Solved

SSH security problem

Posted on 2007-03-24
20
459 Views
Last Modified: 2010-04-20
Hi Guys
I use Redhat ES 4.0 on my server
I run a small business with 12 users
I am the only one who uses remote access
I have been having lately an excessive number of Brute-Force attacks and am concerned about security.
My router is set up to allow only ssh protocol
router is also set up to bar access while I am not online, meaning: server is only vulnerable while I am accessing it remotely.
Soooo
I am looking to limit remote ssh access to one user-id
and restrict remote sessions to only one at a time
Meaning: do not allow a second remote ssh login session while one is in progress
Is this alternative practical?
Any other alternatives?
Will also consider a commercial solution.
Your help is appreciated
Thank you
Dory
0
Question by:dory550
20 Comments
 
LVL 19

Accepted Solution

by:
Gabriel Orozco earned 500 total points
ID: 18785813
There are several ways to manage these automated attacks on ssh

1. There is this script "denyhosts" that, at the third failed attempt on an account, disables ssh for that host. url:  http://denyhosts.sourceforge.net/

2. my preferred solution: disable password login on ssh, so you will need to provide the key if you want access. that way no password based brute-force attack will affect your computer.

how to use keys for everything?
http://sial.org/howto/openssh/publickey-auth/

where to configure key-only?
/etc/ssh/sshd_config
which lines?
ChallengeResponseAuthentication no
or, if present, use this one:
PasswordAuthentication no

you need to restart your sshd service after these changes, so this needs to be done locally and preferably at the console. after you have restarted sshd successfully, verify you cannot ssh to the machine with passwords anymore. also make sure you can connect using keys.

the key-based mechanism is way more secure. and once you learn how to use ssh agent, it's easier too.
0
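A way to check that the directives above (together with PermitRootLogin and AllowUsers, which the question's "only one user-id" requirement calls for) actually took effect. This is an added example, not code from the thread; the two sample configs and the login name "dory" are constructed for the demo.

```shell
# Added example, not from the thread: audit an sshd_config for key-only login.
# The sample configs and the admin login "dory" are constructed for this demo.

# Effective value of a directive. sshd honours the FIRST occurrence of a
# keyword, so take the first non-comment match (keywords are case-insensitive).
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# Print one "Keyword: found -> wanted" line per weak or missing setting;
# empty output means the file matches the recommendations. Unset counts as a
# finding because OpenSSH defaults of that era were PasswordAuthentication yes,
# ChallengeResponseAuthentication yes (with UsePAM yes that alone keeps password
# prompts alive), PermitRootLogin yes and Protocol 2,1.
audit_sshd_config() {  # $1 = config file, $2 = the one login allowed remotely
    for pair in PasswordAuthentication=no ChallengeResponseAuthentication=no \
                PermitRootLogin=no Protocol=2 AllowUsers="$2"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        [ "$got" = "$want" ] || echo "$key: ${got:-unset} -> $want"
    done
}

# Constructed samples: a stock-looking config and a hardened one.
weak_cfg=$(mktemp); cat > "$weak_cfg" <<'EOF'
#Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
hard_cfg=$(mktemp); cat > "$hard_cfg" <<'EOF'
Port 8022
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers dory
EOF

echo "== weak =="; audit_sshd_config "$weak_cfg" dory
echo "== hardened =="; audit_sshd_config "$hard_cfg" dory   # prints nothing
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config yourlogin` before restarting sshd, and keep the console session open until a key login from outside has been confirmed.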
 
LVL 14

Expert Comment

by:kenfcamp
ID: 18786927
another thing you can do is setup a firewall rule to deny all SSH access except for your local network ip range(s) and your remote IP (assuming it's a static IP)

This can work by itself or in conjunction with the above suggestion

In addition if you have accounts that do not need to login (shell logins) I would also recommend changing their default shell to /bin/none or /bin/false if FTP access is needed. (actual file names and/or paths may differ with your dist)
0
 

Author Comment

by:dory550
ID: 18790697
kenfcamp:

Thanks for your input

Would getting a static IP enhance my security?
Besides the expense, are there any other downsides?
Dory
0

 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18791326
downsides of having a static IP are almost none.

with the dynamic ip you are harder to locate, but only that.

you can have a dynamic ip + dynamic dns and the effect is the same.
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 18792793
[with the dynamic ip you are harder to locate, but only that.]

Redimida, I'd have to agree with you on that, in most cases.

However, if you're trying to block access to everybody except for one specific ip address, having a dynamic remote ip usually will mean that once your ip rotates, you'd be locked out too.

[Would getting  static IP  enhance my security?]

Not in itself no, but it can make life easier in some cases.

0
 

Author Comment

by:dory550
ID: 18796736
Hi Guys
I see that the answer to my Static IP question is a "Definite Maybe"
Soooo
Let me see if I got it straight
If I get a static IP from verizon (at home) I would be able to let my server know what is my static IP
And whenever an ssh connection is attempted my server would match the ip it has on file with the ip of the incoming connection. If it's a match the server allows the connection, otherwise it is rejected
In other words a static ip will make sense if I mostly connect to my office from one place (home.)
A static ip will not make sense if I travel a lot and connect from various points
Did I understand it correctly?
Dory
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18797213
you understand correctly

but that easiness is something you can do with the firewall, with ssh not even needing to know.

maybe you would want to give a second look to ssh key administration. it's good for what you want and does not require the purchase of a fixed ip
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 18797256
Even using the key suggestion (which is a good idea), you should really look at tightening the box down.

"IF" you do not intend to allow outside SSH connections from anyone other than yourself, you should tighten it down.

Leaving it open is inviting potential problems. All it will take is 1 user account with a valid shell and a weak password and you're compromised

Though this is JMO

Ken
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18797682
mmhh... interesting.

the whole concept here is about passwords.
ssh attack, looking for weak passwords
ssh for only one ip, because of passwords
tightening your box because of passwords

the use of RSA keys (which also use passwords for them) adds an extra level of security: only your private key can ssh to the box. and nobody but you has it. and in case you left it on some computer, it still has a password on it.

interesting how one can look into one direction for protection but not in the other.
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 18797728
[interesting how one can look into one direction for protection but not in the other.]

Isn't it though?

I do believe I mentioned your suggestion was a good idea. However, while it is more secure than passwords, a user's private key can still be compromised.

Whether through a firewall, or /etc/hosts.allow and /etc/hosts.deny, services like ssh should be locked down.
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18797936
kenfcamp:
I'm sorry if my comment sounded mean. I was trying to note that the whole thread went by the side of locking ip addresses while dory550 still has a dynamic ip. please accept my apologies if you were offended.

Yes, it is more secure to lock ip addresses allowed to ssh, but at the same time it takes out all the flexibility he/she needs for the connection.

Maybe mixing both recommendations would make a better answer. Locking down ip addresses and using keys.

It's also good not to forget to use non standard ports for ssh (security by obscurity, which is not good since a real hacker can bypass it easily, can be a great help locking out automated scripts)
0
 

Author Comment

by:dory550
ID: 18798010
Thank you both for your input
If I read between the lines: Absolute safety is an illusion, no one solution is foolproof. The more you "tighten the box" the more you are "relatively safe"
So I conclude this (so far).
1. I need a static IP
2. strong passwords
3. I need to use a private key
4. disallow remote root login
5. disallow remote ssh login to any user except myself
Looks to me like step 5 is the hardest here. Is that where I use the "hosts.deny" and "hosts.allow" services?
Would "hosts.deny" and "hosts.allow" run in every login session or can an intruder somehow prevent them from running?
If the answer to the above question is "yes" then is there any other file that will always execute no matter what?

Dory

Is there a 2nd line of defense where I also filter? Can I filter users?
0
 

Author Comment

by:dory550
ID: 18798026

can I implement a 60 seconds interval between failed (ssh only) logins?
Dory
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18798033
Hi Dory

for 1. my recommendation is not needed, only better.

for ssh, hosts.deny and hosts.allow are mandatory. there is no way a user can bypass it unless ssh itself is compromised, which is unlikely if you *also* maintain your boxes more or less up to date.

so the conclusion is yes, hosts.deny can do the trick and you are safe to use it.

Regards
0
 

Author Comment

by:dory550
ID: 18798121
Redimido
I am trying to put all those ducks in a row
Question
can I implement a 60 seconds interval between failed (ssh only) logins?
Is that practical?
If yes. What is the downside?
Dory
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18800358
I would not do that

better go with a tool that detects failed login attempts for ssh, and at the n-th it disables the offending ip using tcp wrappers.

that exactly is what denyhosts does. and is a great approach.
you can also limit new connections from your firewall to a certain amount for a given ip (I remember having done something like that some time ago)
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 18800649
[better go with a tool that detects failed login attepts for ssh, and at the n-th it disables the offending ip using tcp wrappers.]

That's a very good point to bring up.

One such tool that could be used is "fail2ban"

It works with iptables, is very customizable (though the config file can be daunting the first time through)

Ken
0
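The core of what denyhosts (Gabriel's comment above) and fail2ban (Ken's) automate, written out so the logic is visible: count failed password attempts per source address in the sshd log and emit tcp_wrappers hosts.deny entries for offenders, never for your own whitelisted address. This is an added example, not part of the thread or of either tool; the log lines, addresses and threshold are constructed.

```shell
# Added example, not from the thread: denyhosts/fail2ban-style detection over an
# sshd log in RHEL /var/log/secure format. All sample data below is constructed.

# Print "ip count" for every address with >= $2 "Failed password" lines in $1.
offending_ips() {  # $1 = log file, $2 = threshold
    awk -v n="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= n) print ip, fails[ip] }' "$1" | sort
}

# Turn offenders into hosts.deny lines. tcp_wrappers consults hosts.allow first,
# but keeping your own address ($3, space-separated whitelist) out of hosts.deny
# is what stops you locking yourself out (fail2ban calls this ignoreip).
deny_entries() {  # $1 = log file, $2 = threshold, $3 = whitelist
    offending_ips "$1" "$2" | while read -r ip count; do
        case " $3 " in *" $ip "*) continue ;; esac
        echo "sshd: $ip"
    done
}

# Constructed sample log: one scanner, the admin fumbling a password before a
# key login succeeds, and a second scanner still under the threshold.
log=$(mktemp); cat > "$log" <<'EOF'
Mar 24 02:11:03 office sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 4455 ssh2
Mar 24 02:11:05 office sshd[4014]: Failed password for invalid user test from 203.0.113.7 port 4460 ssh2
Mar 24 02:11:09 office sshd[4016]: Failed password for root from 203.0.113.7 port 4471 ssh2
Mar 24 02:11:12 office sshd[4018]: Failed password for root from 203.0.113.7 port 4477 ssh2
Mar 24 08:30:41 office sshd[5120]: Failed password for dory from 198.51.100.5 port 51234 ssh2
Mar 24 08:30:44 office sshd[5122]: Failed password for dory from 198.51.100.5 port 51236 ssh2
Mar 24 08:30:47 office sshd[5124]: Failed password for dory from 198.51.100.5 port 51238 ssh2
Mar 24 08:30:50 office sshd[5126]: Accepted publickey for dory from 198.51.100.5 port 51240 ssh2
Mar 24 09:02:17 office sshd[5301]: Failed password for invalid user oracle from 192.0.2.44 port 3301 ssh2
Mar 24 09:02:19 office sshd[5303]: Failed password for invalid user oracle from 192.0.2.44 port 3302 ssh2
EOF

offending_ips "$log" 3            # 198.51.100.5 3 / 203.0.113.7 4
deny_entries "$log" 3 "198.51.100.5"   # sshd: 203.0.113.7
```

This counts over the whole file; the real tools count within a time window and expire bans later, which is the piece to add before appending the output to /etc/hosts.deny.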
 

Author Comment

by:dory550
ID: 18813595
Redimido
fail2ban looks like a  good tool  ... thank you

sorry I take a while to respond. I have to take some time studying what you are suggesting to understand what I am doing.

I understand that one of the steps I should take is choose a non-default port num
My router is set now to allow only ssh protocol at port range 21-22
I use the following command to connect from a Linux machine at home:
ssh -2 MyOffice.xyzdns.com
Let's say I would like change that to 8022
What steps do I have to take on the host machine to implement that?
Would it suffice to only change that to 3305-3306 on the router?
Thanks
Dory
 

0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 18818217
to move to 8022

you should edit /etc/ssh/sshd_config and modify the listen to be on 8022
or
create a rule in iptables forwarding what you receive on 8022 to localhost:22

and open your router for port 8022

to connect you would need
ssh -2 -p 8022 MyOffice.xyzdns.com

you do not need to open more ports than 8022 =)
0
 

Author Comment

by:dory550
ID: 18827387
Redimido
Thank you for your help
Dory
0
