Solved

SSH security problem

Posted on 2007-03-24
Last Modified: 2010-04-20
Hi Guys
I use Redhat ES 4.0 on my server
I run a small business with 12 users
I am the only one who uses remote access
I have been having lately an excessive number of Brute-Force attacks and am concerned about security.
My router is set up to allow only ssh protocol
router is also set up to bar access while I am not online. Meaning: the server is only vulnerable while I am accessing it remotely.
Soooo
I am looking to limit remote ssh access to one user-id
and restrict remote sessions to only one at a time
Meaning: do not allow a second remote ssh login session while one is in progress
Is this alternative practical?
Any other alternatives?
Will also consider a commercial solution.
Your help is appreciated
Thank you
Dory
Question by:dory550
20 Comments
 
LVL 19

Accepted Solution

by:
Gabriel Orozco earned 500 total points
ID: 18785813
There are several ways to manage these automated attacks to ssh

1. There is this script "denyhosts" that, at the third failed attempt on an account, disables ssh for that host. url: http://denyhosts.sourceforge.net/

2. My preferred solution: disable password login on ssh, so you will need to provide the key if you want access. That way no password-based brute-force attack will affect your computer.

how to use keys for everything?
http://sial.org/howto/openssh/publickey-auth/

where to configure key-only?
/etc/sshd/sshd_conf
which lines?
ChallengeResponseAuthentication no
or, if present, use this one:
PasswordAuthentication no

You need to restart your sshd service after these changes, so this needs to be done locally and preferably at the console. After you have restarted sshd successfully, verify that you cannot ssh to the machine with passwords anymore. Also make sure you can connect using keys.

The key-based mechanism is way more secure, and once you learn how to use ssh-agent, it's easier too.
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 18786927
Another thing you can do is set up a firewall rule to deny all SSH access except for your local network IP range(s) and your remote IP (assuming it's a static IP).

This can work by itself or in conjunction with the above suggestion

In addition, if you have accounts that do not need to log in (shell logins), I would also recommend changing their default shell to /bin/none, or /bin/false if FTP access is needed. (Actual file names and/or paths may differ with your dist.)
0
 

Author Comment

by:dory550
ID: 18790697
kenfcamp:

Thanks for your input

Would getting a static IP enhance my security?
Besides the expense, are there any other downsides?
Dory
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18791326
Downsides for having a static IP are almost none.

With a dynamic IP you are harder to locate, but only that.

You can have a dynamic IP + dynamic DNS and the effect is the same.
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 18792793
[with the dynamic ip you are harder to locate, but only that.]

Redimido, I'd have to agree with you on that, in most cases.

However, if you're trying to block access to everybody except for one specific IP address, having a dynamic remote IP usually will mean that once your IP rotates, you'd be locked out too.

[Would getting a static IP enhance my security?]

Not in itself, no, but it can make life easier in some cases.

0
 

Author Comment

by:dory550
ID: 18796736
Hi Guys
I see that the answer to my static IP question is a "Definite Maybe"
Soooo
Let me see if I got it straight
If I get a static IP from Verizon (at home) I would be able to let my server know what my static IP is
And whenever an ssh connection is attempted my server would match the IP it has on file with the IP of the incoming connection. If it's a match the server allows the connection, otherwise it is rejected
In other words, a static IP will make sense if I mostly connect to my office from one place (home).
A static IP will not make sense if I travel a lot and connect from various points
Did I understand it correctly?
Dory
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18797213
You understand correctly.

But that ease is something you can do with the firewall, with ssh not even needing to know.

Maybe you would want to give a second look to key-based ssh administration. It's good for what you want and does not require the purchase of a fixed IP.
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 18797256
Even using the key suggestion (which is a good idea), you should really look at tightening the box down.

"IF" you do not intend to allow outside SSH connections from anyone other than yourself, you should tighten it down.

Leaving it open is inviting potential problems. All it will take is one user account with a valid shell and a weak password and you're compromised.

Though this is JMO

Ken
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18797682
mmhh... interesting.

The whole concept here is about passwords:
ssh attacks, looking for weak passwords
ssh for only one IP, because of passwords
tightening your box because of passwords

The use of RSA keys (which also use passwords for them) adds an extra level of security: only your private key can ssh to the box, and nobody but you has it. And in case you left it on some computer, it still has a password on it.

Interesting how one can look in one direction for protection but not in the other.
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 18797728
[interesting how one can look into one direction for protection but not in the other.]

Isn't it though?

I do believe I mentioned your suggestion was a good idea. However, while it is more secure than passwords, a user's private key can still be compromised.

Whether through a firewall, or /etc/host.allow and /etc/host.deny, services like ssh should be locked down.
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18797936
kenfcamp:
I'm sorry if my comment sounded mean. I was trying to note that the whole thread went by the side of locking IP addresses while dory550 still has a dynamic IP. Please accept my apologies if you were offended.

Yes, it is more secure to lock down the IP addresses allowed to ssh, but at the same time it takes out all the flexibility he/she needs for the connection.

Maybe mixing both recommendations would make a better answer: locking down IP addresses and using keys.

It's also good not to forget to use non-standard ports for ssh (security by obscurity, which is not good since a real hacker can bypass it easily, but it can be a great help locking out automated scripts).
0
 

Author Comment

by:dory550
ID: 18798010
Thank you both for your input
If I read between the lines: absolute safety is an illusion, no one solution is foolproof. The more you "tighten the box", the more you are "relatively safe".
So I conclude this (so far):
1. I need a static IP
2. strong passwords
3. I need to use a private key
4. disallow remote root login
5. disallow remote ssh login to any user except myself
Looks to me like step 5 is the hardest here. Is that where I use the "host.deny" and "host.allow" services?
Would "host.deny" and "host.allow" run in every login session, or can an intruder somehow prevent them from running?
If the answer to the above question is "yes", then is there any other file that will always execute no matter what?

Dory

Is there a 2nd line of defense where I also filter... Can I filter users
0
 

Author Comment

by:dory550
ID: 18798026

Can I implement a 60-second interval between failed (ssh only) logins?
Dory
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18798033
Hi Dory

For 1., my recommendation is not needed, only better.

For ssh, hosts.deny and hosts.allow are mandatory. There is no way a user can bypass them unless ssh itself is compromised, which is unlikely if you *also* keep your boxes more or less up to date.

So the conclusion is yes, hosts.deny can do the trick and you are safe to use it.

Regards
0
 

Author Comment

by:dory550
ID: 18798121
Redimido
I am trying to put all those ducks in a row
Question
Can I implement a 60-second interval between failed (ssh only) logins?
Is that practical?
If yes. What is the downside?
Dory
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18800358
I would not do that.

Better go with a tool that detects failed login attempts for ssh, and at the n-th disables the offending IP using TCP wrappers.

That is exactly what denyhosts does, and it is a great approach.
You can also limit new connections from your firewall to a certain amount for a given IP (I remember having done something like that some time ago).
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 18800649
[better go with a tool that detects failed login attempts for ssh, and at the n-th it disables the offending ip using tcp wrappers.]

That's a very good point to bring up.

One such tool that could be used is "fail2ban"

It works with iptables and is very customizable (though the config file can be daunting the first time through).

Ken
0
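As an added example, not code from this thread nor from denyhosts or fail2ban, here is the core of what both posters describe, in Python: scan sshd's "Failed password" lines from /var/log/secure, count failures per source IP inside a time window, and emit the TCP-wrapper lines for /etc/hosts.deny once an IP passes the n-th failure. The log lines are constructed, the year is an assumption (syslog timestamps carry none), and the `whitelist` parameter is this example's own guard against banning the admin's own address, the lock-out kenfcamp warned about earlier.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List

# sshd's password-failure line as syslog writes it to /var/log/secure.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_timestamp(ts: str, year: int) -> datetime:
    """syslog timestamps carry no year, so the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_offenders(lines: Iterable[str], threshold: int = 3,
                   window_seconds: int = 600, year: int = 2007,
                   whitelist: Iterable[str] = ()) -> Dict[str, int]:
    """Map each IP that reached `threshold` failures within `window_seconds`
    to the largest number of failures it produced inside one window."""
    safe = set(whitelist)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    offenders: Dict[str, int] = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in safe:
            continue
        ip, t = m.group("ip"), parse_timestamp(m.group("ts"), year)
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:  # drop stale failures
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def hosts_deny_lines(offenders: Dict[str, int]) -> List[str]:
    """TCP-wrapper entries to append to /etc/hosts.deny, the file Gabriel
    refers to; the daemon name is what sshd registers with libwrap."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]


# Constructed sample log (RFC 5737 documentation addresses, invented PIDs).
SAMPLE_LOG = """\
Mar 24 10:00:01 office sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 24 10:00:03 office sshd[4322]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar 24 10:00:05 office sshd[4323]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar 24 10:02:00 office sshd[4324]: Failed password for dory from 198.51.100.4 port 40001 ssh2
Mar 24 10:02:30 office sshd[4325]: Accepted publickey for dory from 198.51.100.4 port 40002 ssh2
""".splitlines()

if __name__ == "__main__":
    # 203.0.113.7 fails three times in four seconds and is listed;
    # 198.51.100.4 fails once and then logs in with a key, so it is not.
    for entry in hosts_deny_lines(find_offenders(SAMPLE_LOG)):
        print(entry)
```

The sliding window is what makes this different from dory550's 60-second delay idea: a slow attacker who spaces attempts wider than the window never trips it, which is why real tools pair a window with a long ban and why the window and threshold are worth tuning against your own log.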
 

Author Comment

by:dory550
ID: 18813595
Redimido
fail2ban looks like a good tool ... thank you

Sorry I take a while to respond. I have to take some time studying what you are suggesting
to understand what I am doing.

I understand that one of the steps I should take is to choose a non-default port number
My router is set now to allow only ssh protocol at port range 21-22
I use the following command to connect from a Linux machine at home:
ssh -2 MyOffice.xyzdns.com
Let's say I would like to change that to 8022
What steps do I have to take on the host machine to implement that?
Would it suffice to only change that to 3305-3306 on the router?
Thanks
Dory
 

0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18818217
To move to 8022:

you should edit /etc/ssh/sshd_config and modify the listen port to be 8022
or
create a rule in iptables forwarding what you receive on 8022 to localhost:22

and open your router for port 8022

To connect you would need
ssh -2 -p 8022 MyOffice.xyzdns.com

You do not need to open more ports than 8022 =)
0
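As an added example (not code from this thread or from OpenSSH), a small Python audit of an sshd_config text for the settings recommended across this thread: the key-only login keywords from the accepted answer, dory550's checklist items 4 and 5 (no remote root login, no remote login for anyone but the admin account), and the non-default port from the last answer. The parser, the `REQUIRED` table and the two constructed sample configurations are this example's own assumptions; point it at the server's /etc/ssh/sshd_config to see which items are still open.

```python
import re
from typing import Dict, List

# Keyword -> value this thread recommends (keywords lowercased; sshd compares
# them case-insensitively).  An absent keyword counts as weak here, because the
# historical OpenSSH defaults for these are the permissive "yes" / "2,1".
REQUIRED = {
    "passwordauthentication": "no",           # key-only login (accepted answer)
    "challengeresponseauthentication": "no",  # closes the other password path
    "permitrootlogin": "no",                  # dory550's item 4
    "protocol": "2",                          # SSH-2 only, as in "ssh -2"
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse the 'Keyword value' lines of an sshd_config into a dict.

    Comments and blank lines are skipped, '=' is accepted as a separator, and
    the first occurrence of a keyword wins (sshd's own rule).  Parsing stops
    at the first Match block, since settings below it are conditional.
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def audit_sshd_config(text: str, admin_user: str) -> List[str]:
    """Return one finding per recommended setting that is missing or weak."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    for key, want in REQUIRED.items():
        have = cfg.get(key)
        if have is None:
            findings.append(f"{key}: not set (default is permissive); add '{key} {want}'")
        elif have.lower() != want:
            findings.append(f"{key}: is '{have}', should be '{want}'")
    # dory550's item 5: only the admin account may log in over ssh at all.
    allowed = cfg.get("allowusers", "").split()
    if not allowed:
        findings.append(f"allowusers: not set; add 'AllowUsers {admin_user}'")
    elif allowed != [admin_user]:
        findings.append(f"allowusers: {allowed} should be just ['{admin_user}']")
    # Non-default port: no security by itself, but it cuts automated scanner noise.
    if cfg.get("port", "22") == "22":
        findings.append("port: 22 (default); consider a non-standard port such as 8022")
    return findings


# Constructed sample configurations (assumptions of this example, not the
# poster's real files).
WEAK_CONFIG = """\
# looks like a stock sshd_config: root and passwords still allowed
Protocol 2,1
PasswordAuthentication yes
#PermitRootLogin yes
"""

HARDENED_CONFIG = """\
Port 8022
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers dory
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_sshd_config(cfg, "dory") or ["no findings"]:
            print(" ", finding)
```

Run the audit before and after restarting sshd from the console, as the accepted answer advises, and keep a second session open while you do: a typo in AllowUsers or Port locks the remote admin out just as surely as an attacker.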
 

Author Comment

by:dory550
ID: 18827387
Redimido
Thank you for your help
Dory
0
