Tougher SSH

arooaroo · 2005-05-06 11:11:52

Hi,

After seeing Phraks unfortunate tale about being hacke via ssh [ur]http://bbs.archlinux.org/viewtopic.php?t=12192[/url], I thought we could start a thread containing help on how to toughen up ssh, and even Linux as a whole to reduce our chances of this attack.

I personally am after tips because I'm worried that I'm not sufficiently protected.

kth5 · 2005-05-06 11:20:22

first of all here are 3 things i always modify in sshd_config:

Port 222
Protocol 2
PermitRootLogin no

running the sshd on a different port usually increases the effort needed to even detect if sshd is running on the host. also like in the thread was mentioned, i disable protocol version 1 which was replaced for security reasons by version 2.
not allowing root to login adds additional advantages, now the cracker also has to find a valid username. ;p

the most secure way would be to also work with hosts.allow/.deny but that would require a static ip, doesn't it?

another measure would be to disable the password challenge completely and to authenticate via ssh keys.

iphitus · 2005-05-06 12:05:10

didnt I hear phrak say he didnt run a firewall at some stage or another?

that might have helped.

cmp · 2005-05-06 12:44:41

What about an auto-configure script for security which creates the most imporant files and gives some hints how to adjust them to individual needs? I guess this is against the arch-way, but it could be helpfull for users like me, who just rely on a hardware firewall.

i3839 · 2005-05-06 12:51:19

No a firewall doesn't help much, not if you want to ssh into the box from everywhere...

If you use another port then use a very high port, something like 22222, because the lower ones are scanned for sure and within seconds. Adding /etc/ssh/sshd_config to the noupgrade list is a good idea too.

Also using keys instead of passwords increases security a lot. The key itself can be protected by a password too, if you don't totally trust the place where the key is (e.g. usb stick).

Personally I only accept ssh logins from the university. If I want to ssh into my box from somewhere else I first ssh to the uni and from there to my home.

phrakture · 2005-05-06 14:28:25

ok, for the record, a firewall wouldn't have mattered because I opened up ssh. The port was an obscure "9918", and I had "PermitRootLogin no" set... the thing was, when I checked the demolished partition (yeah, they trashed my partition table...) this setting was overwritten.

Because I had root logon denied, and my normal ssh user was pretty difficult to crack (12 char password, including numbers and punctuation stuff), I left my root password a bit insecure (it was suceptable to a dictionary attack)

Basically it was a combo of two things: the sshd_config getting overwritten, and me being careless

For the future, I'm going to make sure pacman never overwrites my sshd_config, and I think I'll start using ssh keys 8)

phrakture · 2005-05-06 15:52:33

kth5 wrote:

running the sshd on a different port usually increases the effort needed to even detect if sshd is running on the host.

just a note, what I do (did? heh) is to let it stay on port 22, to make local network access easy, and have the router forward port 9918 to port 22 on my machine... that way, locally it's a proper ssh port, but to the world, it's something obscure.

Also, I'm going to drop using passwords and use challenge-response keys, like kth5/i3839 pointed out (it's a hassle to copy this things, so I never bothered... and now it's more of a hassle to reinstall :oops: ).

    PasswordAuthentication no
    PubkeyAuthentication yes

mico · 2005-05-06 16:33:59

phrakture wrote:

Basically it was a combo of two things: the sshd_config getting overwritten, and me being careless
For the future, I'm going to make sure pacman never overwrites my sshd_config, and I think I'll start using ssh keys 8)

/var/abs/daemons/openssh/PKGBUILD:

...
backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
...

You were surely notified when the config was replaced. You should always pay attention to warnings like "saved as /etc/foo.conf.pacsave". I always, and I do mean always, compare the config files and change the new one if needed. Simply keeping old config may not be such a good idea, because sometimes options are changed with new version so it is a good idea to check that.

phrakture · 2005-05-06 16:46:59

mico wrote:

You were surely notified when the config was replaced. You should always pay attention to warnings like "saved as /etc/foo.conf.pacsave".

Yeah, like I said, I was careless...

vacant · 2005-05-06 16:50:33

Can't say I've looked at it much, but I wonder if chkrootkit could be modified to check a subset of critical files as a cron job? Prakture's problems were caused by an ssh Arch upgrade destroying his security.

phrakture · 2005-05-06 17:20:35

vacant wrote:

Prakture's problems were caused by an ssh Arch upgrade destroying his security.

well, that's not entirely true - it was caused by an upgrade and me being lazy - I'm not blaming the upgrade, because it was my fault for not paying attention

lucke · 2005-05-06 17:56:00

Oh, you could blame me, phrak ;-) It was due to my request of taking advantage of pam in sshd (ulimit stuff) that sshd package was updated and, in the effect, your sshd_config overwritten ;-) Evil me.

darkcoder · 2005-05-06 19:01:41

not Arch related, but this is for anyone that has a firewall or server. Check the three lines specified at the begining of the post on all the machines you have with ssh running. Found that my Smoothwall machine do in fact allow root logins and also has the Protocol line commented.

phrakture · 2005-05-06 19:03:34

darkcoder wrote:

Found that my Smoothwall machine do in fact allow root logins and also has the Protocol line commented.

yikes, I'd hope at least that the external port was shut off (if only the LAN ssh port was open, that'd make sense, as it allows ssh in for administration)

darkcoder · 2005-05-06 19:18:58

a firewall is always welcome.

