never succeed if you allow only public key authentication, so it is up to you whether you want to leave it on 22 or not.

Oh, and you can allow/deny certain hosts from connecting in several ways, including a firewall or directly in the sshd config file.

Last edited by Zepp (2008-06-13 16:23:49)
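The sshd_config settings this thread converges on (no root login, keys only, no passwords, AllowUsers), checked the way sshd itself reads the file, as an added example that is not part of any post here. Two points of OpenSSH semantics the check honours and that hand-inspection often gets wrong: the first occurrence of a keyword wins, and everything after the first Match line is conditional, so it must not be read as the global value. The two sample configs are constructed for this example; the user name vomix comes from the thread, the 192.168.1.0/24 LAN is assumed.

```shell
# sshd_option FILE KEYWORD: print the effective global value of KEYWORD in an
# sshd_config, or nothing if it is not set. Keywords are case-insensitive,
# both "Key value" and "Key=value" are accepted, comments and blank lines are
# skipped, the first occurrence wins, and parsing stops at the first Match
# line because everything below it only applies conditionally.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (match(line, /^[^[:space:]=]+/)) {
                k = tolower(substr(line, RSTART, RLENGTH))
                v = substr(line, RSTART + RLENGTH)
                sub(/^[[:space:]]*=?[[:space:]]*/, "", v)
                sub(/[[:space:]]+$/, "", v)
                if (k == key) { print v; exit }
            }
        }' "$1"
}

# audit_sshd_config FILE: print one line per weak setting; the exit status is
# the number of findings, so 0 means clean. Unset options are judged by the
# sshd_config(5) defaults (PasswordAuthentication defaults to yes; the
# PermitRootLogin default has changed between OpenSSH versions, so unset is
# reported rather than trusted).
audit_sshd_config() {
    cfg=$1
    findings=0
    v=$(sshd_option "$cfg" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "PermitRootLogin is '${v:-unset}'; set it to no"; findings=$((findings + 1)) ;;
    esac
    v=$(sshd_option "$cfg" PasswordAuthentication)
    case "$v" in
        no) ;;
        *) echo "PasswordAuthentication is '${v:-unset, defaults to yes}'; use keys and set it to no"; findings=$((findings + 1)) ;;
    esac
    v=$(sshd_option "$cfg" PubkeyAuthentication)
    case "$v" in
        no) echo "PubkeyAuthentication is no; keys cannot be used"; findings=$((findings + 1)) ;;
    esac
    v=$(sshd_option "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers is unset; every account with a shell may log in"; findings=$((findings + 1)); }
    return "$findings"
}

# write_sample_configs DIR: two constructed configs, a stock-looking one and
# the hardened shape the thread recommends. Sample data, not a real box.
write_sample_configs() {
    cat > "$1/weak" <<'EOF'
# stock-looking sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
    cat > "$1/hardened" <<'EOF'
# hardened sshd_config (constructed sample)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication=no
AllowUsers vomix
# LAN-only exception: conditional, so the global "no" above is what the
# internet faces and what the audit must report.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF
}

# Walk-through on the two constructed samples:
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for c in weak hardened; do
    printf '== %s ==\n' "$c"
    if audit_sshd_config "$tmp/$c"; then echo "clean"; else printf '%s finding(s)\n' "$?"; fi
done
rm -rf "$tmp"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`, then `sshd -t` to make sure the file still parses before restarting the daemon. Make a second SSH session to the box before restarting sshd with a new config, so a mistake in AllowUsers does not lock you out of the jukebox.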


#10 2008-06-13 16:29:27

sniffles
Member
Registered: 2008-01-23
Posts: 275

Re: SSH, wifi & basic security.

Zepp wrote:

This is just overexaggerated paranoia. Not everything is hackable like in the movies; it is possible to secure a device so that a little determination still won't let people in.

I'm just curious how one could protect against 0-day exploits. Kernel patches? l. o. l.


#11 2008-06-13 16:34:22

Zepp
Member
From: Ontario, Canada
Registered: 2006-03-25
Posts: 334
Website

Re: SSH, wifi & basic security.

sniffles wrote:
Zepp wrote:

This is just overexaggerated paranoia. Not everything is hackable like in the movies; it is possible to secure a device so that a little determination still won't let people in.

I'm just curious how one could protect against 0-day exploits. Kernel patches? l. o. l.

SSH has a pretty damn good track record as far as exploits go, and you are assuming that an unpatched exploit exists, for which there is no guarantee or law that says there must be. Also, if a computer has no services listening then it won't be hacked without user intervention, it is that simple.


#12 2008-06-14 10:35:26

vomix
Member
From: Belgium
Registered: 2007-05-02
Posts: 84

Re: SSH, wifi & basic security.

Yay, I'm successfully using ssh with public keys / ssh-agent / keychain!

There's just one thing. I added some lines to my .bashrc to automatically start keychain when a new terminal is opened:

/usr/bin/keychain ~/.ssh/id_dsa
[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh

It's working, but the problem is that keychain is also started when startx is used. And as I'm using mingetty to auto-login at boot, I can't get to my desktop without typing my passphrase at every reboot... So, is there a way to tell keychain to ask for the passphrase only when I'm using ssh for the first time in the session?

I hope it's understandable...

Thanks in advance.
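One way to get the behaviour asked for above (passphrase prompt only on first use of ssh in a session, never at login), as an added example that is not part of the thread: do not start keychain from .bashrc at all, but from a wrapper around the ssh and scp commands. It assumes the key is ~/.ssh/id_dsa as in the post (the KEYCHAIN_KEY variable is introduced here to override that), and uses keychain's --eval and --quiet options, which print the agent variables for the calling shell to eval.

```shell
# Lazy keychain start for ~/.bashrc (added example, replaces the
# unconditional keychain call). Assumed key path; override with KEYCHAIN_KEY.
KEYCHAIN_KEY=${KEYCHAIN_KEY:-$HOME/.ssh/id_dsa}

# Is there a reachable agent that already holds a key?
# ssh-add -l exits 0 with keys loaded, 1 for an agent with no keys and
# 2 when no agent can be contacted; only 0 lets us skip keychain.
agent_has_key() {
    [ -n "$SSH_AUTH_SOCK" ] && ssh-add -l >/dev/null 2>&1
}

# Reattach to (or start) the agent via keychain only when it is needed.
# This is the one place a passphrase prompt can appear, and it appears in
# the terminal you typed ssh into, not on the auto-login console.
ensure_agent() {
    agent_has_key && return 0
    eval "$(keychain --eval --quiet "$KEYCHAIN_KEY")"
}

# Wrap the clients. `command` bypasses the function and runs the real
# binary, so the wrapper cannot recurse into itself.
ssh() { ensure_agent; command ssh "$@"; }
scp() { ensure_agent; command scp "$@"; }
```

Because the wrapper lives in .bashrc, the auto-login shell and startx see only function definitions and no prompt; the first ssh or scp of the session pays the passphrase once and every later call finds the key already in the agent. If keychain is interrupted at the prompt, ssh still runs and simply asks for the passphrase itself.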


#13 2008-06-14 11:16:33

sniffles
Member
Registered: 2008-01-23
Posts: 275

Re: SSH, wifi & basic security.

Zepp wrote:

SSH has a pretty damn good track record as far as exploits go, and you are assuming that an unpatched exploit exists, for which there is no guarantee or law that says there must be. Also, if a computer has no services listening then it won't be hacked without user intervention, it is that simple.

So do default installs of OpenBSD, yet every now and then it happens. You are assuming an exploit does not exist. I prefer my assumption. I don't know what you mean by "user intervention". Is running Firefox, for example, considered user intervention? How about running pacman? I'm talking about client-side exploits. And what about bugs in the kernel itself?

Last edited by sniffles (2008-06-14 11:18:05)


Board footer

Powered by FluxBB