Solved

SSH security problem

Posted on 2007-03-24
Last Modified: 2010-04-20
Hi Guys
I use Redhat ES 4.0 on my server
I run a small business with 12 users
I am the only one who uses remote access
I have lately been having an excessive number of brute-force attacks and am concerned about security.
My router is set up to allow only the ssh protocol
The router is also set up to bar access while I am not online, meaning: the server is only vulnerable while I am accessing it remotely.
Soooo
I am looking to limit remote ssh access to one user-id
and restrict remote sessions to only one at a time
Meaning: do not allow a second remote ssh login session while one is in progress
Is this alternative practical?
Any other alternatives?
Will also consider a commercial solution..
Your help is appreciated
Thank you
Dory
Question by:dory550
LVL 19

Accepted Solution

by:
Redimido earned 500 total points
ID: 18785813
There are several ways to manage these automated attacks on ssh.

1. There is this script "denyhosts" that, at the third failed attempt on an account, disables ssh for that host. url: http://denyhosts.sourceforge.net/

2. My preferred solution: disable password login on ssh, so you will need to provide the key if you want access. That way no password-based brute-force attack will affect your computer.

how to use keys for everything?
http://sial.org/howto/openssh/publickey-auth/

where to configure key-only?
/etc/ssh/sshd_config
which lines?
ChallengeResponseAuthentication no
or, if present, use this one:
PasswordAuthentication no

you need to restart your sshd service after these changes, so this needs to be done locally and preferably at the console. After you have restarted sshd successfully, verify that you cannot ssh to the machine with passwords anymore. Also make sure you can connect using keys.

The key-based mechanism is much more secure, and once you learn how to use ssh-agent, it's easier too.
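An added example, not part of Redimido's answer or of OpenSSH: a small audit script that checks a copy of sshd_config for the key-only settings above, plus the root-login, allowed-user and port restrictions discussed later in this thread. The sample config files and the user name dory are constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not code from the thread: audit an sshd_config for the
# key-only settings recommended above and for the restrictions discussed
# later in the thread (no remote root, one allowed user, non-default port).
# sshd honours the FIRST uncommented occurrence of a keyword; so does this.

# sshd_setting FILE KEYWORD -> effective value, empty if the keyword is absent
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# audit_sshd_config FILE -> one finding per line; returns 0 only when clean.
# Absent keywords are judged by their OpenSSH defaults (yes / yes / yes / 22).
audit_sshd_config() {
    local f="$1" findings=0
    check() {   # check KEYWORD WANTED DEFAULT MESSAGE
        local v; v=$(sshd_setting "$f" "$1"); [ -n "$v" ] || v="$3"
        if [ "$v" != "$2" ]; then echo "$1=$v: $4"; findings=$((findings + 1)); fi
    }
    check PasswordAuthentication no yes "password logins still allowed; use keys"
    check ChallengeResponseAuthentication no yes "keyboard-interactive passwords still allowed"
    check PermitRootLogin no yes "remote root login allowed"
    if [ -z "$(sshd_setting "$f" AllowUsers)" ]; then
        echo "AllowUsers unset: every account with a shell can log in remotely"
        findings=$((findings + 1))
    fi
    local p; p=$(sshd_setting "$f" Port); [ -n "$p" ] || p=22
    if [ "$p" = 22 ]; then echo "Port=22: default port, expect automated scans"; findings=$((findings + 1)); fi
    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not from a real server) so the audit runs offline.
write_sample_configs() {   # write_sample_configs DIR
    cat > "$1/weak.conf" <<'EOF'
#PasswordAuthentication yes
Port 22
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 8022
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers dory
EOF
}

dir=$(mktemp -d); write_sample_configs "$dir"
for c in weak hardened; do echo "== $c.conf"; audit_sshd_config "$dir/$c.conf" && echo "no findings"; done; rm -rf "$dir"
```

Point it at a copy of the real file (e.g. `audit_sshd_config /etc/ssh/sshd_config`) after editing, before restarting sshd from the console.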
LVL 13

Expert Comment

by:kenfcamp
ID: 18786927
Another thing you can do is set up a firewall rule to deny all SSH access except for your local network IP range(s) and your remote IP (assuming it's a static IP).

This can work by itself or in conjunction with the above suggestion.

In addition, if you have accounts that do not need to log in (shell logins), I would also recommend changing their default shell to /bin/none, or /bin/false if FTP access is needed. (Actual file names and/or paths may differ with your dist.)

Author Comment

by:dory550
ID: 18790697
kenfcamp:

Thanks for your input

Would getting a static IP enhance my security?
Besides the expense, are there any other downsides?
Dory
LVL 19

Expert Comment

by:Redimido
ID: 18791326
downsides for having a static IP are almost none.

with the dynamic ip you are harder to locate, but only that.

you can have a dynamic ip + dynamic dns and the effect is the same.
LVL 13

Expert Comment

by:kenfcamp
ID: 18792793
[with the dynamic ip you are harder to locate, but only that.]

Redimido, I'd have to agree with you on that, in most cases.

However, if you're trying to block access to everybody except for one specific IP address, having a dynamic remote IP usually will mean that once your IP rotates, you'd be locked out too.

[Would getting a static IP enhance my security?]

Not in itself, no, but it can make life easier in some cases.


Author Comment

by:dory550
ID: 18796736
Hi Guys
I see that the answer to my static IP question is a "Definite Maybe"
Soooo
Let me see if I got it straight
If I get a static IP from Verizon (at home) I would be able to let my server know what my static IP is
And whenever an ssh connection is attempted, my server would match the IP it has on file with the IP of the incoming connection. If it's a match the server allows the connection, otherwise it is rejected
In other words a static IP will make sense if I mostly connect to my office from one place (home).
A static IP will not make sense if I travel a lot and connect from various points
Did I understand it correctly?
Dory
LVL 19

Expert Comment

by:Redimido
ID: 18797213
you understand correctly

but that convenience is something you can do with the firewall, with ssh not even needing to know.

maybe you would want to give a second look to ssh key administration. it's good for what you want and does not require the purchase of a fixed ip
LVL 13

Expert Comment

by:kenfcamp
ID: 18797256
Even using the key suggestion (which is a good idea), you should really look at tightening the box down.

"IF" you do not intend to allow outside SSH connections from anyone other than yourself, you should tighten it down.

Leaving it open is inviting potential problems. All it will take is 1 user account with a valid shell and a weak password, and you're compromised.

Though this is JMO

Ken
LVL 19

Expert Comment

by:Redimido
ID: 18797682
mmhh... interesting.

the whole concept here is about passwords.
ssh attack, looking for weak passwords
ssh for only one ip, because of passwords
tightening your box because of passwords

the use of RSA keys (which also use passwords for them) adds an extra level of security: only your private key can ssh to the box, and nobody but you has it. and in case you left it on some computer, it still has a password on it.

interesting how one can look in one direction for protection but not in the other.
LVL 13

Expert Comment

by:kenfcamp
ID: 18797728
[interesting how one can look in one direction for protection but not in the other.]

Isn't it though?

I do believe I mentioned your suggestion was a good idea. However, while it is more secure than passwords, a user's private key can still be compromised.

Whether through a firewall, or /etc/hosts.allow and /etc/hosts.deny, services like ssh should be locked down.
LVL 19

Expert Comment

by:Redimido
ID: 18797936
kenfcamp:
I'm sorry if my comment sounded mean. I was trying to note that the whole thread went by the side of locking IP addresses while dory550 still has a dynamic IP. Please accept my apologies if you were offended.

Yes, it is more secure to lock down the IP addresses allowed to ssh, but at the same time it takes out all the flexibility he/she needs for the connection.

Maybe mixing both recommendations would make a better answer: locking down IP addresses and using keys.

It's also good not to forget to use non-standard ports for ssh (security by obscurity, which is not good since a real hacker can bypass it easily, can be a great help in locking out automated scripts).

Author Comment

by:dory550
ID: 18798010
Thank you both for your input
If I read between the lines: absolute safety is an illusion, no one solution is foolproof. The more you "tighten the box", the more you are "relatively safe".
So I conclude this (so far):
1. I need a static IP
2. strong passwords
3. I need to use a private key
4. disallow remote root login
5. disallow remote ssh login to any user except myself
Looks to me like step 5 is the hardest here. Is that where I use the "hosts.deny" and "hosts.allow" services?
Would "hosts.deny" and "hosts.allow" run in every login session, or can an intruder somehow prevent them from running?
If the answer to the above question is "yes", then is there any other file that will always execute no matter what?

Dory

Is there a 2nd line of defense where I also filter... Can I filter users?

Author Comment

by:dory550
ID: 18798026

Can I implement a 60-second interval between failed (ssh only) logins?
Dory
LVL 19

Expert Comment

by:Redimido
ID: 18798033
Hi Dory

For 1., my recommendation is not needed, only better.

For ssh, hosts.deny and hosts.allow are mandatory. There is no way a user can bypass them unless ssh itself is compromised, which is unlikely if you *also* keep your boxes more or less up to date.

So the conclusion is yes, hosts.deny can do the trick and you are safe to use it.

Regards

Author Comment

by:dory550
ID: 18798121
Redimido
I am trying to put all those ducks in a row
Question
Can I implement a 60-second interval between failed (ssh only) logins?
Is that practical?
If yes, what is the downside?
Dory
LVL 19

Expert Comment

by:Redimido
ID: 18800358
I would not do that.

Better go with a tool that detects failed login attempts for ssh, and at the n-th it disables the offending IP using tcp wrappers.

That is exactly what denyhosts does, and it is a great approach.
You can also limit new connections from your firewall to a certain amount for a given IP (I remember having done something like that some time ago).
LVL 13

Expert Comment

by:kenfcamp
ID: 18800649
[better go with a tool that detects failed login attempts for ssh, and at the n-th it disables the offending ip using tcp wrappers.]

That's a very good point to bring up.

One such tool that could be used is "fail2ban".

It works with iptables and is very customizable (though the config file can be daunting the first time through).

Ken
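An added example, not code from the thread and not denyhosts or fail2ban themselves: the core of what both tools do, as Redimido and kenfcamp describe above, written over constructed /var/log/secure lines. It counts failed ssh logins per source address and, once an address reaches the threshold, prints the tcp-wrappers entry that would go into /etc/hosts.deny; an allowlist keeps the admin's own address from being locked out (the case kenfcamp raised). The host name office, the user dory and all addresses are constructed.

```bash
#!/bin/bash
# Added example, not code from the thread, denyhosts or fail2ban: the core
# of what both tools do, run over constructed /var/log/secure lines. Count
# "Failed password" lines per source address and, once an address reaches
# the threshold, print the tcp-wrappers line that belongs in /etc/hosts.deny.
# An allowlist keeps the admin's own address from being locked out.

# failed_logins LOG -> "COUNT IP" per source address, most failures first
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# hosts_deny_lines LOG THRESHOLD [ALLOWLIST]
# Prints "sshd: <ip>" for each address with at least THRESHOLD failures,
# skipping any address listed one per line in ALLOWLIST.
hosts_deny_lines() {
    local log="$1" limit="$2" allow="${3:-/dev/null}"
    failed_logins "$log" | while read -r count ip; do
        [ "$count" -ge "$limit" ] || continue
        grep -qxF "$ip" "$allow" && continue
        echo "sshd: $ip"
    done
}

# write_sample_log DIR: constructed log and allowlist (RFC 5737 test addresses)
write_sample_log() {
    cat > "$1/secure" <<'EOF'
Mar 24 10:01:02 office sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Mar 24 10:01:05 office sshd[2103]: Failed password for root from 203.0.113.7 port 40213 ssh2
Mar 24 10:01:09 office sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40220 ssh2
Mar 24 10:02:11 office sshd[2110]: Accepted publickey for dory from 198.51.100.20 port 51000 ssh2
Mar 24 10:03:30 office sshd[2120]: Failed password for dory from 198.51.100.20 port 51002 ssh2
Mar 24 10:03:34 office sshd[2122]: Failed password for dory from 198.51.100.20 port 51004 ssh2
Mar 24 10:03:39 office sshd[2124]: Failed password for dory from 198.51.100.20 port 51006 ssh2
Mar 24 10:05:01 office sshd[2130]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
Mar 24 10:05:04 office sshd[2132]: Failed password for invalid user oracle from 192.0.2.55 port 33003 ssh2
EOF
    echo "198.51.100.20" > "$1/allow"   # the admin's own address (constructed)
}

dir=$(mktemp -d); write_sample_log "$dir"
echo "failures per address:"; failed_logins "$dir/secure"
echo "hosts.deny entries at threshold 3, admin address allowlisted:"
hosts_deny_lines "$dir/secure" 3 "$dir/allow"; rm -rf "$dir"
```

With the allowlist, only 203.0.113.7 is reported; 198.51.100.20 has three failures too but is the admin's address, and 192.0.2.55 stays below the threshold.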

Author Comment

by:dory550
ID: 18813595
Redimido
fail2ban looks like a good tool... thank you

Sorry I'm taking a while to respond. I have to take some time studying what you are suggesting
to understand what I am doing.

I understand that one of the steps I should take is to choose a non-default port number.
My router is set now to allow only the ssh protocol at port range 21-22
I use the following command to connect from a Linux machine at home:
ssh -2 MyOffice.xyzdns.com
Let's say I would like to change that to 8022
What steps do I have to take on the host machine to implement that?
Would it suffice to only change that to 3305-3306 on the router?
Thanks
Dory
LVL 19

Expert Comment

by:Redimido
ID: 18818217
to move to 8022

you should edit /etc/ssh/sshd_config and modify the listen port to be 8022
or
create a rule in iptables forwarding what you receive on 8022 to localhost:22

and open your router for port 8022

to connect you would need
ssh -2 -p 8022 MyOffice.xyzdns.com

you do not need to open more ports than 8022 =)

Author Comment

by:dory550
ID: 18827387
Redimido
Thank you for your help
Dory