It's not the same a nmap output from this non-firewall system

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-05-06 15:13 VET
Interesting ports on ddd.mydomain.sample (x.x.x.x):
(The 1656 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
21/tcp    open     ftp
53/tcp    open     domain
111/tcp   open     rpcbind
222/tcp   open     rsh-spx
1720/tcp  filtered H.323/Q.931
6000/tcp  open     X11
10000/tcp open     snet-sensor-mgmt

and this firewalled system

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-05-06 15:16 VET
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

cactus · 2005-05-06 19:19:24

what I do to help secure my ssh setup:
/etc/ssh/sshd_config

Protocol 2
ChallengeResponseAuthentication=no
UsePAM yes
UseDNS no
AllowUsers eliott

I dont bother changing the port, because a port scanner would pick it up quickly anyway.

/etc/hosts.allow

sshd:192.168.1.

I have another commented out line that allows a few more external hosts, but I haven't been using them for a while, so I commented them out.

phrakture · 2005-05-06 19:22:54

cactus wrote:

I dont bother changing the port, because a port scanner would pick it up quickly anyway.

Agreed, but changing the port is still defense against novices...

In reference to the "AllowUsers" - it might be noted that "AllowGroups" works too (for, say, and ssh_users group)

darkcoder · 2005-05-06 19:26:59

cactus wrote:

I dont bother changing the port, because a port scanner would pick it up quickly anyway.

Depends on how you set up the firewall

nmap output with -P0 option

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-05-06 15:27 VET
All 1663 scanned ports on x.x.x.x are: filtered

cactus · 2005-05-06 20:01:37

1) Not a complete scan
2) If the ports are filtered, then ssh access isn't allowed anyway. I fail to see the point.

It also depends on what mechanism you are using (ie connect, ack, syn, fin|ack, fin)..

sweiss · 2005-05-06 20:24:37

Isn't there a way of suspending the service after a certain number of failed attempts? Suppose you fail to log in 3 times in a row, you are denied the service for 5 minutes.

lucke · 2005-05-06 20:49:57

I guess pam_tally and pam_abl could be found useful for that. I'm gonna look into it.

darkcoder · 2005-05-06 20:53:53

My first post in this thread has two samples from different machines. One is a Linux box I know it do not have a firewall, and the other is my machine. In my machine ssh was not enabled anyway. Later I enable it, check that I can be able to login, and then perform the nmap test. With -PI was marking as ports blocked (no output). only the -P0 option shows the port open.

Gullible Jones · 2005-05-06 21:26:51

Question: is there an option to block all attempts at access for a given amount of time after a given number of unsuccessful tries? How about an option to shut down the daemon completely after a given number of unsuccessful access attempts?

(Example: after 10 unsuccessful attempts, all attempts will be blocked for 15 minutes. In addition, sshd will terminate itself after 30 unsuccessful attempts.)

lucke · 2005-05-06 22:03:16

That's what pam_tally and pam_abl ought to do, more or less. They just block the access after a given number of failed login attempts from a given user/host and possibly unblock it after given time. In that case, blocking the access means refusing even the proper password. Shutting sshd down shouldn't be necessary whatsoever (unless we're talking about ddos attacks, but that's a different story), as no access shall be granted anyway.

Gullible Jones · 2005-05-06 22:10:25

Oh shit, I posted something that was already posted just a few paragraphs above... :oops: Sorry.

Arch Linux

#1 2005-05-06 11:11:52

Tougher SSH

#2 2005-05-06 11:20:22

Re: Tougher SSH

#3 2005-05-06 12:05:10

Re: Tougher SSH

#4 2005-05-06 12:44:41

Re: Tougher SSH

#5 2005-05-06 12:51:19

Re: Tougher SSH

#6 2005-05-06 14:28:25

Re: Tougher SSH

#7 2005-05-06 15:52:33

Re: Tougher SSH

#8 2005-05-06 16:33:59

Re: Tougher SSH

#9 2005-05-06 16:46:59

Re: Tougher SSH

#10 2005-05-06 16:50:33

Re: Tougher SSH

#11 2005-05-06 17:20:35

Re: Tougher SSH

#12 2005-05-06 17:56:00

Re: Tougher SSH

#13 2005-05-06 19:01:41

Re: Tougher SSH

#14 2005-05-06 19:03:34

Re: Tougher SSH

#15 2005-05-06 19:18:58

Re: Tougher SSH

#16 2005-05-06 19:19:24

Re: Tougher SSH

#17 2005-05-06 19:22:54

Re: Tougher SSH

#18 2005-05-06 19:26:59

Re: Tougher SSH

#19 2005-05-06 20:01:37

Re: Tougher SSH

#20 2005-05-06 20:24:37

Re: Tougher SSH

#21 2005-05-06 20:49:57

Re: Tougher SSH

#22 2005-05-06 20:53:53

Re: Tougher SSH

#23 2005-05-06 21:26:51

Re: Tougher SSH

#24 2005-05-06 22:03:16

Re: Tougher SSH

#25 2005-05-06 22:10:25

Re: Tougher SSH

Board footer